How To Enable ssh Login Log In Linux

April 24, 2011

To access a particular system on a network, whether to operate a device or to execute commands from a remote system, we use protocols such as rlogin, rsh, rcp, rdist and ssh. Among these programs, the SSH protocol is the best choice for secure communication over insecure channels. Secure Shell (SSH) provides strong authentication for communication.

One of the main responsibilities of the system administrator is to maintain the logs of hardware as well as services. Because the ssh protocol provides a remote login facility, it is important to maintain login logs. The system admin can achieve this by configuring the syslogd service. In Linux, syslogd is the Unix logging service: programs send their log messages to the syslog daemon, syslogd, which forwards them to another destination such as a console or a file. Destinations are specified in the syslog configuration file /etc/syslog.conf.

Example 1:

[root@localhost ~]# cat /etc/syslog.conf | grep -i ssh
# sshlog
*.* /var/log/sshd/sshd.log

SSH logging is enabled by default. If it is not, enable it by adding the following line to the /etc/syslog.conf file:

*.* /var/log/sshd/sshd.log

When the ssh server runs, it writes log messages to sshd.log describing what is going on. These log messages help the system administrator track system details, such as who logged in and out, and troubleshoot problems.

The /etc/ssh/sshd_config file is the system-wide configuration file for the OpenSSH service; it lets you set options that modify the operation of the daemon. This configuration file contains keyword-value pairs, one per line, with keywords being case sensitive.

SyslogFacility AUTH and AUTHPRIV

Messages received by syslogd are processed according to their facility, which indicates a message's origin. Standard syslog facilities include KERN (messages from the OS kernel), DAEMON (messages from a service or daemon), USER (messages from user processes), MAIL (messages from the email system), and others. By default, the facility for SSH server messages is AUTHPRIV. This choice may be changed with the SSH keyword SyslogFacility, which determines the syslog facility code for logging SSH messages. Other possible values of SyslogFacility are DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTHPRIV.

The option SyslogFacility specifies the facility code used when logging messages from sshd. The facility specifies the subsystem that produced the message, in our case AUTH.
Normally, all authentication-related messages are logged with the AUTHPRIV (or AUTH) facility [intended to be secure, and never seen by unwanted eyes], while normal operational messages are logged with the DAEMON facility.

Example 2:

[root@localhost ssh]# cat sshd_config | grep -i SyslogFacility
#SyslogFacility AUTH
SyslogFacility AUTHPRIV

LogLevel

Gives the verbosity level that is used when logging messages from sshd. The possible values are QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output.

If you want to record more information – such as failed login attempts – you should increase the logging level to VERBOSE.

Example 3:

Make sure to uncomment the line below to enable LogLevel.

[root@localhost ssh]# cat sshd_config | grep -i LogLevel
#LogLevel INFO
[root@localhost ssh]#

Example 4:

To start the ssh service, use the service sshd start command.

[root@localhost ~]# service sshd start
Starting sshd: [ OK ]

You can use the watch command together with tail to see live ssh log file updates.

[root@localhost ~]# watch tail /var/log/messages
