In this guide, we are looking into a PAM implementation. By default, SFTP chroots and non-chroot users last login information will not be saved, To get the same we need to configure the PAM.
While the security team look for each and every log from our server it’s system admin responsible to implement the logging system, This guide applies for both RHEL 6 & 7 based operating systems.
Enabling last log information for SFTP users in Red Hat Enterprise Linux and variants.
Before starting with implementing PAM let us verify whether pam module enabled and PAM support enabled in sshd_config using a simple grep.
# grep "pam_lastlog" /etc/pam.d/sshd # grep "UsePAM" /etc/ssh/sshd_config
Edit and configure the PAM settings to “Yes” in SSHD configuration to start using PAM.
# vi /etc/ssh/sshd_config UsePAM=yes
Enable pam_laslog.so by adding in the first line of the session section above the SELinux.
# vi /etc/pam.d/sshd
Add only the first line which contains pam_lastlog.so
session required pam_lastlog.so # Append with only this line. session required pam_selinux.so close session required pam_loginuid.so
Restart the SSHD service and check for the status.
# systemctl restart sshd # systemctl status sshd
Finally, the last log will start to log all SFTP chroot user and non-chroot user log-in information under the wtmp file.
That’s it, We have managed to enable last log information for SFTP Chroot and non-chroot users.
A default configuration which not in place has been implemented using PAM for chroot users in RHEL based operating systems. This will help us to find which user accessing server for SFTP service, Its a key factor for security audit purpose.
Provide your feedback in below comment section we are looking forward to hearing something from you.