Matching Certificate-Based-Login Messages

PrivX users logging in with certificate-based authentication generate log messages both on the PrivX server and on the target host. These messages can be matched by the certificate serial.

For example, an SSH connection to a Unix host may generate the following messages:

  • On the PrivX server (in /var/log/messages):

    Dec 5 15:57:27 privx.example.com SSH-PRIVX-AUDIT[6825]:
    [event="Authorization-certificate-granted" eventID="401"
    keyID="[email protected]:45910-serial-2571351803943628705"
    message="certificate-created" target="127.0.0.1:45910"
    username="alice"]

  • And on the target host (typically in /var/log/secure or /var/log/auth.log):

    Dec  5 15:57:28 ld-jizhouya sshd[22799]: Accepted publickey for alice
    from 192.0.2.102 port 38126 ssh2: RSA-CERT ID [email protected]:45910
    serial 2571351803943628705 (serial 2571351803943628705)
    CA RSA SHA256:aVOPjQAB2b+y64OJ8UozVe5EKegsrCClE9UQN/MEq4c

As another example, an RDP connection to a Windows host may generate:

  • On the PrivX server (in /var/log/messages):

    Dec 5 08:24:41 dhcp-10-1-54-160.hel.fi.ssh.com SSH-PRIVX-AUDIT[14189]:
    [event="Authorization-certificate-granted" eventID="401"
    SSH-PrivX-service="AUTHORIZER" message="RDP-certificate-created"
    serial="1A654E1CD607153C"
    sha1-fingerprint="..." sha256-fingerprint="..."
    target="127.0.0.1:47390" upn="[email protected]" username="alice"]

  • And on the target host (in Windows Event Viewer → Windows Logs → Security → Event details):

    Audit Success 5.12.2018 15.25.09 Microsoft-Windows-Security-Auditing
    4768 Kerberos Authentication Service "A Kerberos authentication
    ticket (TGT) was requested.

    Account Information:
    Account Name: alice
    Supplied Realm Name: EXAMPLE.COM
    User ID: EXAMPLE\alice

    Service Information:
    Service Name: krbtgt
    Service ID: EXAMPLE\krbtgt

    Network Information:
    Client Address: ::1
    Client Port: 0

    Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x0
    Ticket Encryption Type: 0x12
    Pre-Authentication Type: 15

    Certificate Information:
    Certificate Issuer Name: 10.1.54.160
    Certificate Serial Number: 1A654E1CD607153C
    Certificate Thumbprint: 1580AB1E1428B94B5DCF2EB13145B524B864D65F
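The correlation described above, for both the SSH and the RDP case, as an added Python example (not PrivX's own tooling): it pulls the certificate serial out of a PrivX audit record (from the keyID "-serial-" suffix for SSH, from the serial="..." field for RDP) and out of the target host's record (the sshd "serial N" field, or the "Certificate Serial Number" line of a Windows 4768 event), then pairs target logins with the PrivX grant that carries the same serial. A certificate login on a target host whose serial PrivX never issued is reported separately, since that is the case a reviewer would want to look at. The log lines embedded below are constructed for the example and only imitate the formats shown on this page; hostnames, PIDs, addresses and the extra serials are made up.

```python
import re

# Constructed sample records modelled on the formats shown on this page.
# Values (hosts, PIDs, addresses, the "bob" serial) are invented for the example.
PRIVX_LINES = [
    'Dec 5 15:57:27 privx.example.com SSH-PRIVX-AUDIT[6825]: '
    '[event="Authorization-certificate-granted" eventID="401" '
    'keyID="alice@example.com:45910-serial-2571351803943628705" '
    'message="certificate-created" target="127.0.0.1:45910" username="alice"]',
    'Dec 5 08:24:41 privx.example.com SSH-PRIVX-AUDIT[14189]: '
    '[event="Authorization-certificate-granted" eventID="401" '
    'SSH-PrivX-service="AUTHORIZER" message="RDP-certificate-created" '
    'serial="1A654E1CD607153C" target="127.0.0.1:47390" username="alice"]',
]

TARGET_LINES = [
    # sshd on a Unix host (cf. /var/log/secure)
    'Dec  5 15:57:28 unixhost sshd[22799]: Accepted publickey for alice '
    'from 192.0.2.102 port 38126 ssh2: RSA-CERT ID alice@example.com:45910 '
    'serial 2571351803943628705 (serial 2571351803943628705) CA RSA SHA256:aVOPj...',
    # Windows Security event 4768, flattened to one line for the example
    '4768 Kerberos Authentication Service Account Name: alice '
    'Certificate Issuer Name: 10.1.54.160 Certificate Serial Number: 1A654E1CD607153C',
    # a certificate login for which no PrivX grant exists (constructed)
    'Dec  5 16:02:11 unixhost sshd[23001]: Accepted publickey for bob '
    'from 192.0.2.55 port 40102 ssh2: RSA-CERT ID bob@example.com:45911 '
    'serial 9999999999999999999 (serial 9999999999999999999) CA RSA SHA256:aVOPj...',
]

# Where the serial lives in each record type. SSH serials are decimal and appear
# in the keyID suffix; RDP serials are hex and appear in a dedicated field.
PRIVX_SERIAL_RES = [
    re.compile(r'keyID="[^"]*-serial-(\d+)"'),
    re.compile(r'\bserial="([0-9A-Fa-f]+)"'),
]
TARGET_SERIAL_RES = [
    re.compile(r'-CERT ID \S+ serial (\d+)'),
    re.compile(r'Certificate Serial Number:\s*([0-9A-Fa-f]+)'),
]


def extract_serial(line, patterns):
    """Return the serial found by the first matching pattern, upper-cased so that
    hex serials compare equal regardless of case, or None if the line has none."""
    for pat in patterns:
        m = pat.search(line)
        if m:
            return m.group(1).upper()
    return None


def index_privx(lines):
    """Map each serial PrivX granted to the username and audit record that granted it."""
    idx = {}
    for line in lines:
        serial = extract_serial(line, PRIVX_SERIAL_RES)
        if serial:
            user = re.search(r'username="([^"]+)"', line)
            idx[serial] = {"username": user.group(1) if user else None, "line": line}
    return idx


def correlate(privx_lines, target_lines):
    """Pair target-host certificate logins with PrivX grants by serial.

    Returns (matched, unmatched): matched holds (serial, privx_username, target_line)
    tuples; unmatched holds (serial, target_line) for logins whose serial no PrivX
    audit record accounts for. Lines without a certificate serial are ignored."""
    idx = index_privx(privx_lines)
    matched, unmatched = [], []
    for line in target_lines:
        serial = extract_serial(line, TARGET_SERIAL_RES)
        if serial is None:
            continue
        if serial in idx:
            matched.append((serial, idx[serial]["username"], line))
        else:
            unmatched.append((serial, line))
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = correlate(PRIVX_LINES, TARGET_LINES)
    for serial, user, line in matched:
        print(f"MATCH   serial={serial} privx_user={user}: {line[:60]}...")
    for serial, line in unmatched:
        print(f"NO GRANT serial={serial}: {line[:60]}...")
```

In practice the PrivX records come from /var/log/messages on the PrivX server and the target records from /var/log/secure, /var/log/auth.log or an export of the Windows Security log; reading those files line by line into the two lists is the only change needed. Matching on the serial alone is deliberate: the two sides of a login are written by different hosts with their own clocks, so the serial is the stable key while timestamps are only a sanity check.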
