Matching Certificate-Based-Login Messages

PrivX users logging in with certificate-based authentication generate log messages both on the PrivX server and on the target host. These messages can be matched by the certificate serial.

For example, an SSH connection to a Unix host may generate the following messages:

  • On the PrivX server (in /var/log/messages):
Dec 5 15:57:27 SSH-PRIVX-AUDIT[6825]:
[event="Authorization-certificate-granted" eventID="401"
message="certificate-created" target=""
  • And on the target host (typically in /var/log/secure or /var/log/auth.log):
Dec  5 15:57:28 ld-jizhouya sshd[22799]: Accepted publickey for alice
from port 38126 ssh2: RSA-CERT ID alice@
serial 2571351803943628705 (serial 2571351803943628705)
CA RSA SHA256:aVOPjQAB2b+y64OJ8UozVe5EKegsrCClE9UQN/MEq4c

As another example, an RDP connection to a Windows host may generate:

  • On the PrivX server (in /var/log/messages):
Dec 5 08:24:41 SSH-PRIVX-AUDIT[14189]:
[event="Authorization-certificate-granted" eventID="401"
SSH-PrivX-service="AUTHORIZER" message="RDP-certificate-created"
sha1-fingerprint="..." sha256-fingerprint="..."
target="" upn="" username="alice"]
  • And on the target host (in Windows Event Viewer→Windows Logs→Security→Event details):
Audit Success 5.12.2018 15.25.09 Microsoft-Windows-Security-Auditing
4768 Kerberos Authentication Service "A Kerberos authentication
ticket (TGT) was requested.

Account Information:
Account Name: alice
Supplied Realm Name: EXAMPLE.COM
User ID: EXAMPLE\alice

Service Information:
Service Name: krbtgt
Service ID: EXAMPLE\krbtgt

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810010
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 15

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number: 1A654E1CD607153C
Certificate Thumbprint: 1580AB1E1428B94B5DCF2EB13145B524B864D65F

Was this page helpful?