4

I need to keep track of all SSH connections on my server. In my /etc/hosts.allow I have something like this:

sshd: ALL : spawn ( echo "`date` from %u %a " >> /var/log/ssh/%d.log ) &

where %a logs the client IP, and %u is supposed to log the username. But instead %u just logs unknown. Is there a way to fix this? I need to log both the IP and the username for each connection.

peterph
Martin Vegter
  • Isn't the info in `/var/log/{secure,auth}` enough for that purpose, or do you want to log `tcpwrappers` activity specifically? – dawud Sep 17 '13 at 06:27

1 Answer

6

The %u client user name is only known if the client side machine is running identd and provides the username on request.

TCP Wrappers, i.e. tcpd, does the identd lookup and returns "unknown" if it doesn't get an answer from the client machine.

Running identd used to be common practice back in the 90s, but is extremely uncommon these days - and many clients (Windows machines, for example) don't even have an identd or similar program.

In short, you get "unknown" because the client machine isn't providing that information.

Your sshd should be logging all connection attempts anyway - check /var/log/auth.log or /var/log/syslog or /var/log/messages (depending on your distribution and on how your syslogd is configured).

cas
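The following is an added example, not code from the question or the answer above. It reproduces the two points the answer makes: the RFC 1413 ident query that tcpd sends to the client machine to fill in %u (with the "unknown" fallback when nothing answers or the reply is not USERID), and how the username and client IP can instead be pulled from sshd's own syslog lines. The fake identd, the loopback addresses, the port numbers and the sample log lines are all constructed for the demonstration; the request and reply formats follow RFC 1413 and tcpd's rfc931 lookup.

```python
# Added example (not from the original post): tcpd-style ident lookup and
# sshd log parsing.  The identd stand-in and log lines are constructed.
import re
import socket
import threading

UNKNOWN = "unknown"          # what tcpd substitutes for %u on any failure
IDENT_PORT = 113             # identd listens here on the *client* machine

# RFC 1413 reply: "<their-port>,<our-port>:USERID:<opsys>:<user>"
IDENT_REPLY = re.compile(r"^\s*\d+\s*,\s*\d+\s*:\s*USERID\s*:[^:]*:\s*(\S+)")


def parse_ident_reply(text):
    """Return the user id from an ident reply, or "unknown" for ERROR/garbage."""
    m = IDENT_REPLY.match(text)
    return m.group(1) if m else UNKNOWN


def ident_lookup(client_ip, client_port, server_port, ident_port=IDENT_PORT, timeout=2.0):
    """Ask the client host's identd who owns its end of the TCP connection.

    Mirrors tcpd's lookup: connect to client:113, send "<client-port>,<server-port>",
    read one line.  No identd (refused, reset, timeout) or a non-USERID
    reply yields "unknown", which is exactly what the questioner sees in %u.
    """
    try:
        with socket.create_connection((client_ip, ident_port), timeout=timeout) as s:
            s.sendall(f"{client_port},{server_port}\r\n".encode("ascii"))
            reply = b""
            while b"\n" not in reply and len(reply) < 512:
                chunk = s.recv(128)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        return UNKNOWN
    return parse_ident_reply(reply.decode("ascii", "replace"))


def fake_identd(users_by_port):
    """Constructed identd stand-in on 127.0.0.1 that serves a single query.

    users_by_port maps a client-side port to its owner; any other port gets
    "ERROR:NO-USER".  Returns the port the stand-in listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            their, ours = (p.strip() for p in conn.recv(64).decode().split(",", 1))
            user = users_by_port.get(int(their))
            body = f"USERID:UNIX:{user}" if user else "ERROR:NO-USER"
            conn.sendall(f"{their},{ours}:{body}\r\n".encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """A loopback port with nothing listening: models a client without identd."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


# sshd's own auth records already carry the authenticated user and peer address.
SSHD_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_sshd_log(lines):
    """Return (result, user, ip, port, invalid_user) for each sshd auth line."""
    out = []
    for line in lines:
        m = SSHD_LINE.search(line)
        if m:
            out.append((m["result"], m["user"], m["ip"], int(m["port"]), bool(m["invalid"])))
    return out


SAMPLE_LOG = [  # constructed lines in the syslog format sshd emits
    "Sep 17 06:27:01 srv sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:abcd",
    "Sep 17 06:27:05 srv sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Sep 17 06:27:09 srv sshd[1241]: Accepted password for bob from 192.0.2.11 port 51300 ssh2",
    "Sep 17 06:27:10 srv sshd[1241]: pam_unix(sshd:session): session opened for user bob by (uid=0)",
]

if __name__ == "__main__":
    # Client running identd that owns the port: %u would become "alice".
    print(ident_lookup("127.0.0.1", 51234, 22, ident_port=fake_identd({51234: "alice"})))
    # identd present but does not know the port: ERROR reply -> "unknown".
    print(ident_lookup("127.0.0.1", 40022, 22, ident_port=fake_identd({})))
    # Typical modern client, nothing on 113: connection refused -> "unknown".
    print(ident_lookup("127.0.0.1", 51300, 22, ident_port=closed_port()))
    for rec in parse_sshd_log(SAMPLE_LOG):
        print(rec)
```

The first two lookups only succeed because a cooperating identd is listening; the third is the common case today and is why the hosts.allow spawn line logs "unknown". Note that even a USERID answer is just a claim by the client machine, so the sshd log remains the authoritative record of which account actually authenticated.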