[Bug 637] ssh records that the user has logged out even though an sftp session is active

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Sep 14 04:39:03 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=637





------- Additional Comments From micah at cs.swt.edu  2003-09-14 04:39 -------
> wtmp is not for logins, it's for ttys.

  from UTMP(5) man page:

  "The file <utmp.h> declares the structures used to record information
   about current users in the file utmp, logins and logouts in the file
   wtmp, and last logins in the file lastlog."

  furthermore:

  "Next, the login program opens the file wtmp, and appends the user's utmp
   record.  The same utmp record, with an updated time stamp is later ap-
   pended to the wtmp file when the user logs out (see init(8))."

  an empty tty can be included in the log for that user. 

> using it for sftp is an abuse and causes portability nightmares.

  correct me if I'm wrong, but you already have "ssh_login.c", etc so the
portable wtmp logging code has been there for a while.  it's simply a matter of
incorporating the existing functionality in the write place i.e. whenever a
subsystem is called.


as it stands, ssh provides an insecure login method where a user can go
undetected by exploiting the subsystem and thus rendering commands such as 'who'
and 'last' useless...



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.




More information about the openssh-bugs mailing list