SSH and forced wtmp entries ...

Andrew Bartlett abartlet at pcug.org.au
Wed May 9 10:15:35 EST 2001


Jim Knoble wrote:
> 
> Circa 2001-May-08 08:02:04 +0200 dixit Randolf Skerka:
> 
> : On Mon, May 07, 2001 at 03:03:03PM +0200, Markus Friedl wrote:
> : > try to use
> : >     ssh -t host command
> : >
> : > is this ok?
> :
> : No, doesn't work, tried it before :-(
> :
> : > why do you need wtmp? ssh just emulates the
> : > traditional rsh/rlogin behaviour. wtmp gets
> : > updated only if you allocate a tty.
> : >
> : > every login is registered in /var/log/authlog
> :
> : Well, wtmp is available on all platforms. HP-UX does not have a
> : /var/log/authlog for example.
> 
> I think what Markus meant is that sshd logs all logins via syslogd,
> via the 'auth' facility, unless you've explicitly configured it not to.

But it does not show logouts (except for SSH Win clients), and there is
no easy way to tell how many people are using the system.  (Considering
a time to reboot, for example).

PAM sessions should show the logouts, but my message regarding that
breakage seemed to be ignored...

> 
> : Why I need it? Simple, if somebody enters "ssh worldserver rm -rf /" I
> : would like to know who did it ... ok, bad example rm will remove wtmp
> : too but I think you know what I mean, right?
> 
> If you're worried about someone being able to do that, then you have
> granted too much authority to people you don't trust.

For my case, I don't trust my users - I give them a restricted shell and
sftp, and I would like to know (with the normal unix tools) when they
login, logout and from where.

-- 
Andrew Bartlett
abartlet at pcug.org.au
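
Added example, not part of the original thread or of OpenSSH: a sketch of recovering "who logged in, from where, and when they logged out" from the syslog 'auth' records discussed above when no tty (and so no wtmp entry) exists. It assumes PAM session-close lines are being logged, that an sshd PID ties a login to its logout, and that lines follow the current OpenSSH/pam_unix format; the sample log is constructed.

```python
import re

# Constructed sample lines, modelled on current OpenSSH + pam_unix syslog output
# (assumption: the format on the 2001-era systems in this thread may differ).
SAMPLE_LOG = """\
May  9 10:01:02 worldserver sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 50514 ssh2
May  9 10:01:02 worldserver sshd[4101]: pam_unix(sshd:session): session opened for user alice by (uid=0)
May  9 10:03:40 worldserver sshd[4177]: Accepted password for bob from 198.51.100.7 port 40022 ssh2
May  9 10:03:40 worldserver sshd[4177]: pam_unix(sshd:session): session opened for user bob by (uid=0)
May  9 10:03:41 worldserver sshd[4177]: pam_unix(sshd:session): session closed for user bob
May  9 10:05:00 worldserver sshd[4190]: Failed password for carol from 203.0.113.5 port 33100 ssh2
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
CLOSED = re.compile(r"session closed for user (?P<user>[^\s(]+)")

def reconstruct_sessions(text):
    """Return one record per accepted login, in log order, with logout time if seen."""
    records, open_by_pid = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an sshd line
        pid, ts, msg = m["pid"], m["ts"], m["msg"]
        if a := ACCEPT.match(msg):
            rec = {"user": a["user"], "src": a["src"], "method": a["method"], "login": ts, "logout": None}
            records.append(rec)
            open_by_pid[pid] = rec  # a reused PID starts a fresh record
        elif (c := CLOSED.search(msg)) and pid in open_by_pid:
            if c["user"] == open_by_pid[pid]["user"]:
                open_by_pid.pop(pid)["logout"] = ts
    return records

def active_users(records):
    """Users with a login that has no matching session-close line yet."""
    return sorted({r["user"] for r in records if r["logout"] is None})

if __name__ == "__main__":
    for r in reconstruct_sessions(SAMPLE_LOG):
        print(r["user"], r["src"], r["login"], "->", r["logout"] or "still logged in")
    print("active:", active_users(reconstruct_sessions(SAMPLE_LOG)))
```

Failed attempts create no record, and a login whose close line never arrives (for instance after a crash) stays listed as active, so the count is an upper bound.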



More information about the openssh-unix-dev mailing list