SSH and forced wtmp entries ...

Petri Kaukasoina kaukasoi at elektroni.ee.tut.fi
Tue May 15 19:09:57 EST 2001


On Mon, May 14, 2001 at 01:42:45PM +0200, Randolf Skerka wrote:
> I told you how easy it is for a user to hide himself from wtmp (ssh -l
> user xterm) he has an interactive shell, is logged by authlog, ok, but it's
> unclear if he is logged in at this moment.

Suppose sshd logged in wtmp. Here the X protocol is not routed via the ssh
connection but goes directly:

xhost + otherhost
ssh otherhost "xterm -display $DISPLAY < /dev/null >& /dev/null &"

After invoking xterm in the background the ssh session finishes and wtmp
shows that the user logged out immediately. But the user still has the
interactive shell.



More information about the openssh-unix-dev mailing list
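
The gap discussed in this message, a user who still owns an interactive shell after wtmp records a logout, can be checked for on the host by comparing the session list with process ownership. The script below is an added example, not part of the original post; the function names, the skip list and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Report processes owned by users who have no current utmp session.
# Inputs are files so the check also works on saved output; on a live host:
#   who > who.txt; ps -eo user=,pid=,args= > ps.txt; sh this.sh who.txt ps.txt

# Constructed sample data (not from the original post).
sample_who() {
cat <<'EOF'
alice    pts/0        2001-05-15 18:02 (client1)
EOF
}
sample_ps() {
cat <<'EOF'
root         1 init
alice      812 -bash
bob        940 xterm -display client2:0
bob        941 bash
EOF
}

# orphan_procs WHO_FILE PS_FILE [SKIP_USERS]
# Prints "user pid command" for every process whose owner is absent from
# WHO_FILE. SKIP_USERS is a space-separated list of accounts expected to run
# without a login session (assumed default: "root daemon").
orphan_procs() {
    awk -v skip="${3:-root daemon}" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) ignore[s[i]] = 1 }
        # Test FILENAME rather than NR == FNR so that an empty who file
        # (nobody logged in) does not swallow the ps listing.
        FILENAME == ARGV[1] { logged[$1] = 1; next }
        !($1 in logged) && !($1 in ignore) {
            user = $1; pid = $2
            $1 = ""; $2 = ""; sub(/^ +/, "")
            print user, pid, $0
        }
    ' "$1" "$2"
}

# Stand-alone use: pass the two files as arguments.
if [ "$#" -ge 2 ]; then
    orphan_procs "$@"
fi
```

On the sample data this flags both of bob's processes, since bob owns an xterm and a shell but has no entry in the `who` output.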