SSH and forced wtmp entries ...
Andrew Bartlett
abartlet at pcug.org.au
Tue May 15 19:55:16 EST 2001
Petri Kaukasoina wrote:
>
> On Mon, May 14, 2001 at 01:42:45PM +0200, Randolf Skerka wrote:
> > I told you how easy it is for a user to hide himself from wtmp (ssh -l
> > user xterm) he has an interactive shell, is logged by authlog, ok, but it's
> > unclear if he is logged in at this moment.
>
> Suppose sshd logged in wtmp. Here the X protocol is not routed via the ssh
> connection but goes directly:
>
> xhost + otherhost
> ssh otherhost "xterm -display $DISPLAY < /dev/null >& /dev/null &"
>
> After invoking xterm on the background the ssh session finishes and wtmp
> shows that the user logged out immediately. But the user still has the
> interactive shell.

Then the issue is why you allow that connection out. In any case, not
knowing who is currently logged in can be quite a pain - and when it's
actually pretty simple to implement I would like the extra ability to
track my users.

On the non-security side, utmp and wtmp logging provides an easy way to
measure system usage and a way to quickly profile where they log in
from.

Finally, even if they can continue an interactive session, there would
have been at least a small entry in the relevant logfiles - and in the
place most admins expect them.

Andrew Bartlett
abartlet at pcug.org.au
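
An added example, not part of the original message and not OpenSSH code: a reconciliation check that replays wtmp records and flags processes owned by ordinary users who have no open login record, which covers both cases discussed in the thread (no record at all, and a record that closes while an xterm keeps running). It assumes the 384-byte Linux/glibc `struct utmp` layout; the function names, the process-table format and all sample records are constructed for illustration.

```python
import struct

# Assumed layout: Linux/glibc x86-64 struct utmp, 384 bytes per record.
UTMP = struct.Struct("<h2xi32s4s32s256shhiii4i20s")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8

def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def open_sessions(wtmp):
    """Replay wtmp records in order; return {tty line: user} still logged in."""
    live = {}
    for off in range(0, len(wtmp) - UTMP.size + 1, UTMP.size):
        rec = UTMP.unpack_from(wtmp, off)
        ut_type, line, user = rec[0], _cstr(rec[2]), _cstr(rec[4])
        if ut_type == BOOT_TIME:
            live.clear()              # a reboot ends every earlier session
        elif ut_type == USER_PROCESS:
            live[line] = user         # login on this line
        elif ut_type == DEAD_PROCESS:
            live.pop(line, None)      # logout closes the line
    return live

def unaccounted(wtmp, processes, min_uid=1000):
    """Processes of ordinary users who have no open login record."""
    logged_in = set(open_sessions(wtmp).values())
    return [p for p in processes
            if p["uid"] >= min_uid and p["user"] not in logged_in]

def _rec(ut_type, pid, line, user, host, ts):
    # Build one constructed record for the sample below.
    return UTMP.pack(ut_type, pid, line, b"", user, host,
                     0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

# Constructed sample: alice stays logged in, bob's session closes at once,
# carol ran a command without a tty and never got a record.
SAMPLE_WTMP = b"".join([
    _rec(BOOT_TIME, 0, b"~", b"reboot", b"", 989900000),
    _rec(USER_PROCESS, 411, b"pts/0", b"alice", b"host-a.example", 989913000),
    _rec(USER_PROCESS, 502, b"pts/1", b"bob", b"host-b.example", 989913300),
    _rec(DEAD_PROCESS, 502, b"pts/1", b"", b"", 989913301),
])
SAMPLE_PROCS = [  # constructed process table (e.g. gathered from ps)
    {"pid": 1, "uid": 0, "user": "root", "cmd": "init"},
    {"pid": 412, "uid": 1001, "user": "alice", "cmd": "bash"},
    {"pid": 530, "uid": 1002, "user": "bob", "cmd": "xterm"},
    {"pid": 611, "uid": 1003, "user": "carol", "cmd": "xterm"},
]
```

Calling `unaccounted(SAMPLE_WTMP, SAMPLE_PROCS)` returns the two xterm entries; on a real host, daemons running under ordinary UIDs would need an allowlist.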