Logging of client commands, possible?
Ben Lindstrom
mouring at etoh.eviladmin.org
Tue Mar 12 01:56:47 EST 2002
On Tue, 12 Mar 2002, Dan Kaminsky wrote:
> > sorry if this has been discussed before, I did a quick search on the
> > mailing list but found nothing pertinent.
> >
> > My question: is it possible to log all data that is sent from the ssh
> > client to the sshd server?
> >
> > Rationale: I'd like to log all commands that users execute when being
> > logged in via ssh. And I mean all, as the system in question is a
> > sensitive production server, so the shell history isn't quite
> > sufficient.
>
> There are TTY snooping apps, but SSH can be used to execute commands without
> a TTY. (For example, one can use SSH to execute a non-snooping SSHD that
> would escape the TTY sniffer. But that's pretty damn obscure.)
>
> Recording all traffic in and out of SSHD is certainly possible, and for the
> highly sensitive environment you refer to, not necessarily a bad idea...
>
> Hmmm. If you need something urgently, some variation on messing around with
> script might help. The ugliness of making this happen right is a good sign
> that building this into OpenSSH might be the right idea. But:
>
> # mv /bin/csh /bin/csh_real
> # cat > /bin/csh
> #!/bin/sh
> exec script -q /tmp/log.$$ csh_real
> # chmod 0755 /bin/csh
>
> ...*does* seem to have a useful effect, without involving kernel level
> sniffing. There are *all* sorts of problems -- the logs are owned by the
> users, the logger shows up and can be killed by the user, and I don't even
> want to think about how to trace /bin/sh like that -- but it ain't bad for
> about 5 minutes of thought :-)
>
Problems like someone uploading a shell script called 'whiterabit.sh'
and then running it? And at the end of the script it removes itself?
Using System Auditing Reports is the only sane way of doing this. As
it was pointed out in secureshell@
- Ben
More information about the openssh-unix-dev
mailing list