Logging of client commands, possible?

[RGiersig at a1.net]

> > Using System Auditing Reports is the only sane way of doing 
> > this.  As it was pointed out in secureshell@
> 
> I'm not sure it's sane, but it's definitely the "correct" method.  
> Correct doesn't mean usable, though.
> 
> Enforcing accountability among trusted peers is often even more 
> importantthan maintaining security -- when something breaks, first 
> you want to know
> who broke it, then you want to know what they did to cause the break.

Right.  I concurr that SARs are the correct way to do this and even 
tried to set them up, but alas, configuration was a nightmare and 
usability was abysmal.

I haven't looked into TTY auditing, that of course would be the best 
thing if the kernel gives you the possibility to log what is sent via a 
pseudo-terminal.  But I don't think that that there are many OSes with 
that ability...

> I consider this request somewhat orthogonal to the security 
> aspects of SSH -- it's a trait of the shell environment that
> the admin would like SSH to securely provide, rather than
> a trait of the security SSH is applying to the system.

You are right of course, but given that SSHD is a single point of 
authenticated data flow, adding logging to SSHD gives maximum 
flexibility.  Instead of having to enforce the usage of a certain shell 
that does logging and thus restricting the users choices (one user 
wants bash, that one zsh, that one ksh...) I simply log what the client 
sends to the server.  This also includes what gets sent via 'scp', so 
that whiterabbit.sh gets logged too.  Of course there are a lot of 
holes to be plugged, port-forwarding for example, to make this hacker-
proofed...

As of orthogonal, I don't think so.  SSH is very strong on 
authorisation, why should auditing be left out?

Anyway, what's the chance that a patch for logging would be accepted 
and incorporated?

Cheers!

Roland
--
RGiersig at cpan.org