Logging of client commands, possible?

RGiersig at a1.net
Tue Mar 12 21:58:12 EST 2002


> > I believe one can obfuscate one's tty session such that you 
> > might not really figure out what was done merely through a
> > keystroke replay.
> 
> Ah, but if the only incoming channel of de-obfuscation code is itself
> tapped, it's actually provably impossible to successfully 
> obfuscate the code.

Right, and don't forget that ssh already provides strong 
authentication, so that should be enough to be able to point a finger 
at somebody and have the inquisition take over.  "What were you 
uploading there?"

> > I think a tty-log plus a history of exec*()s and open()s and 
> > creat()s and so on would be a rather complete record, yes. But 
> > ultimately a sufficiently nasty and savvy user can get 'round
> > such logging (though the obfuscation necessary might itself
> > raise enough red flags that you could catch such a user).
> 
> As I've been saying, often the "enemy" is lack of documentation and
> accountability, not an active attacker.  Production machines need 
> histories of who did what when.

That's exactly my point.  Providing a secure, stable, shared computing 
environment to untrusted users is nearly impossible, so we don't have 
to go that way (but it's of course interesting to talk about it).  If I 
had to do this, I'd run multiple virtual machines and give every user 
her own.  Proper load-balancing and quotas do the rest...

So I'll summarize my wishes:  per-connection logging of what gets sent 
from the client to the server.  When a connection gets accepted, a 
logfile is created in a logdir whose filename contains a timestamp, pid 
of the sshd process that handles the connection, if a terminal is 
requested, authenticated user name and hostname from where the 
connection came.  If the session uses a tty, a timestamp is written 
periodically to the logfile (once a minute) to give an indication what 
happened when.  X forwarding could be logged the same way, as well as 
other forwarded ports.

Anybody from the openssh developer team reading this?

Roland
--
RGiersig at cpan.org
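The per-connection logging scheme wished for above, written out as an added example (not OpenSSH code and not the poster's): the log file name is built from the accept timestamp, the sshd pid, a tty flag, the authenticated user and the client host, and a timestamp marker is written once a minute while a tty session is active. The name sanitizing, the exclusive-create open flags and the 0o600 file mode are assumptions the post does not state.

```python
import os
import re
import time
from datetime import datetime, timezone

MARK_INTERVAL = 60  # seconds between timestamp markers in tty sessions ("once a minute")


def sanitize(field: str) -> str:
    """User and host names come from the peer: keep the file name free of unsafe characters."""
    return re.sub(r"[^A-Za-z0-9_.-]", "_", field)[:64] or "unknown"


def log_filename(accepted_at: float, pid: int, has_tty: bool, user: str, host: str) -> str:
    """Timestamp, sshd pid, tty flag, user name and client host, in the order the post lists."""
    stamp = datetime.fromtimestamp(accepted_at, timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    tty = "tty" if has_tty else "notty"
    return f"{stamp}.{pid}.{tty}.{sanitize(user)}.{sanitize(host)}.log"


class SessionLogger:
    """Records the client->server bytes of one connection on a binary stream."""

    def __init__(self, stream, has_tty: bool):
        self.stream = stream
        self.has_tty = has_tty
        self.last_mark = None  # time of the last timestamp marker, None before the first

    def record(self, data: bytes, now=None) -> bool:
        """Append client input; returns True when a timestamp marker was written first."""
        now = time.time() if now is None else now
        marked = False
        # Only tty sessions get periodic markers; non-tty sessions are logged raw.
        if self.has_tty and (self.last_mark is None or now - self.last_mark >= MARK_INTERVAL):
            stamp = datetime.fromtimestamp(now, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
            self.stream.write(f"\n[{stamp}]\n".encode())
            self.last_mark = now
            marked = True
        self.stream.write(data)
        self.stream.flush()
        return marked


def open_session_log(logdir: str, pid: int, has_tty: bool, user: str, host: str) -> SessionLogger:
    """Create the per-connection file at the moment the connection is accepted (assumed flags)."""
    path = os.path.join(logdir, log_filename(time.time(), pid, has_tty, user, host))
    # O_EXCL refuses to append to a pre-existing file; 0o600 keeps the keystroke log private.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    return SessionLogger(os.fdopen(fd, "wb"), has_tty)
```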