Monitoring ssh logins/logouts
Mark Janssen
maniac at maniac.nl
Wed Apr 6 21:56:19 EST 2005
On Wed, 2005-04-06 at 12:40 +0200, Jakob Curdes wrote:
> Hello,
>
> we are trying to monitor ssh logins on security-critical machines with a
> script that scans logfiles for the relevant entries.
> A problem is that when the ssh connection is closed by a network
> interruption or by closing the window with the ssh client, we do not
> find a corresponding entry in the logs. "last" does not show this
> information either, at least on our systems which are RedHat Linux
> based. Is there any way to record a "User gone" or so ? At a certain
> point, the daemon closes the connection when the client has gone away;
> would it be possible to log this ?
>
> I would be grateful for a hint.
host sshd[pid]: (pam_unix) session opened for user myuser by (uid=0)
host sshd[pid]: (pam_unix) session closed for user myuser
Seems to work here just fine (killing the ssh connection with ~. or with
kill)
Last also logs the logouts here...
myuser pts/4 ip Wed Apr 6 13:53 - 13:53 (00:00)
myuser pts/4 ip Wed Apr 6 13:52 - 13:52 (00:00)
myuser pts/4 ip Wed Apr 6 13:52 - 13:52 (00:00)
This is on a debian system, and using PAM and key-based auth.
--
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178 | ,''`. |
Unix / Linux Open-Source and Internet Consultant @ Snow.nl | : :' : |
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl | `. `' |
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet | `- |
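
An added example, not part of the original message or of OpenSSH: a log scan that pairs the "session opened" and "session closed" lines quoted in the reply and reports sessions that never logged a close. It assumes a standard syslog timestamp and host prefix and that both lines carry the same sshd pid; the sample lines, pids and the name pair_sessions are constructed for illustration.

```python
import re

# Constructed sample: the two pam_unix messages quoted in the reply, with
# syslog timestamps and concrete pids added (assumed values).
SAMPLE_LOG = """\
Apr  6 13:52:01 host sshd[2101]: (pam_unix) session opened for user myuser by (uid=0)
Apr  6 13:52:40 host sshd[2101]: (pam_unix) session closed for user myuser
Apr  6 13:53:05 host sshd[2107]: (pam_unix) session opened for user myuser by (uid=0)
Apr  6 13:53:09 host sshd[2099]: Accepted publickey for myuser from 192.0.2.10 port 40122 ssh2
"""

# Timestamp, host, sshd pid, then the pam_unix open/close message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r".*session (?P<event>opened|closed) for user (?P<user>[^\s(]+)"
)

def pair_sessions(lines):
    """Pair open/close lines by (host, pid).

    Returns (completed, unclosed):
      completed: (user, pid, opened_ts, closed_ts)
      unclosed:  (user, pid, opened_ts) with no matching close line
    """
    open_sessions = {}  # (host, pid) -> (user, opened_ts)
    completed, unclosed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a session open/close line
        key = (m["host"], m["pid"])
        if m["event"] == "opened":
            if key in open_sessions:  # pid reused: earlier close was never logged
                user, ts = open_sessions[key]
                unclosed.append((user, key[1], ts))
            open_sessions[key] = (m["user"], m["ts"])
        else:
            opened = open_sessions.pop(key, None)
            if opened:  # ignore a close whose open predates this log file
                completed.append((opened[0], key[1], opened[1], m["ts"]))
    unclosed += [(u, pid, ts) for (_, pid), (u, ts) in open_sessions.items()]
    return completed, unclosed

if __name__ == "__main__":
    done, missing = pair_sessions(SAMPLE_LOG.splitlines())
    for user, pid, start, end in done:
        print(f"{user} sshd[{pid}] {start} -> {end}")
    for user, pid, start in missing:
        print(f"{user} sshd[{pid}] opened {start}, no close logged")
```

A session listed as unclosed may simply still be active, so compare the result against the live sshd processes before treating it as a missing logout record.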