Logging enhancement

Jim Knoble jmknoble at pobox.com
Thu Apr 26 03:01:23 EST 2007


Circa 2007-04-24 19:44 dixit Anderson Russell D (Andy):

: I would like to suggest a logging enhancement that would contribute
: greatly to access auditing.
: 
: Currently nothing is logged when a user connects to another server as a
: different user.
: 
: The auditing trail is broken for tracing access.
: 
: userA> ssh userB at hostB
: 
: A simple syslog addition (for example) to ssh.c closes that gap.
:         [...]

And what if the user logs into a remote system using an ssh program they
compiled themselves which doesn't have that logging bit in it?

    userA at hostA$ /path/to/my/own/ssh userB at hostB

At the very least, you'll need to track every command run by every user,
including its environment (PATH, other environment variables that can
control program behavior, including LD_PRELOAD on appropriate systems).

Furthermore, what if the user sets up a tunneled connection to hostB via
hostA and logs into hostB over that connection?

    user5 at hostQ$ ssh -f -N -L 23456:hostB:22 userA at hostA
    user5 at hostQ$ ssh -p 23456 userB at hostB

Now command logging doesn't even help, unless you can log commands run
on hostQ as well.

You're probably better off forcing users to use public key
authentication only, controlling the contents of ~/.ssh/authorized_keys
on the hosts on your network, setting sshd's LogLevel to VERBOSE, and
using the fingerprints logged by sshd to tell who logged into where from
where.  

Maybe look into whether using Kerberos and GSSAPI authentication can
help you.

You'll need policies to deal with things like users allowing use of
their accounts or credentials by someone else as well.

-- 
jim knoble  |  jmknoble at pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG key ID: 6F39C2CC  >>>>>>  http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 5024:D578:7CF4:5660:7269::F6F3:B919:9307:6F39:C2CC)
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing.  --Aldous Huxley|
+----------------------------------------------------------------------+
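The approach recommended above (controlled authorized_keys files plus sshd logging of key fingerprints) only pays off if someone actually joins the two data sets. The following is an added example, not code from the post or from the OpenSSH project: it builds a fingerprint inventory from authorized_keys contents you control, then attributes each accepted public-key login in sshd's syslog output to the person whose key was used, and flags logins whose key is in no inventory. All key blobs, accounts and log lines are constructed; the two log formats assumed are the newer one (fingerprint on the "Accepted publickey" line) and the older VERBOSE one (a separate "Found matching ... key:" line with an MD5 fingerprint, joined to the Accepted line by sshd pid).

```python
import base64
import hashlib
import re
import struct

# --- Constructed inventory: authorized_keys files you control on hostB -------
# The key blobs are synthetic ssh-ed25519 wire encodings around made-up 32-byte
# "public keys", so they parse like real keys but belong to nobody.
def _fake_ed25519_blob(seed: bytes) -> str:
    raw = hashlib.sha256(seed).digest()          # 32 bytes standing in for a pubkey
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return base64.b64encode(blob).decode()

BLOBS = {name: _fake_ed25519_blob(name.encode())
         for name in ("alice", "bob", "carol", "mallory")}

AUTHORIZED_KEYS = {   # account on hostB -> file contents (key options allowed)
    "userB": (f"ssh-ed25519 {BLOBS['alice']} alice@laptop\n"
              f'from="10.0.0.0/24" ssh-ed25519 {BLOBS["bob"]} bob@desktop\n'),
    "root": f"# admins only\nssh-ed25519 {BLOBS['carol']} carol@admin\n",
}

KEY_RE = re.compile(r"(?:^|\s)(ssh-[a-z0-9]+|ecdsa-sha2-nistp\d+|sk-\S+@openssh\.com)"
                    r"\s+([A-Za-z0-9+/=]+)\s*(.*)$")

def sha256_fingerprint(blob_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: unpadded base64 of sha256(decoded key blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def md5_fingerprint(blob_b64: str) -> str:
    """Legacy colon-separated MD5 fingerprint, as older sshd versions logged it."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(base64.b64decode(blob_b64)).digest())

def build_inventory(authorized_keys: dict) -> dict:
    """Map every key fingerprint (both formats) to (account, key comment)."""
    inventory = {}
    for account, text in authorized_keys.items():
        for line in text.splitlines():
            m = KEY_RE.search(line)
            if line.startswith("#") or not m:
                continue
            _, blob, comment = m.groups()
            for fp in (sha256_fingerprint(blob), md5_fingerprint(blob)):
                inventory[fp] = (account, comment.strip())
    return inventory

# --- Constructed sshd log lines (syslog format) -------------------------------
# Lines 1-2: newer sshd, fingerprint on the Accepted line itself.
# Lines 3-4: older sshd at LogLevel VERBOSE, fingerprint on a separate line.
# Line 5:    a key that is in no authorized_keys file you control.
LOG_LINES = [
    "Apr 24 19:44:01 hostB sshd[4101]: Accepted publickey for userB from 10.0.0.5 "
    f"port 50123 ssh2: ED25519 {sha256_fingerprint(BLOBS['alice'])}",
    "Apr 24 19:50:12 hostB sshd[4190]: Accepted publickey for root from 10.0.0.9 "
    f"port 50200 ssh2: ED25519 {sha256_fingerprint(BLOBS['carol'])}",
    f"Apr 24 20:01:33 hostB sshd[4311]: Found matching ED25519 key: {md5_fingerprint(BLOBS['bob'])}",
    "Apr 24 20:01:33 hostB sshd[4311]: Accepted publickey for userB from 10.0.0.7 port 50310 ssh2",
    "Apr 24 20:15:02 hostB sshd[4402]: Accepted publickey for userB from 192.0.2.44 "
    f"port 50444 ssh2: ED25519 {sha256_fingerprint(BLOBS['mallory'])}",
]

ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<account>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?:: \S+ (?P<fp>\S+))?")
FOUND_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: Found matching \S+ key: (?P<fp>\S+)")

def correlate(log_lines, inventory):
    """Attribute each accepted public-key login to the person whose key it was."""
    pending = {}   # sshd pid -> fingerprint from an earlier 'Found matching' line
    events = []
    for line in log_lines:
        m = FOUND_RE.search(line)
        if m:
            pending[m["pid"]] = m["fp"]
            continue
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        fp = m["fp"] or pending.pop(m["pid"], None)
        known = inventory.get(fp)
        events.append({
            "account": m["account"], "from": m["ip"], "fingerprint": fp,
            "key_owner": known[1] if known else None,
            # A login accepted with a key absent from the inventory means the
            # authorized_keys file on the host differs from what you expect.
            "alert": None if known else "key not in controlled inventory",
        })
    return events

def audit():
    return correlate(LOG_LINES, build_inventory(AUTHORIZED_KEYS))

if __name__ == "__main__":
    for event in audit():
        print(event)
```

The inventory is keyed on both fingerprint formats so one table serves old and new sshd versions; in practice you would rebuild it from the authorized_keys files you distribute, and alert on any accepted login whose fingerprint is missing from it, since that is exactly the case where the host's keys drifted from what you control.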

