Log ssh sessions using open source tools

Philipp Marek philipp at marek.priv.at
Sun Nov 4 06:31:57 AEDT 2018


Well, one way might be to have strace active on the ssh process. You can only log program executions like this:

  strace -f -p <pid of process> -v -e execve -o <logfile>

Though you'll need to know the parent/child relationships and user IDs, as well as file descriptors, so there should be fork, clone, open, close, openat, dup, dup2, setuid, seteuid, setreuid and perhaps a few others in the set of traced syscalls.

I guess that a "restricted shell" might be another way; or, if you have cooperation of the users involved, a simple "force-command" involving "script" (1) might work as well.

If you are not sure about users' cooperation, you'll need some protected process - like the strace running as uid 0.
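
The parent/child and user-ID bookkeeping mentioned above, as an added example that is not part of the original post: a Python parser that reads an `strace -f` log and lists each successful execve with its parent PID and effective user. The sample log lines, the PIDs and the function names are constructed for illustration, and the uid lookup assumes setuid was called before the fork.

```python
import re

# Constructed sample of a log written by: strace -f -v -e trace=execve,clone,setuid -o <logfile>
SAMPLE_LOG = '''\
4100 clone(child_stack=NULL, flags=CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f0000000a10) = 4101
4101 setuid(1000) = 0
4101 execve("/bin/bash", ["-bash"], ["HOME=/home/alice"]) = 0
4101 clone(child_stack=NULL, flags=SIGCHLD <unfinished ...>
4102 execve("/usr/bin/scp", ["scp", "-t", "/tmp"], ["HOME=/home/alice"]) = 0
4101 <... clone resumed>) = 4102
4102 execve("/nonexistent", ["x"], []) = -1 ENOENT (No such file or directory)
'''

LINE = re.compile(r'^(\d+)\s+(?:(\w+)\(|<\.\.\. (\w+) resumed>)(.*)$')
RESULT = re.compile(r'=\s+(-?\d+)(?:\s.*)?$')
EXEC = re.compile(r'"((?:[^"\\]|\\.)*)", \[(.*?)\], ')
STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse(log):
    """Return (child -> parent map, pid -> uid map, list of successful execve calls)."""
    parent, uid, execs = {}, {}, []
    for line in log.splitlines():
        m = LINE.match(line)
        r = RESULT.search(m.group(4)) if m else None
        if not r:
            continue  # unparsable, or "<unfinished ...>" (result is on the "resumed" line)
        pid, call, rest, ret = int(m.group(1)), m.group(2) or m.group(3), m.group(4), int(r.group(1))
        if call in ('clone', 'clone3', 'fork', 'vfork') and ret > 0:
            parent[ret] = pid  # return value in the parent is the child's pid
        elif call == 'setuid' and ret == 0:
            uid[pid] = int(rest.split(')')[0])
        elif call == 'execve' and ret == 0 and (e := EXEC.match(rest)):
            execs.append((pid, e.group(1), STRING.findall(e.group(2))))
    return parent, uid, execs

def session_commands(log, root_pid):
    """List execve calls made by descendants of root_pid (the traced ssh process)."""
    parent, uid, execs = parse(log)
    out = []
    for pid, path, argv in execs:
        chain = [pid]
        while chain[-1] in parent and chain[-1] != root_pid:
            chain.append(parent[chain[-1]])
        if chain[-1] != root_pid:
            continue  # not part of this session's process tree
        # Simplification: uid is taken from the nearest process in the chain that called setuid.
        who = next((uid[p] for p in chain if p in uid), None)
        out.append({'pid': pid, 'ppid': parent.get(pid), 'uid': who, 'path': path, 'argv': argv})
    return out
```

The child's execve can appear in the log before the parent's "clone resumed" line, which is why the process tree is resolved only after the whole log has been read.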


More information about the openssh-unix-dev mailing list