Log ssh sessions using open source tools

Vincenzo Romano vincenzo.romano at notorand.it
Sun Nov 4 21:11:51 AEDT 2018


On Sat, 3 Nov 2018 at 20:12, Joseph S. Testa II
<jtesta at positronsecurity.com> wrote:
>
> Hi Kaushal,
>
>     I'm the author of ssh-mitm (https://github.com/jtesta/ssh-mitm),
> which is a penetration testing tool for man-in-the-middling SSH connections.
>
>     If you can ARP spoof a client (or otherwise route connections for
> them), and if they ignore the changed host-key warning, then you can
> record the full connection stream.  You will log their passwords as well
> (it doesn't work for key authentication, though).  Full SFTP traffic is
> captured too.
>
>     It might be overkill for what you're trying to do, but I thought I'd
> mention it.
>
>     - Joe
>
> --
> Joseph S. Testa II
> Founder & Principle Security Consultant
> Positron Security
>
>
> On 11/3/18 1:08 PM, Kaushal Shriyan wrote:
> > Hi,
> >
> > Are there any open source tools to keep track of ssh sessions? For example,
> > if a specific user is ssh logging to remote server and what commands or
> > scripts are being run. Basically, I need to log all users' sessions.
> >
> > Thanks in advance and I look forward to hearing from you.
> >
> > Best Regards,
> >
> > Kaushal

Normally the ssh daemon can log a lot of details of an ssh session,
like authentication type, source IP, user name, spawned shell and the
like.

What you are talking about is shell-related and won't be logged by a
normal ssh daemon.
You'd spoof on the pseudo-tty in order to record a full user tty
session, which is thus off-topic here.

The MITM approach is something that surely works, at the price of
making ssh security and privacy more similar to those of telnet.
And the users will know you are eavesdropping on their sessions.

-- 
Vincenzo Romano - NotOrAnd.IT
Information Technologies
--
NON QVIETIS MARIBVS NAVTA PERITVS
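
Added example, not part of the original message or of OpenSSH: a small parser for the session details the reply says sshd logs (authentication type, source IP, user name), run over constructed syslog lines. The host name, log lines and the assumption that authentication and PAM session lines share one sshd PID are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH syslog format (not real data).
SAMPLE_LOG = """\
Nov  4 10:01:12 bastion sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 52344 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
Nov  4 10:01:12 bastion sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Nov  4 10:03:40 bastion sshd[2250]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Nov  4 10:03:44 bastion sshd[2250]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Nov  4 10:05:02 bastion sshd[2301]: Accepted password for bob from 198.51.100.7 port 61001 ssh2
Nov  4 10:05:02 bastion sshd[2301]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Nov  4 10:09:30 bastion sshd[2211]: pam_unix(sshd:session): session closed for user alice
"""

# Syslog prefix: timestamp, host, then the sshd process id.
PREFIX = r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: "
AUTH = re.compile(PREFIX + r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
                  r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SESSION = re.compile(PREFIX + r"pam_unix\(sshd:session\): session (?P<state>opened|closed) for user (?P<user>\S+)")

def parse_sessions(text):
    """Return (sessions keyed by sshd PID, failed-attempt counts keyed by source IP)."""
    sessions, failures = {}, defaultdict(int)
    for line in text.splitlines():
        m = AUTH.match(line)
        if m and m["result"] == "Accepted":
            # Assumption: later PAM session lines for this login carry the same PID.
            sessions[m["pid"]] = {"user": m["user"], "method": m["method"], "ip": m["ip"],
                                  "login": m["ts"], "opened": None, "closed": None}
        elif m:
            failures[m["ip"]] += 1
        m = SESSION.match(line)
        if m and m["pid"] in sessions:
            sessions[m["pid"]][m["state"]] = m["ts"]
    return sessions, dict(failures)

if __name__ == "__main__":
    sessions, failures = parse_sessions(SAMPLE_LOG)
    for pid, s in sessions.items():
        print(pid, s)
    print("failed attempts by source:", failures)
```

Nothing in these lines records the commands a user ran inside the shell, which is the gap the reply points out.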


More information about the openssh-unix-dev mailing list