sftp and wtmp support

Heikki Orsila heikki.orsila at iki.fi
Sat Dec 5 23:00:37 AEDT 2020

On Thu, Dec 03, 2020 at 01:55:06PM -0700, Bob Proulx wrote:
> Heikki Orsila wrote:
> > Bob Proulx wrote:
> > > I am scanning the /var/log/auth.log file for this information.  That's
> > > where the information is logged.
> > 
> > Do you have this tool available somewhere?
> My use is ad-hoc scanning with awk, grep, sed, perl.  So not really a
> general purpose tool.  But the format is simple and not too difficult.
> Here is example.  This might not be completely correct but it has been
> sufficient for my needs.  YMMV.
>     Dec  2 18:58:55 havoc sshd[24031]: Accepted publickey for teaclub from port 44854 ssh2: RSA SHA256:Nab5H8iLOWfU704AhqiYQkiX8T5ADv2a83uCw/vQLL0
>     Dec  2 18:58:55 havoc sshd[24031]: pam_unix(sshd:session): session opened for user teaclub by (uid=0)
> The sshd is recording the process that is now parenting that process
> tree.  In this case it is 24031.  Then that same process is logged
> through PAM starting a session.  Then later that session is closed.
>     Dec  2 20:18:26 havoc sshd[24031]: pam_unix(sshd:session): session closed for user teaclub
> In my case I am tracking only public key logins.  I have a perl script
> which reads the log file line by line.  It looks for lines that match
> the /Accepted publickey for/ pattern.  It extracts the sshd pid.  It
> then reads line looking for that sshd pid looking for the session
> open.  And then later for the session close.  (Note that after the
> session is closed the pid may be reused.)  The session open and close
> information logged there provides the information I needed.

Thanks, Bob! It seems you have implemented the option 1 in the
original question.

- Heikki

More information about the openssh-unix-dev mailing list