[Bug 2503] New: The sshd log files are insufficient to detect sessions

bugzilla-daemon at bugzilla.mindrot.org
Fri Nov 20 22:16:30 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2503

            Bug ID: 2503
           Summary: The sshd log files are insufficient to detect sessions
           Product: Portable OpenSSH
           Version: 7.1p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: felix-mindrot at fefe.de

I am working on software for log file analysis, and one of the ideas
is to identify active sessions on a system so the software can warn if
something is running as a user on a system when that user is not logged
in.

Here is a typical log output from sshd (the portable version) on my
Linux server:

Nov 20 12:00:42 ptrace sshd[27769]: Accepted publickey for leitner from
[ip] port 41122 ssh2: ED25519 [fingerprint]
Nov 20 12:00:51 ptrace sshd[27773]: Received disconnect from [ip]: 11:
disconnected by user

Note how there is insufficient information here to link these two log
entries. The PID of sshd is different, and the IP alone is not
sufficient to link the entry. There could be more than one login from
that IP.

Adding the user name that is disconnecting would help, but it would
still be more of a heuristic than a real link. Suggestion: Add the port
to the disconnect message. Or make sure both the accept and disconnect
messages come from the same PID. Or put a unique session ID in the
messages so collation is possible. Or all of the above :-)

Note that the problem goes away if you use PAM, because PAM does
additional logging on top of what sshd does. However, PAM is not
mandatory (I don't use PAM here), and I think it should be possible to
do this kind of analysis even without PAM. Otherwise why do we have
sshd logs in the first place?

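As an added example (not part of the bug report or of OpenSSH), the correlation problem described above worked through in code: a small session tracker run over constructed log lines in the quoted format. It shows that the PID link fails, that an IP-only fallback becomes ambiguous as soon as two logins share an address, and that the port the report proposes in the disconnect message makes the link exact. PIDs, addresses, ports and fingerprints are constructed placeholders.

```python
import re

# Constructed sample lines modelled on the two in the report, plus a second
# login from the same address. Addresses, ports and fingerprints are placeholders.
SAMPLE_LOG = """\
Nov 20 12:00:42 ptrace sshd[27769]: Accepted publickey for leitner from 203.0.113.5 port 41122 ssh2: ED25519 SHA256:placeholder
Nov 20 12:00:45 ptrace sshd[27801]: Accepted publickey for leitner from 203.0.113.5 port 41130 ssh2: ED25519 SHA256:placeholder
Nov 20 12:00:51 ptrace sshd[27773]: Received disconnect from 203.0.113.5: 11: disconnected by user
"""

# The same disconnect in the format the report asks for (port added); constructed, not real output.
SAMPLE_LOG_WITH_PORT = SAMPLE_LOG.replace(
    "from 203.0.113.5: 11:", "from 203.0.113.5 port 41122: 11:")

ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted \S+ for (\S+) from (\S+) port (\d+) ")
DISCONNECT = re.compile(r"sshd\[(\d+)\]: Received disconnect from (\S+)(?: port (\d+))?:")


def correlate(log_text):
    """Pair 'Accepted' lines with disconnect lines into sessions.

    Returns (still_open, ambiguous): sessions with no matching disconnect,
    and (line, candidate_count) for disconnects not tied to exactly one session.
    """
    open_sessions = []
    ambiguous = []
    for line in log_text.splitlines():
        m = ACCEPT.search(line)
        if m:
            pid, user, ip, port = m.groups()
            open_sessions.append({"pid": pid, "user": user, "ip": ip, "port": port})
            continue
        m = DISCONNECT.search(line)
        if not m:
            continue
        pid, ip, port = m.groups()
        # Exact link by PID: only works if sshd logs both messages from one process.
        candidates = [s for s in open_sessions if s["pid"] == pid]
        if not candidates and port is not None:
            # Exact link by (ip, port): what the report proposes.
            candidates = [s for s in open_sessions if s["ip"] == ip and s["port"] == port]
        if not candidates:
            # Heuristic fallback by IP alone: ambiguous when several logins share the address.
            candidates = [s for s in open_sessions if s["ip"] == ip]
        if len(candidates) == 1:
            open_sessions.remove(candidates[0])
        else:
            ambiguous.append((line, len(candidates)))
    return open_sessions, ambiguous
```

With the stock format both logins stay open and the disconnect is reported as ambiguous with two candidates; with the port present the disconnect closes exactly the session on port 41122.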