Logging of client commands, possible?

Dan Kaminsky dan at doxpara.com
Wed Mar 13 01:55:38 EST 2002


> sorry if this has been discussed before, I did a quick search on the
> mailing list but found nothing pertinent.
>
> My question: is it possible to log all data that is sent from the ssh
> client to the sshd server?
>
> Rationale:  I'd like to log all commands that users execute when being
> logged in via ssh.  And I mean all, as the system in question is a
> sensitive production server, so the shell history isn't quite
> sufficient.

There are TTY snooping apps, but SSH can be used to execute commands without
a TTY.  (For example, one can use SSH to execute a non-snooping SSHD that
would escape the TTY sniffer.  But that's pretty damn obscure.)

Recording all traffic in and out of SSHD is certainly possible, and for the
highly sensitive environment you refer to, not necessarily a bad idea...

Hmmm.  If you need something urgently, some variation on messing around with
script might help.  The ugliness of making this happen right is a good sign
that building this into OpenSSH might be the right idea.  But:

# mv /bin/csh /bin/csh_real
# cat > /bin/csh
#!/bin/sh
exec script -q /tmp/log.$$ csh_real
# chmod 0755 /bin/csh

...*does* seem to have a useful effect, without involving kernel level
sniffing.  There are *all* sorts of problems -- the logs are owned by the
users, the logger shows up and can be killed by the user, and I don't even
want to think about how to trace /bin/sh like that -- but it ain't bad for
about 5 minutes of thought :-)

--Dan
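
One way to check for shells that are running outside the wrapper shown above (an added example, not part of the original message): the function reads `PID PPID USER COMM` lines and reports every `csh_real` whose parent process is not `script`. The function names, the sample process table and the output format are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag csh_real processes that are not children of script(1),
# i.e. sessions where the logger from the wrapper was bypassed or has died.
# Input on stdin: "PID PPID USER COMM" lines, for example from
#   ps -e -o pid= -o ppid= -o user= -o comm=

unlogged_shells() {
    awk '
        {
            c = $4
            sub(/.*\//, "", c)          # some ps builds print a full path
            pid[NR] = $1; ppid[$1] = $2; user[$1] = $3; comm[$1] = c
        }
        END {
            for (i = 1; i <= NR; i++) {
                p = pid[i]
                if (comm[p] != "csh_real") continue
                parent = comm[ppid[p]]   # empty if the parent is not listed
                if (parent != "script")
                    printf "%s %s parent=%s\n", p, user[p],
                           (parent == "" ? "?" : parent)
            }
        }'
}

# Constructed sample process table (not real output):
#   alice logged in through the wrapper, bob's sshd started csh_real
#   directly, carol's shell has been reparented to init.
sample_ps() {
    cat <<'EOF'
    1   0 root  init
  412   1 root  sshd
  901 412 alice sshd
  902 901 alice script
  903 902 alice script
  904 903 alice csh_real
  950 412 bob   sshd
  951 950 bob   csh_real
  977   1 carol csh_real
EOF
}

sample_ps | unlogged_shells
```

Process names are under the user's control, so this finds loggers that were killed or skipped, not a shell deliberately disguised as something else.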





More information about the openssh-unix-dev mailing list