Logging of client commands, possible?

Nicolas Williams Nicolas.Williams at ubsw.com
Tue Mar 12 04:34:49 EST 2002

On Mon, Mar 11, 2002 at 05:43:06PM +0100, RGiersig at a1.net wrote:
> I haven't looked into TTY auditing, that of course would be the best 
> thing if the kernel gives you the possibility to log what is sent via a 
> pseudo-terminal.  But I don't think that that there are many OSes with 
> that ability...

There's no technical reason why sshd couldn't implement TTY logging.

> > I consider this request somewhat orthogonal to the security 
> > aspects of SSH -- it's a trait of the shell environment that
> > the admin would like SSH to securely provide, rather than
> > a trait of the security SSH is applying to the system.
> You are right of course, but given that SSHD is a single point of 
> authenticated data flow, adding logging to SSHD gives maximum 
> flexibility.  Instead of having to enforce the usage of a certain shell 
> that does logging and thus restricting the users choices (one user 
> wants bash, that one zsh, that one ksh...) I simply log what the client 
> sends to the server.  This also includes what gets sent via 'scp', so 
> that whiterabbit.sh gets logged too.  Of course there are a lot of 
> holes to be plugged, port-forwarding for example, to make this hacker-
> proofed...

You're saying that with you'd really like to be able to get detailed
activity logs sorted by session and that makes you think that sshd is
the right place to build in the necessary technology.

There is only one way to safely get detailed activity logs and that's
throguh kernel hooks (that's part of what BSM auditing does on Solaris,
for example). But you could kluge it by using library interposition
techniques, e.g., through an LD_PRELOADable object that wraps around all
the system calls and library routines that you care about - then sshd's
only role would be to enforce the LD_PRELOAD setting (you can also use
library filters and eschew LD_PRELOAD).

Regardless, activity logging, other than TTY logging, doesn't belong in
sshd, and tty logging can be done externally to sshd, with varying
degrees of difficulty depending on what facilities the OS provides.

> As of orthogonal, I don't think so.  SSH is very strong on 
> authorisation, why should auditing be left out?

Whose job is it to log what activity? How can sshd log what children
processes are doing? By tracing them? Keep dreaming - that would be
double plus unfun. See above about session-sorting sar and also see
above about logging through library filtering.

> Anyway, what's the chance that a patch for logging would be accepted 
> and incorporated?
> Cheers!
> Roland
> --
> RGiersig at cpan.org


-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

More information about the openssh-unix-dev mailing list