Logging of client commands, possible?

Dan Kaminsky dan at doxpara.com
Wed Mar 13 22:05:04 EST 2002


> So I'll summarize my wishes:  per-connection logging of what gets sent
> from the client to the server.

I get the off feeling you wouldn't mind logging what the server sends back
to the client ;-)

>  When a connection gets accepted, a
> logfile is created in a logdir whose filename contains a timestamp, pid
> of the sshd process that handles the connection, if a terminal is
> requested, authenticated user name and hostname from where the
> connection came.  If the session uses a tty, a timestamp is written
> periodically to the logfile (once a minute) to give an indication what
> happened when.  X forwarding could be logged the same way, as well as
> other forwarded ports.

I'm thinking more about leaving the exact configuration of the log format up
to sshd_config, complete with variable completion.  Beyond dumping to a
file, it might be useful to specify a command which is executed for each
incoming SSH connection that gets piped the traffic of the TTY.  One could
imagine an off-host backup of all communication through that host.

Only problem is that this is a beautiful, beautiful method for capturing the
passwords of those who chain their SSH connections (type the password to
host2 into host1).  This is a *huge* problem with SSH in practical usage,
and while it's completely unnecessary, the behavior isn't convenient enough
to eliminate yet.

Of course, black hats aren't having any problem making trojan builds, now
are they?

--Dan

More information about the openssh-unix-dev mailing list