Logging of client commands, possible?

Nicolas Williams Nicolas.Williams at ubsw.com
Wed Mar 13 00:37:41 EST 2002


On Tue, Mar 12, 2002 at 11:58:12AM +0100, RGiersig at a1.net wrote:
> > > I believe one can obfuscate one's tty session such that you 
> > > might not really figure out what was done merely through a
> > > keystroke replay.
> > 
> > Ah, but if the only incoming channel of de-obfuscation code is itself
> > tapped, it's actually provably impossible to successfully 
> > obfuscate the code.

You need to know the state of the host in order to reconstruct fully
what happened given only a keystroke/output log.

> Right, and don't forget that ssh already provides strong 
> authentication, so that should be enough to be able to point a finger 
> at somebody and have the inquisition take over.  "What were you 
> uploading there?"

Yes, obfuscation ought to raise eyebrows. Can you write heuristic
algorithms for detection of obfuscation? I bet most of us humans can
detect obfuscation with sufficient accuracy.

> > As I've been saying, often the "enemy" is lack of documentation and
> > accountability, not an active attacker.  Production machines need 
> > histories of who did what when.

Can't log everything. You cannot know everything there is to know about
your systems.

> That's exactly my point.  Providing a secure, stable, shared computing 
> environment to untrusted users is nearly impossible, so we don't have 
> to go that way (but it's of course interesting to talk about it).  If I 
> had to do this, I'd run multiple virtual machines and give every user 
> her own.  Proper load-balancing and quotas does the rest...

:)

Deterrence through controls, logging and monitoring that enable decent
post-mortems and some IDS along with decent restore capabilities.

> So I'll summarize my wishes:  per-connection logging of what gets sent 
> from the client to the server.  When a connection gets accepted, a 
> logfile is created in a logdir whose filename contains a timestamp, pid 
> of the sshd process that handles the connection, if a terminal is 
> requested, authenticated user name and hostname from where the 
> connection came.  If the session uses a tty, a timestamp is written 
> periodically to the logfile (once a minute) to give an indication what 
> happened when.  X forwarding could be logged the same way, as well as 
> other forwarded ports.

You mean per-channel, per-connection. SSHv2 supports multiple channels
and what not. Do you want to log each packet in cleartext and with
timestamps? Or just a stream of bytes for each channel direction? If the
former then you'll need a replay tool.

> Anybody from the openssh developer team reading this?

I hope so. I do think that channel logging could be very useful.


> Roland
> --
> RGiersig at cpan.org


Cheers,

Nico
-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-


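The per-channel, per-direction log with timestamps that the thread discusses, together with the replay tool Nico says such a log would need, as an added example written for this page: it is not OpenSSH code and not anything posted in the thread. The SSHLOG1 framing, the key=value header carrying the fields Roland asks for (user, host, pid, tty), the function names and the sample session are all assumptions; the entropy function is one crude answer to the obfuscation-heuristic question, not a claim from the post.

```python
# Added example (not OpenSSH code): per-channel, per-direction session log
# with timestamps, the replay tool it needs, and a crude obfuscation heuristic.
import math
import struct
import time
from collections import defaultdict

MAGIC = b"SSHLOG1\n"                 # assumed file format marker
C2S, S2C = 0, 1                      # direction: client->server, server->client
# Frame: u64 timestamp (ns), u32 channel id, u8 direction, u32 length, payload.
FRAME = struct.Struct("!QIBI")


class ChannelLogWriter:
    """One connection's log, kept in memory here (a real logger would append to a file)."""

    def __init__(self, user, host, pid, tty):
        header = f"user={user} host={host} pid={pid} tty={int(tty)}\n".encode()
        self.buf = bytearray(MAGIC) + struct.pack("!I", len(header)) + header

    def record(self, channel, direction, data, ts_ns=None):
        ts = time.time_ns() if ts_ns is None else ts_ns
        self.buf += FRAME.pack(ts, channel, direction, len(data)) + data

    def getvalue(self):
        return bytes(self.buf)


def parse_log(blob):
    """Return (metadata dict, list of (ts_ns, channel, direction, payload))."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a session log")
    off = len(MAGIC)
    (hlen,) = struct.unpack_from("!I", blob, off)
    off += 4
    meta = dict(kv.split("=", 1) for kv in blob[off:off + hlen].decode().split())
    off += hlen
    records = []
    while off < len(blob):
        if len(blob) - off < FRAME.size:
            raise ValueError("truncated frame header")
        ts, ch, d, n = FRAME.unpack_from(blob, off)
        off += FRAME.size
        payload = blob[off:off + n]
        if len(payload) != n:
            raise ValueError("truncated payload")   # log cut off mid-record
        off += n
        records.append((ts, ch, d, payload))
    return meta, records


def reconstruct_streams(records):
    """Concatenate payloads into one byte string per (channel, direction)."""
    streams = defaultdict(bytearray)
    for _, ch, d, payload in records:
        streams[(ch, d)] += payload
    return {k: bytes(v) for k, v in streams.items()}


def replay(records, speed=0.0):
    """Walk records in order. speed>0 sleeps to reproduce the captured timing
    (1.0 = real time); speed=0 just returns (ms since start, channel, dir, data)."""
    if not records:
        return []
    t0 = prev = records[0][0]
    timeline = []
    for ts, ch, d, payload in records:
        if speed > 0:
            time.sleep(max(0, ts - prev) / 1e9 / speed)
        prev = ts
        timeline.append(((ts - t0) // 1_000_000, ch, d, payload))
    return timeline


def entropy_bits_per_byte(data):
    """Crude obfuscation heuristic: typed commands score well below base64 (~6) or raw blobs (~8)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_sample_log():
    """Constructed sample session (not a real capture): interactive shell on
    channel 0, a forwarded port on channel 1."""
    w = ChannelLogWriter("roland", "client.example.net", 4242, tty=True)
    t = 1_015_998_000_000_000_000      # arbitrary start time in epoch ns
    w.record(0, C2S, b"ls -la\n", t)
    w.record(0, S2C, b"total 8\n-rw-r--r-- 1 roland users 42 Mar 12 11:58 notes\n", t + 50_000_000)
    w.record(0, C2S, b"cat /etc/passwd\n", t + 3_000_000_000)
    w.record(0, S2C, b"root:x:0:0:root:/root:/bin/sh\n", t + 3_020_000_000)
    w.record(1, C2S, b"GET / HTTP/1.0\r\n\r\n", t + 5_000_000_000)
    w.record(1, S2C, b"HTTP/1.0 200 OK\r\n\r\n", t + 5_100_000_000)
    return w.getvalue()
```

`parse_log(build_sample_log())` returns the header fields plus six records; `replay` on those records gives offsets of 0, 50, 3000, 3020, 5000 and 5100 ms, and `reconstruct_streams` yields `b"ls -la\ncat /etc/passwd\n"` for channel 0 client-to-server. Per-record timestamps make the periodic once-a-minute marker unnecessary, and a truncated log raises rather than silently dropping the tail, which matters when the log is the evidence in a post-mortem.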
More information about the openssh-unix-dev mailing list