Selective and efficient logging of auth/connection information

Christian Winter bitpoet at linux-config.de
Fri Sep 18 16:02:10 EST 2009


Hello everyone,

this is my first mail to the list, please forgive me if some of my
questions have been asked before. I'm currently thinking about a way to
implement an efficient logging method for authentication results together
with client connection info on my linux boxes. My aim is to circumvent
expensive and delayed mechanisms like tail()ing syslog to get to the
required info and be able to take appropriate action (like blocking
a host via the firewall) as quick as possible.

So I thought about implementing a simple daemon that listens on a
Unix Fifo and gets fed the necessary parts from opensshd in a concise
single-line format. The reason for using a Fifo is simply speed, but
I'm not a hundred percent sure yet whether a local socket might be a
better approach (have to play the different locking/blocking/timing
scenarios through my head). Digging through the sources I stumbled over
the audit modules and thought about hooking into that, but it seems that
there are two downsides to that approach:
- It looks as if audit doesn't really have access to the client connection
  information at the time it can log connection info
- I don't see a way to add configuration parameters for audit modules
  to sshd_config without patching the main source (readconf/serverconf)

But maybe the things I want are already there and I'm just overlooking
them; if so, I'd be grateful for any pointers in the right direction.
If it's not there, I'd be willing to invest some time to add the necessary
functionality and would welcome all thoughts about the correct approach.

Best Greetings
-Chris
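As an added illustration of the consumer side of the design sketched above (not code from the poster or from OpenSSH), here is a minimal FIFO-fed daemon: it parses an assumed single-line event format, keeps a sliding window of failures per client address, and hands a block decision to a callback. The `<epoch> <ok|fail> <user> <ip> <port>` line format, the thresholds and the `/run/sshauth.fifo` path are assumptions, not anything sshd emits today.

```python
import collections
import os

# Assumed single-line event format fed through the FIFO (hypothetical, not OpenSSH's own):
#   "<epoch> <ok|fail> <user> <client_ip> <client_port>"
# e.g. "1253300000 fail root 203.0.113.5 51234"
THRESHOLD = 5      # failures per window before a host is flagged for blocking
WINDOW = 600       # sliding window in seconds

def parse_event(line):
    """Parse one event line; return a dict, or None for a malformed line."""
    parts = line.strip().split()
    if len(parts) != 5:
        return None
    ts, result, user, ip, port = parts
    if result not in ("ok", "fail") or not ts.isdigit() or not port.isdigit():
        return None
    return {"ts": int(ts), "result": result, "user": user, "ip": ip, "port": int(port)}

class FailureTracker:
    """Counts authentication failures per client IP inside a sliding time window."""
    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.failures = collections.defaultdict(collections.deque)  # ip -> timestamps
        self.blocked = set()

    def feed(self, event):
        """Record one event; return the IP the first time it crosses the threshold."""
        if event["result"] != "fail":
            return None                     # successes are logged upstream, not counted here
        ip, ts = event["ip"], event["ts"]
        q = self.failures[ip]
        q.append(ts)
        while q and q[0] < ts - self.window:  # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            return ip
        return None

def serve(fifo_path, tracker, on_block):
    """Read event lines from the FIFO forever; call on_block(ip) for each new decision."""
    if not os.path.exists(fifo_path):
        os.mkfifo(fifo_path, 0o600)
    # O_RDWR keeps the read end from hitting EOF every time the writer (sshd) closes it.
    with open(os.open(fifo_path, os.O_RDWR), "r") as fifo:
        for line in fifo:
            event = parse_event(line)
            if event is None:
                continue                    # ignore garbage rather than crash the daemon
            ip = tracker.feed(event)
            if ip:
                on_block(ip)                # e.g. insert a firewall rule for this address

if __name__ == "__main__":
    serve("/run/sshauth.fifo", FailureTracker(), lambda ip: print("block", ip))
```

`on_block` is where the firewall action from the post would go; keeping it a callback keeps the FIFO reader itself free of blocking calls.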
