Log ssh sessions using open source tools

Konrad Bucheli kb at open.ch
Wed Mar 20 00:01:40 AEDT 2019


Hi

Thank you for the audit.
This issue has been rectified in the release v0.8.

Regards

Konrad

On 22.11.18 15:38, halfdog wrote:
> Hello,
> 
> Konrad Bucheli writes:
>> Hi,
>>
>> Did you check out log-user-session [1]? It can be used to record
>> the output of ssh shell sessions in a tamper-proof way. And
>> it is open source.
>> ...
>> [1] https://github.com/open-ch/log-user-session
> 
> Well, using a SUID-binary in that way partially eliminates the
> benefits of tamper-proof logging by increasing the attack surface,
> e.g. by allowing each user to create arbitrary files using directory
> traversal and symlink attacks, e.g. by calling
> 
> SSH_CLIENT="169.254.0.1/../../../../tmp/ 1234 22" /usr/local/bin/log-user-session 'echo "* * * * * root /usr/bin/touch /dead.txt"'
> 
> to start the directory traversal and lead to the problematic open
> missing O_NOFOLLOW
> 
> 5885  openat(AT_FDCWD, "/var/log/user-session/localhost-build-20181122-140817-169.254.0.1/../../../../tmp/-5883.log", O_WRONLY|O_CREAT|O_APPEND, 0400) = 3
> 
> Without symlink protection, linking the "-[guessable pid].log" file
> to "/etc/cron.d/dead" will give you root easily. Even with protection,
> something should be possible ...
> 
> 
> 
> I am currently also writing a tool for a similar reason. To be
> really tamper-proof, my solution is preloaded into SSH to intercept
> the encryption master key for each session, sends it to a daemon,
> that will use a public key to encrypt it and offload it to another
> machine. Together with the full-packet-captures of all SSH connections
> done by the network infrastructure, I would hope for a tamper-proof
> but still secure solution BUT (ha, ha, ha) - it is not ready yet.
> 
> Best regards,
> hd
> 
>> On 03.11.18 at 18:08, Kaushal Shriyan wrote:
>>> Hi,
>>>
>>> Are there any open source tools to keep track of ssh sessions?
>>> For example, if a specific user is ssh logging to remote server
>>> and what commands or scripts are being run. Basically, I need
>>> to log all users sessions.
>>>
>>> Thanks in Advance and I look forward to hearing from you.
>>>
>>> Best Regards,
>>>
>>> Kaushal
>>>
>>
>> -- konrad bucheli principal systems engineer
>>
>> open systems ag raeffelstrasse 29 ch-8045 zurich
>>
>> t: +41 58 100 10 10 f: +41 58 100 10 11 kb at open.ch
>>
>> http://www.open.ch
> 
> 
> 

-- 
konrad bucheli
principal systems engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich

t: +41 58 100 10 10
f: +41 58 100 10 11
kb at open.ch

http://www.open.ch
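
The two weaknesses named in the quoted report (a path component taken from SSH_CLIENT, and an open without O_NOFOLLOW) can be closed as in the following added example, which is not part of the original thread and is not log-user-session's code. The function names and the "<addr>-<pid>.log" naming are assumptions made for illustration; scoped IPv6 addresses with a "%zone" suffix are rejected by this strict check.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy the first field of SSH_CLIENT ("addr port port") into out, but only
 * if it parses as a numeric IPv4/IPv6 address. A value that passes cannot
 * contain '/' or "..", so it is safe to use inside a file name.
 * Returns 0 on success, -1 if the value is rejected. */
int client_addr_from_env(const char *ssh_client, char *out, size_t outlen)
{
    unsigned char buf[sizeof(struct in6_addr)];
    size_t n;

    if (ssh_client == NULL)
        return -1;
    n = strcspn(ssh_client, " ");
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, ssh_client, n);
    out[n] = '\0';
    if (inet_pton(AF_INET, out, buf) != 1 && inet_pton(AF_INET6, out, buf) != 1)
        return -1;
    return 0;
}

/* Create "<addr>-<pid>.log" (hypothetical naming) relative to an already
 * open log directory. The name is refused if it contains a '/', O_EXCL
 * refuses any pre-existing entry (a planted symlink included), and
 * O_NOFOLLOW refuses a symlink as the final path component.
 * Returns a file descriptor, or -1 on failure. */
int open_session_log(int dirfd, const char *addr, long pid)
{
    char name[128];
    int n = snprintf(name, sizeof name, "%s-%ld.log", addr, pid);

    if (n < 0 || (size_t)n >= sizeof name || strchr(name, '/') != NULL)
        return -1;
    return openat(dirfd, name,
                  O_WRONLY | O_CREAT | O_EXCL | O_APPEND | O_NOFOLLOW | O_CLOEXEC,
                  0400);
}
```

Validating the address before it reaches the path and opening relative to a directory descriptor are independent layers: either one alone stops the traversal shown in the quoted strace line, and O_EXCL with O_NOFOLLOW covers the guessable-name symlink case.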
