From: user
To: "Andrew P."
Cc: freebsd-questions@freebsd.org
Date: Tue, 25 Oct 2005 19:52:42 -0400 (EDT)
Subject: Re: traffic accounting per username with ipfw in 5.4 ? (more)

On Tue, 25 Oct 2005, Andrew P. wrote:

> ipfw looks at the owner of a process, sshd in your
> case. If you really need to account the
> not-locally-initiated ssh traffic, start another sshd
> running as the user (on another port), and connect to that
> port [you can easily allow a user to connect only
> to a selected server by editing sshd_config's].
>
> Anyway, try thinking logically. How ipfw could
> ever know what user traffic belongs to if all
> authentication is handled by sshd internally.
> Otherwise, it would be a security hole (though
> some actions can certainly be logged to
> limited-access log files).
>
> Hassle-free solutions, i.e. complex accounting
> systems, come for money. Though, whatever
> problem you might have, I'm sure somehow that
> there's another way.

I am open to suggestions :)

Basically I have a system that is accessible via ssh _only_, and I need to find out how much ssh traffic each individual user is generating (both send and receive) over ssh. There is a large enough population of users that one sshd/user is not workable.

So, it turns out there is a patch for OpenSSH that does per-user traffic accounting, which makes sense, since the sshd does know all that I am trying to ask of it. The only drawbacks are that the patch is unsupported (apparently the OpenSSH developer is philosophically opposed to traffic counting in sshd (?)), and it does not count aborted transactions (so you could upload a few gigs, and then drop off, and that doesn't get counted).

So that is one solution ... can you think of any other ways to count per-user traffic, if it is a given that it is all only ssh?

thanks.