From owner-freebsd-questions@FreeBSD.ORG Sun Jun 19 21:58:39 2005
Message-ID: <42B5EA8D.2050209@dial.pipex.com>
Date: Sun, 19 Jun 2005 22:58:37 +0100
From: Alex Zbyslaw
To: Bill Moran
Cc: questions@freebsd.org
Subject: Re: Detailed logging of ssh sessions
References: <20050619113849.3ae5cbad.wmoran@potentialtech.com>
In-Reply-To: <20050619113849.3ae5cbad.wmoran@potentialtech.com>

Bill Moran wrote:
> I'd like to start logging everything that happens during any ssh login (since all our work on these machines is via ssh). I understand, and frequently use script(1), but I want this to be required. I have two goals:
> 1) If someone manages to guess a password and break in, I want a log of what they're doing.
> 2) I want 100% guarantee that everything we do is recorded, to make future debugging of configuration mistakes easier.
>
> I've been researching sshd, and it doesn't seem as if it has this capability.

I think you're looking in the wrong place for this functionality. SSH is just a point-to-point connector. The functionality you want should come in some way from the login shell. Whether some shell out there already does this, or whether you could just use script itself somehow, I couldn't tell you.

I'd just experiment with using script in some way -- perhaps writing a C program to be the shell which forks and execs script with suitable parameters such as a filename based on the date, tty, user etc. Or starting with script and modifying it to work as a login shell which did that stuff.

If you really want this to be secure, the log files ought to be on a read-only medium. If someone hacks root they can delete the trace.

--Alex
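The wrapper-shell idea from the reply above, as an added example that is not from the thread or from FreeBSD: a small C program installed as the login shell that builds a log name from user, date and tty, then execs script(1) over the real shell. It assumes FreeBSD's script(1) flags (-a append, -q quiet, -k log keystrokes too), a hypothetical log directory /var/log/sessions, and /bin/sh as the wrapped shell.

```c
/* Hypothetical login-shell wrapper: records every session via script(1).
 * Assumptions: FreeBSD script(1) flags, LOG_DIR exists and is root-owned. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <pwd.h>

#define REAL_SHELL "/bin/sh"            /* assumption: the shell being wrapped */
#define LOG_DIR    "/var/log/sessions"  /* assumption: append-only or remote */

/* Keep only the last path component of a tty name ("/dev/ttyp0" -> "ttyp0"). */
static void tty_basename(const char *tty, char *out, size_t n) {
    const char *p = strrchr(tty, '/');
    snprintf(out, n, "%s", p ? p + 1 : tty);
}

/* Build "<dir>/<user>-<YYYYmmdd-HHMMSS>-<tty>.log"; 0 on success, -1 if truncated. */
int build_log_path(char *buf, size_t n, const char *dir, const char *user,
                   const char *tty, const struct tm *when) {
    char stamp[32], t[64];
    strftime(stamp, sizeof stamp, "%Y%m%d-%H%M%S", when);
    tty_basename(tty, t, sizeof t);
    return snprintf(buf, n, "%s/%s-%s-%s.log", dir, user, stamp, t) < (int)n ? 0 : -1;
}

int main(int argc, char **argv) {
    struct passwd *pw = getpwuid(getuid());
    const char *tty = ttyname(STDIN_FILENO);   /* NULL for non-interactive ssh */
    time_t now = time(NULL);
    char path[256];

    if (!pw || build_log_path(path, sizeof path, LOG_DIR, pw->pw_name,
                              tty ? tty : "notty", localtime(&now)) != 0)
        return 1;
    /* script(1) runs $SHELL when given no command; without this it would
     * re-exec this wrapper forever, since sshd sets SHELL to the login shell. */
    setenv("SHELL", REAL_SHELL, 1);
    if (argc == 3 && strcmp(argv[1], "-c") == 0)
        /* "ssh host cmd" (and scp/sftp) invoke the login shell as: -c cmd */
        execl("/usr/bin/script", "script", "-a", "-q", "-k", path,
              REAL_SHELL, "-c", argv[2], (char *)NULL);
    else
        execl("/usr/bin/script", "script", "-a", "-q", "-k", path, (char *)NULL);
    perror("script");   /* only reached if exec failed */
    return 1;
}
```

Because -k records keystrokes, anything typed at a password prompt inside the session lands in the log, so the log directory needs the same protection as the point Alex makes about root being able to delete the trace.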