From: Bill Moran
To: Alex Zbyslaw
Cc: questions@freebsd.org
Date: Sun, 19 Jun 2005 18:48:21 -0400
Subject: Re: Detailed logging of ssh sessions

Alex Zbyslaw wrote:
> Bill Moran wrote:
>
> >I'd like to start logging everything that
> >happens during any ssh login (since all our work on these machines is
> >via ssh).  I understand, and frequently use script(1), but I want this
> >to be required.  I have two goals:
> >1) If someone manages to guess a password and break in, I want a log
> >   of what they're doing.
> >2) I want 100% guarantee that everything we do is recorded, to make
> >   future debugging of configuration mistakes easier.
> >
> >I've been researching sshd, and it doesn't seem as if it has this
> >capability.
>
> I think you're looking in the wrong place for this functionality.  SSH
> is just a point-to-point connector.  The functionality you want should
> come in some way from the login shell.

I suspected that might be the way to go, but I've been unable to get anything
working so far.

> If you really want this to be secure, the log files ought to be on a
> read-only medium.  If someone hacks root they can delete the trace

Logging is done both on and off-machine (i.e. syslog logs locally, and sends
the logs to a dedicated logging machine as well)  As long as I can use
syslog for the logging, I've got my secure logs.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
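One way to get the behaviour discussed in this message (recording done by the login shell, output sent to syslog), as an added example that is not part of the original thread: a Python wrapper installed as the account's login shell that runs the real shell on a pty and logs every displayed line. The `REAL_SHELL` path and the `sshsession` syslog tag are assumptions.

```python
import os
import pty
import sys
import syslog

REAL_SHELL = "/bin/sh"  # assumption: the shell users actually get


def record_session(argv, sink):
    """Run argv on a new pty, relay it to the caller's terminal, and pass
    every line the terminal displays to sink(). Returns the exit code."""
    buf = bytearray()

    def emit(raw):
        text = raw.rstrip(b"\r").decode("utf-8", "replace")
        # Replace control characters so escape sequences cannot forge or
        # corrupt log entries.
        text = "".join(c if c.isprintable() else "?" for c in text)
        if text:
            sink(text)

    def master_read(fd):
        # The tty echoes keystrokes, so this stream holds typed commands
        # as well as output; no-echo input such as passwords is absent.
        data = os.read(fd, 4096)
        buf.extend(data)
        *lines, rest = bytes(buf).split(b"\n")
        buf[:] = rest
        for line in lines:
            emit(line)
        return data

    status = pty.spawn(argv, master_read)
    if buf:  # final line without a trailing newline
        emit(bytes(buf))
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else 1


def syslog_sink(user):
    """Build a sink that writes each line to syslog (facility auth)."""
    syslog.openlog("sshsession", syslog.LOG_PID, syslog.LOG_AUTH)
    return lambda line: syslog.syslog(syslog.LOG_INFO, f"{user}: {line}")


if __name__ == "__main__":
    # Installed as the account's login shell, so sshd's arguments
    # (for example "-c command") are passed through unchanged.
    user = os.environ.get("USER", "unknown")
    sys.exit(record_session([REAL_SHELL] + sys.argv[1:], syslog_sink(user)))
```

The wrapper runs with the user's own privileges, so the copy that syslog forwards to the dedicated logging machine is the one to rely on after a compromise.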