From: Bill Moran
To: questions@freebsd.org
Date: Sun, 19 Jun 2005 11:38:49 -0400
Subject: Detailed logging of ssh sessions
Message-Id: <20050619113849.3ae5cbad.wmoran@potentialtech.com>
Organization: Potential Technologies

I've been researching this, and so far haven't found a way to do what I want to do.

I have servers here and there, that should only be accessible by a limited number of administrators via ssh (i.e. mail and web servers, firewalls).

As an added security measure, I'd like to start logging everything that happens during any ssh login (since all our work on these machines is via ssh). I understand, and frequently use script(1), but I want this to be required.

I have two goals:

1) If someone manages to guess a password and break in, I want a log of what they're doing.
2) I want a 100% guarantee that everything we do is recorded, to make future debugging of configuration mistakes easier.

I've been researching sshd, and it doesn't seem as if it has this capability. Web searches have not yet turned up anything ... I'm guessing I'm not searching for the right phrases, since I can't believe I'm the only one doing this.

Any advice or pointers are welcome.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com