Hello OpenSSH developers and users!

My client uses wtmp information to determine past logins through ssh into
their production environment. It seems sftp does not write into wtmp, and
thus, it is not possible to list past sftp sessions. To make this happen
I can see several options:

1. We write a custom tool to analyze auth.log to determine past sessions.
   This is not useful for the ssh community in general.

2. We create an sftp wrapper tool that writes to wtmp and executes
   sftp-server by setting "Subsystem sftp /usr/lib/openssh/sftp-server"
   as the wrapper executable in sshd_config.

3. We write an extension to sshd that can be enabled with a configuration
   variable that instructs sftp to write to wtmp so that it would do it
   by default.

Are there concerns about option 3? Could such a feature be accepted into
sftp?

Thanks!

Best regards,
Heikki Orsila

On Tue, 1 Dec 2020, Heikki Orsila wrote:

> It seems sftp does not write into wtmp, and

That's correct; wtmp is for (pseudo-)terminal logins.

bye,
//mirabilos
--
15:41⎜<Lo-lan-do:#fusionforge> Somebody write a testsuite for helloworld :-)

On Tue, Dec 01, 2020 at 06:09:00PM +0200, Heikki Orsila wrote:

> Hello OpenSSH developers and users!
>
> My client uses wtmp information to determine past logins through ssh into
> their production environment. It seems sftp does not write into wtmp, and

You'll also find things like ssh remotehost /bin/sh -i also don't write
to wtmp.

wtmp is totally unsuitable to be used as a tool to determine past logins.

--
rgds
Stephen

Heikki Orsila wrote:

> My client uses wtmp information to determine past logins through ssh into
> their production environment. It seems sftp does not write into wtmp, and
> thus, it is not possible to list past sftp sessions. To make this happen
> I can see several options:
>
> 1. We write a custom tool to analyze auth.log to determine past sessions.
> This is not useful for the ssh community in general.

I am scanning the /var/log/auth.log file for this information. That's
where the information is logged.

Bob

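A sketch of the auth.log approach discussed above (option 1), added here as an example; it is not code from any poster in this thread or from OpenSSH. It assumes sftp-server is started with `-l INFO` so that it logs "session opened/closed" lines, and that syslog uses the traditional timestamp format; the log lines, host name and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in traditional syslog format (no year in the timestamp).
SAMPLE_LOG = """\
Dec  1 18:09:00 prod1 sshd[4310]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Dec  1 18:09:01 prod1 sftp-server[4321]: session opened for local user alice from [192.0.2.10]
Dec  1 18:11:30 prod1 sftp-server[4388]: session opened for local user bob from [198.51.100.7]
Dec  1 18:15:42 prod1 sftp-server[4321]: session closed for local user alice from [192.0.2.10]
Dec  1 18:20:00 prod1 sshd[4400]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
"""

# Only sftp-server's own open/close messages are matched; other lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sftp-server\[(?P<pid>\d+)\]: session (?P<event>opened|closed) "
    r"for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]$"
)

def sftp_sessions(log_text, year):
    """Pair open/close events by (host, pid); return sessions in open order."""
    open_by_key, sessions = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["host"], m["pid"])
        if m["event"] == "opened":
            s = {"user": m["user"], "addr": m["addr"], "host": m["host"],
                 "pid": int(m["pid"]), "start": when, "end": None}
            open_by_key[key] = s
            sessions.append(s)
        elif key in open_by_key:  # a close without a seen open is ignored
            open_by_key.pop(key)["end"] = when
    return sessions

def format_last(sessions):
    """Render sessions roughly the way last(1) lists wtmp entries."""
    rows = []
    for s in sessions:
        span = "no close record"  # still open, or the close was rotated away
        if s["end"] is not None:
            span = f"{s['end']:%H:%M} ({s['end'] - s['start']})"
        rows.append(f"{s['user']:<8} sftp {s['addr']:<15} {s['start']:%b %d %H:%M} - {span}")
    return rows

if __name__ == "__main__":
    print("\n".join(format_last(sftp_sessions(SAMPLE_LOG, 2020))))
```

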
Hello OpenSSH developers and users,

I implemented a tool that logs SFTP sessions into wtmp on GNU/Linux.
The tool makes SFTP sessions visible for commands like w and last.
It is available at:

https://github.com/Seravo/openssh-sftp-logging

I would be interested in hearing your comments. Please try it!
Please report if you need it or can't use it. I'm interested in fixing
any issues.

This is option 2 in the message that started this thread.

In the longer term, if there is interest for this feature, I would like to
implement option 3 as a configuration in ssh server. All sessions should
be optionally loggable (based on a configuration variable).

Best regards,
Heikki Orsila