CentOS - Jan 2012 - 'last' command doesn't include ssh connections made by this perl script?

My home machine has IP 50.54.225.130.  I have (for the purposes of this
experiment) one remote machine at www.peacefire.org (69.72.177.140) and
another at www.junkwhale.com.

When I'm logged in to peacefire, I run this perl script to open an ssh
connection to junkwhale and run a command:

my $hostname="www.junkwhale.com";
my $server_password = "[redacted!]";
use Net::SFTP;
use Net::SSH::Perl;
my $ssh = Net::SSH::Perl->new($hostname);
$ssh->login("root", $server_password);
my($stdout, $stderr, $exit) = $ssh->cmd("pwd");
print "Stdout: $stdout\n";
print "Stderr: $stderr\n";

If I then log in by ssh to junkwhale from my home computer and run
grep 'Accepted password' /var/log/secure
the last two lines are:
Jan  2 13:23:17 e2180-20059 sshd[12635]: Accepted password for root from
69.72.177.140 port 1023 ssh2
Jan  2 13:23:28 e2180-20059 sshd[12684]: Accepted password for root from
50.54.225.130 port 52484 ssh2

which is correct -- the first line is from the perl script connecting from
Peacefire (69.72.177.140) and the second line is for the connection I just
opened from my home computer.

If, however, I run the "last" command, the first two lines are just:
root     pts/0        50-54-225-130.ev Mon Jan  2 13:23   still logged in
root     pts/0        50-54-225-130.ev Mon Jan  2 01:52 - 01:52  (00:00)

In other words, the "last" command doesn't list the connection
opened up by
the Perl script.  It only lists the times that I've connected by opening a
connection manually with my SSH client.  Presumably that means the
connection with the perl script is not being logged in /var/log/wtmp ,
although the contents of the file are binary so I couldn't make much sense
of them directly with a screen dump.

This makes me wonder two things:
1) What is the difference, from the server's point of view, between the
connection opened by the script and the one opened by my ssh client; and
2) More seriously, whatever it is that's different about the connection
opened by the perl script, isn't it a bug that that connection is not
recorded in wtmp?  If admins frequently use the "last" command to
determine
who has logged into the server, couldn't an attacker do this to avoid
detection?

Bennett

On 01/02/2012 03:04 PM, Bennett Haselton wrote:
> My home machine has IP 50.54.225.130.  I have (for the purposes of this
> experiment) one remote machine at www.peacefire.org (69.72.177.140) and
> another at www.junkwhale.com.
In general it is better not to post actual hostnames and IP addresses on
public lists.  Doing so can invite further attacks, particularly if your
posting exposes vulnerabilities in your system.
> When I'm logged in to peacefire, I run this perl script to open an ssh
> connection to junkwhale and run a command:
>
> my $hostname="www.junkwhale.com";
> my $server_password = "[redacted!]";
> use Net::SFTP;
> use Net::SSH::Perl;
> my $ssh = Net::SSH::Perl->new($hostname);
> $ssh->login("root", $server_password);
> my($stdout, $stderr, $exit) = $ssh->cmd("pwd");
> print "Stdout: $stdout\n";
> print "Stderr: $stderr\n";
>
> If I then log in by ssh to junkwhale from my home computer and run
> grep 'Accepted password' /var/log/secure
> the last two lines are:
> Jan  2 13:23:17 e2180-20059 sshd[12635]: Accepted password for root from
> 69.72.177.140 port 1023 ssh2
> Jan  2 13:23:28 e2180-20059 sshd[12684]: Accepted password for root from
> 50.54.225.130 port 52484 ssh2
>
> which is correct -- the first line is from the perl script connecting from
> Peacefire (69.72.177.140) and the second line is for the connection I just
> opened from my home computer.
>
> If, however, I run the "last" command, the first two lines are
just:
> root     pts/0        50-54-225-130.ev Mon Jan  2 13:23   still logged in
> root     pts/0        50-54-225-130.ev Mon Jan  2 01:52 - 01:52  (00:00)
>
> In other words, the "last" command doesn't list the
connection opened up by
> the Perl script.  It only lists the times that I've connected by
opening a
> connection manually with my SSH client.  Presumably that means the
> connection with the perl script is not being logged in /var/log/wtmp ,
> although the contents of the file are binary so I couldn't make much
sense
> of them directly with a screen dump.
>
> This makes me wonder two things:
> 1) What is the difference, from the server's point of view, between the
> connection opened by the script and the one opened by my ssh client; and
> 2) More seriously, whatever it is that's different about the connection
> opened by the perl script, isn't it a bug that that connection is not
> recorded in wtmp?  If admins frequently use the "last" command to
determine
> who has logged into the server, couldn't an attacker do this to avoid
> detection?
The connection opened by the script is not considered an interactive
login on a terminal device and is therefore not reported by last.  Would
be nice if there was a way to have sshd log the command line that was
executed for non-interactive connections, but I don't see a way to do
that.  The reality is that the log files really need to be monitored.

Nataraj

On Mon, Jan 02, 2012 at 03:04:07PM -0800, Bennett Haselton
wrote:
> This makes me wonder two things:
> 1) What is the difference, from the server's point of view, between the
> connection opened by the script and the one opened by my ssh client; and
Spot the difference between
  ssh remotemachine
and
  ssh remotemachine echo hello

The first is a login (shows up in "last"), the second is not.   Your
perl
script does the moral equivalent of the second.

-- 

rgds
Stephen