Hi all,

I am not 100% sure if this is a -dev or a -user topic, but I am leaning towards the former. Feel free to cuss at me and tell me to ask -user, instead.

I used to run a patchset that allowed full logs of everything taking place via OpenSSH. This also allowed me to replay any session, live or after the fact.

I am fully aware of the security implications of logging everything, especially regarding passwords.

Still, in this specific case, I need full logs due to due diligence requirements.

Is anyone aware of such a patchset or another way to achieve this goal?

Thanks,
Richard
On Wed, Jan 11, 2012 at 7:02 AM, Richard Hartmann <richih.mailinglist at gmail.com> wrote:
> Hi all,
>
> I am not 100% sure if this is a -dev or a -user topic, but I am
> leaning towards the former. Feel free to cuss at me and tell me to ask
> -user, instead.
>
> I used to run a patchset that allowed full logs of everything taking
> place via OpenSSH. This also allowed me to replay any session, live or
> after the fact.
>
> I am fully aware of the security implications of logging everything,
> especially regarding passwords.
>
> Still, in this specific case, I need full logs due to due diligence
> requirements.
>
> Is anyone aware of such a patchset or another way to achieve this goal?

Talk to Centrify, at www.centrify.com. They've got a fascinating toolkit for integrating Active Directory authentication with Linux and UNIX authentication, and due diligence tools for monitoring sessions. Can't remember if they modified the sshd this way, but they certainly had tweaked logins for such keystroke monitoring.

You might also have a word with Sandstorm Enterprises, the company that makes NetInterceptor, about man-in-the-middle against SSH. Their tools are pricey, but scary useful for due diligence monitoring and debugging. I'm not sure whether they can carry out man-in-the-middle SSH sessions without easy detection.
Richard Hartmann wrote:
> * In the shell:
> Needs to wrap around all shells or forces us to patch at least zsh and
> bash and then thoroughly disable chsh.

Did you look at snoopy?

//Peter
On Fri, Jan 13, 2012 at 10:35, Peter Stuge <peter at stuge.se> wrote:
> Did you look at snoopy?

Yes. It logs executions, not in- and output.

Richard
I know that this suggestion isn't part of openssh, but I use it daily and it works.

Install or use one of the later revs of sudo which incorporates the sudoreplay feature. Make sure the sudoers file is configured to enable capture of I/O. These are the entries I use:

    Defaults log_output,log_input
    Defaults!/usr/bin/sudoreplay !log_output,!log_input
    Defaults!/usr/sbin/reboot !log_output

Then sudo to yourself, and proceed to ssh to wherever you'd like to go. Your entire session will be captured.

To list your logs, use

    sudo sudoreplay -l

To replay a session, use

    sudo sudoreplay sessionid

Hope this helps.
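With the sudoers setup above, the audit side of the job is picking the right session IDs out of `sudoreplay -l` before replaying them. The following is an added example (not code from the thread or from the sudo project) that parses a constructed listing and returns the TSIDs of captured ssh sessions, optionally narrowed by target host and time window; the listing layout ("date : user : KEY=value ; ...") is assumed from sudoreplay's list mode, and the hostnames and TSIDs are made up.

```python
import os
import re
from datetime import datetime

# Constructed sample of `sudoreplay -l` output; the line layout is assumed
# from sudoreplay's list mode. Per the sudoers above, sudoreplay itself
# is not logged, while reboot keeps an input log and so still appears.
SAMPLE_LISTING = """\
Jan 11 09:02:17 2012 : richard : TTY=/dev/pts/0 ; CWD=/home/richard ; USER=richard ; TSID=000001 ; COMMAND=/usr/bin/ssh db01.example.net
Jan 11 09:40:05 2012 : richard : TTY=/dev/pts/1 ; CWD=/home/richard ; USER=richard ; TSID=000002 ; COMMAND=/bin/ls /var/log
Jan 12 14:11:53 2012 : alice : TTY=/dev/pts/2 ; CWD=/home/alice ; USER=alice ; TSID=000003 ; COMMAND=/usr/bin/ssh -p 2222 web01.example.net
Jan 12 15:00:00 2012 : richard : TTY=/dev/pts/0 ; CWD=/home/richard ; USER=root ; TSID=000004 ; COMMAND=/usr/sbin/reboot
"""

LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<user>\S+) : (?P<fields>.+)$"
)


def parse_listing(text):
    """Turn `sudoreplay -l` lines into dicts: 'invoker' (who ran sudo),
    'when' (datetime) and the upper-case KEY=value fields (USER is run-as)."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a session entry (blank line, header, etc.)
        entry = {
            "invoker": m.group("user"),
            "when": datetime.strptime(" ".join(m.group("date").split()), "%b %d %H:%M:%S %Y"),
        }
        for field in m.group("fields").split(" ; "):
            key, _, value = field.partition("=")
            entry[key] = value
        sessions.append(entry)
    return sessions


def ssh_sessions(sessions, host=None, start=None, end=None):
    """TSIDs of captured ssh sessions, optionally narrowed to a target host
    and an ISO-8601 window; each TSID is what `sudo sudoreplay <TSID>` takes."""
    lo = datetime.fromisoformat(start) if start else datetime.min
    hi = datetime.fromisoformat(end) if end else datetime.max
    tsids = []
    for s in sessions:
        argv = s.get("COMMAND", "").split()
        if not argv or os.path.basename(argv[0]) != "ssh":
            continue  # only sessions that went somewhere over ssh
        if host is not None and host not in argv[1:]:
            continue
        if lo <= s["when"] <= hi:
            tsids.append(s["TSID"])
    return tsids
```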