Is there a way to log an entire lsh session; all input and output?
Esben Stien executiv@online.no writes:
> Is there a way to log an entire lsh session; all input and output?
The terminal input and output? There are no special lsh features for that. But you can use the good old "script" program.
Regards, /Niels
Esben Stien executiv@online.no writes:
> nisse@lysator.liu.se (Niels Möller) writes:
>> The terminal input and output? There are no special lsh features for that. But you can use the good old "script" program.
> Yes, but I want to use this for logging user ssh sessions.
You might be able to write some wrapper script or program to do that.
Actually, there's no system-wide configuration whatsoever for lsh (if you don't count compile time options). I tend to think about it (the client program, that is) as a plain user program, not a system service.
/Niels
nisse@lysator.liu.se (Niels Möller) writes:
> Actually, there's no system-wide configuration whatsoever for lsh (if you don't count compile time options). I tend to think about it (the client program, that is) as a plain user program, not a system service.
I kind of figured this as an option for lshd, not the client. I want to log all inbound ssh sessions on this computer. It would just write a file with data from each connection. It would be a nice feature though. Don't you think?
Esben Stien executiv@online.no writes:
> I kind of figured this as an option for lshd, not the client.
It would help if you spelled out precisely what it is you want; it's hard to guess that "log an entire lsh session" means a server-side configuration for lshd to log everybody's incoming ssh sessions.
Do you want all sessions, or just sessions that have a terminal and can be considered interactive? Logging rsync or sftp over lsh may not be a good idea.
I'm afraid there's no such flag in current lshd. The FascistLogging option of ssh1 is the closest thing I've heard of, but I've never tried it so I don't know exactly what it logs.
You may be able to do what you want by using a custom login shell, but it's probably not trivial to get it to work reliably and securely.
> It would be a nice feature though. Don't you think?
No, I don't think so. You may be able to change my mind by providing a reasonable usage scenario where the option really is useful.
Regards, /Niels
nisse@lysator.liu.se (Niels Möller) writes:
> It would help if you spelled out precisely what it is you want; it's hard to guess that "log an entire lsh session" means a server-side configuration for lshd to log everybody's incoming ssh sessions.
Sorry, I should have been more precise.
> Do you want all sessions, or just sessions that have a terminal and can be considered interactive? Logging rsync or sftp over lsh may not be a good idea.
I just want to log incoming interactive sessions that have a terminal. I have a great many users on my system and I want to log their activity. That means logging all input and output on the terminal.
>> It would be a nice feature though. Don't you think?
> No, I don't think so. You may be able to change my mind by providing a reasonable usage scenario where the option really is useful.
Do you think the description above is sufficient? I just want to log the users. Is this the wrong way to go about it?
Esben Stien executiv@online.no writes:
> I just want to log incoming interactive sessions that have a terminal. I have a great many users on my system and I want to log their activity. That means logging all input and output on the terminal.
I hope you have a good reason for doing that, but in general, I'd expect the user's terminal session to be private. Exceptions to that rule seem too rare to motivate an lshd option for logging terminal sessions.
The easiest way I can come up with is a custom login shell, which would do something like
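    #! /bin/sh

    # Real shell; script(1) starts $SHELL for the recorded session
    SHELL=/bin/bash
    export SHELL

    if [ -n "$SSH_TTY" ] ; then
      # Session has a terminal: record it
      unset SSH_TTY
      exec script "/var/log/foo-$USER-$$"
    else
      # No terminal: run the real shell directly
      exec "$SHELL" "$@"
    fi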
Install the script in /etc/passwd, or use the experimental --login-shell option to lshd. You may have to use a special setuid script program if you also want to prevent users from manipulating the script process or deleting the resulting logs.
Regards, /Niels
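A fuller version of the login-shell wrapper sketched in the last message, as an added example that is not part of the thread and not lsh code: it records only sessions that have a pty and passes rsync/sftp-style sessions straight to the real shell. The install name `logshell`, the log directory `/var/log/sessions`, and the use of the util-linux `script` options `-q`, `-f` and `-c` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from lsh.
# Assumptions: installed as "logshell", util-linux script(1), LOG_DIR exists.
REAL_SHELL=${REAL_SHELL:-/bin/bash}
LOG_DIR=${LOG_DIR:-/var/log/sessions}

# Classify a session. $1 = SSH_TTY value, rest = the wrapper's own arguments.
session_mode() {
    tty=$1; shift
    # No pty (rsync, sftp, plain remote commands): nothing to record.
    [ -z "$tty" ] && { echo passthrough; return; }
    # pty plus "-c command" (e.g. ssh -t host top): record that command.
    [ "${1:-}" = "-c" ] && [ "$#" -ge 2 ] && { echo log-command; return; }
    echo log-shell
}

# Per-session log path; the user name is reduced to filename-safe characters.
log_path() {
    user=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9._-')
    printf '%s/%s-%s-%s.log\n' "$LOG_DIR" "${user:-unknown}" "$2" "$3"
}

main() {
    SHELL=$REAL_SHELL; export SHELL   # script(1) starts $SHELL
    mode=$(session_mode "${SSH_TTY:-}" "$@")
    [ "$mode" = passthrough ] && exec "$REAL_SHELL" "$@"
    umask 077                         # log readable by its owner only
    log=$(log_path "${USER:-}" "$(date -u +%Y%m%dT%H%M%SZ)" "$$")
    unset SSH_TTY                     # as in the script posted in the thread
    # -q: no start/done banner, -f: flush after each write, -c: run one command
    [ "$mode" = log-command ] && exec script -q -f -c "$2" "$log"
    exec script -q -f "$log"
}

# Run only under the installed name, so the functions can be sourced and tested.
case "$0" in
    logshell|*/logshell) main "$@" ;;
esac
```

As with the sketch in the thread, this runs as the logged-in user, who therefore owns the log file; keeping users from altering or deleting it needs the kind of privileged helper mentioned in the last message.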