
sftp and wtmp support
Hello OpenSSH developers and users!

My client uses wtmp information to determine past logins through ssh into
their production environment. It seems sftp does not write into wtmp, and
thus, it is not possible to list past sftp sessions. To make this happen
I can see several options:

1. We write a custom tool to analyze auth.log to determine past sessions.
This is not useful for ssh community in general.

2. We create an sftp wrapper tool that writes to wtmp and executes sftp-server
by setting "Subsystem sftp /usr/lib/openssh/sftp-server" as the
wrapper executable in sshd_config.

3. We write an extension to sshd that can be enabled with a configuration
variable that instructs sftp to write to wtmp so that it would do it by
default.

Are there concerns about option 3? Could such a feature be accepted into
sftp?

Thanks!

Best regards,

Heikki Orsila
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: sftp and wtmp support
On Tue, 1 Dec 2020, Heikki Orsila wrote:

> It seems sftp does not write into wtmp, and

That’s correct; wtmp is for (pseudo?)terminal logins.

bye,
//mirabilos
--
15:41 <Lo-lan-do:#fusionforge> Somebody write a testsuite for helloworld :-)
Re: sftp and wtmp support
On Tue, Dec 01, 2020 at 06:09:00PM +0200, Heikki Orsila wrote:
> Hello OpenSSH developers and users!
>
> My client uses wtmp information to determine past logins through ssh into
> their production environment. It seems sftp does not write into wtmp, and

You'll also find things like
ssh remotehost /bin/sh -i
also don't write to wtmp.

wtmp is totally unsuitable to be used as a tool to determine past logins.

--

rgds
Stephen
Re: sftp and wtmp support
Heikki Orsila wrote:
> My client uses wtmp information to determine past logins through ssh into
> their production environment. It seems sftp does not write into wtmp, and
> thus, it is not possible to list past sftp sessions. To make this happen
> I can see several options:
>
> 1. We write a custom tool to analyze auth.log to determine past sessions.
> This is not useful for ssh community in general.

I am scanning the /var/log/auth.log file for this information. That's
where the information is logged.

Bob
Re: sftp and wtmp support
On Wed, Dec 02, 2020 at 02:08:26PM -0700, Bob Proulx wrote:
> Heikki Orsila wrote:
> > My client uses wtmp information to determine past logins through ssh into
> > their production environment. It seems sftp does not write into wtmp, and
> > thus, it is not possible to list past sftp sessions. To make this happen
> > I can see several options:
> >
> > 1. We write a custom tool to analyze auth.log to determine past sessions.
> > This is not useful for ssh community in general.
>
> I am scanning the /var/log/auth.log file for this information. That's
> where the information is logged.

Do you have this tool available somewhere?

A configuration option to instruct sshd to write to wtmp no matter what
session is in question would be useful.

Is there an objection from the developers to have this kind of option?

--
Heikki Orsila
heikki.orsila@zakalwe.fi
http://www.iki.fi/shd
Re: sftp and wtmp support
Heikki Orsila wrote:
> Bob Proulx wrote:
> > I am scanning the /var/log/auth.log file for this information. That's
> > where the information is logged.
>
> Do you have this tool available somewhere?

My use is ad-hoc scanning with awk, grep, sed, perl. So not really a
general purpose tool. But the format is simple and not too difficult.

Here is an example. This might not be completely correct but it has been
sufficient for my needs. YMMV.

Dec 2 18:58:55 havoc sshd[24031]: Accepted publickey for teaclub from 63.224.80.128 port 44854 ssh2: RSA SHA256:Nab5H8iLOWfU704AhqiYQkiX8T5ADv2a83uCw/vQLL0
Dec 2 18:58:55 havoc sshd[24031]: pam_unix(sshd:session): session opened for user teaclub by (uid=0)

The sshd is recording the process that is now parenting that process
tree. In this case it is 24031. Then that same process is logged
through PAM starting a session. Then later that session is closed.

Dec 2 20:18:26 havoc sshd[24031]: pam_unix(sshd:session): session closed for user teaclub

In my case I am tracking only public key logins. I have a perl script
which reads the log file line by line. It looks for lines that match
the /Accepted publickey for/ pattern. It extracts the sshd pid. It
then reads lines looking for that sshd pid looking for the session
open. And then later for the session close. (Note that after the
session is closed the pid may be reused.) The session open and close
information logged there provides the information I needed.

Bob
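The correlation Bob describes, written out as an added Python example (it is not his perl script and not OpenSSH project code): match "Accepted ... for", take the sshd pid, then attach the PAM "session opened" and "session closed" lines carrying that pid. The log lines are constructed in auth.log format, and pid 24031 is deliberately reused by a later login so the close event, not the pid alone, bounds each session.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample in auth.log format (not the thread's real lines); sshd pid
# 24031 is deliberately reused by a later login after its first session closes.
SAMPLE_LOG = """\
Dec  2 18:58:55 havoc sshd[24031]: Accepted publickey for teaclub from 192.0.2.10 port 44854 ssh2: RSA SHA256:EXAMPLEFPR
Dec  2 18:58:55 havoc sshd[24031]: pam_unix(sshd:session): session opened for user teaclub by (uid=0)
Dec  2 19:10:02 havoc sshd[24100]: Accepted password for alice from 198.51.100.7 port 50122 ssh2
Dec  2 19:10:02 havoc sshd[24100]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Dec  2 19:45:30 havoc sshd[24100]: pam_unix(sshd:session): session closed for user alice
Dec  2 20:18:26 havoc sshd[24031]: pam_unix(sshd:session): session closed for user teaclub
Dec  2 21:00:00 havoc sshd[24031]: Accepted publickey for bob from 203.0.113.5 port 40000 ssh2: ED25519 SHA256:EXAMPLEFPR2
Dec  2 21:00:00 havoc sshd[24031]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

@dataclass
class Session:
    pid: int
    user: str
    method: str             # publickey, password, keyboard-interactive, ...
    src_ip: str
    src_port: int
    opened: Optional[str] = None   # syslog timestamp of the PAM "session opened"
    closed: Optional[str] = None   # None if the session is still open at end of log

def parse_sessions(lines):
    # pending: pid -> Session whose PAM close has not been seen yet
    pending, finished = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = int(m["pid"]), m["msg"]
        acc = ACCEPT_RE.match(msg)
        if acc:
            if pid in pending:   # pid reused without a logged close: finish the stale one
                finished.append(pending.pop(pid))
            pending[pid] = Session(pid, acc["user"], acc["method"], acc["ip"], int(acc["port"]))
        elif pid in pending:
            if "session opened for user" in msg:
                pending[pid].opened = m["ts"]
            elif "session closed for user" in msg:
                pending[pid].closed = m["ts"]
                finished.append(pending.pop(pid))   # pid may be reused from here on
    finished.extend(pending.values())   # sessions still open when the log ends
    return finished
```

Because the sshd pid is the only join key, a rotated or truncated log that lacks the "session closed" line would merge two logins into one record; the reuse check on a fresh "Accepted" is what keeps them apart.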
Re: sftp and wtmp support
On Thu, Dec 03, 2020 at 01:55:06PM -0700, Bob Proulx wrote:
> Heikki Orsila wrote:
> > Bob Proulx wrote:
> > > I am scanning the /var/log/auth.log file for this information. That's
> > > where the information is logged.
> >
> > Do you have this tool available somewhere?
>
> My use is ad-hoc scanning with awk, grep, sed, perl. So not really a
> general purpose tool. But the format is simple and not too difficult.
>
> Here is an example. This might not be completely correct but it has been
> sufficient for my needs. YMMV.
>
> Dec 2 18:58:55 havoc sshd[24031]: Accepted publickey for teaclub from 63.224.80.128 port 44854 ssh2: RSA SHA256:Nab5H8iLOWfU704AhqiYQkiX8T5ADv2a83uCw/vQLL0
> Dec 2 18:58:55 havoc sshd[24031]: pam_unix(sshd:session): session opened for user teaclub by (uid=0)
>
> The sshd is recording the process that is now parenting that process
> tree. In this case it is 24031. Then that same process is logged
> through PAM starting a session. Then later that session is closed.
>
> Dec 2 20:18:26 havoc sshd[24031]: pam_unix(sshd:session): session closed for user teaclub
>
> In my case I am tracking only public key logins. I have a perl script
> which reads the log file line by line. It looks for lines that match
> the /Accepted publickey for/ pattern. It extracts the sshd pid. It
> then reads lines looking for that sshd pid looking for the session
> open. And then later for the session close. (Note that after the
> session is closed the pid may be reused.) The session open and close
> information logged there provides the information I needed.

Thanks, Bob! It seems you have implemented option 1 from the
original question.

- Heikki