This page describes a patch to the secure shell daemon which logs all terminal output. The log file with terminal output has the same format as the output of the script command. Active sessions can be monitored using tail -f. Past sessions can be played back using the provided replay command, at reduced or increased speed if desired.
The patch was originally developed as part of a contract, and later released to the public domain.
    /var/log/openssh/openssh.2006-03-14.14:20:23.koen.73e25ba5.typescript
The files with timing information contain two fields per line. The first field is a timestamp, expressed in seconds since Jan. 1, 1970. Accuracy is 1/100 of a second. The second field is the number of characters sent to the user during that hundredth of a second.
    replay /var/log/openssh/openssh.2006-03-14.14\:20\:23.koen.73e25ba5.typescript
The optional --speed argument allows changes in playback speed. Example:
    replay --speed 2 /var/log/openssh/openssh.2006-03-14.14\:20\:23.koen.73e25ba5.typescript
plays the session back twice as fast. Alternatively, one may choose to slow down playback:
    replay --speed 0.5 /var/log/openssh/openssh.2006-03-14.14\:20\:23.koen.73e25ba5.typescript
This plays the session back at half the recorded speed.
The replay command stops when it reaches the end of the log file; playback can also be terminated with Ctrl-C.
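The two-field timing format described above is enough to drive playback. The following Python sketch is an added example, not the replay command shipped with the patch; it assumes the character counts are byte counts measured from the start of the output log, and its function names and sample data are constructed for illustration.

```python
import sys
import time

def parse_timing(text):
    """Parse lines of '<epoch seconds, 1/100 s resolution> <character count>'."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # tolerate blank lines
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(fields)}")
        stamp, count = float(fields[0]), int(fields[1])
        if count < 0:
            raise ValueError(f"line {lineno}: negative character count")
        entries.append((stamp, count))
    return entries

def schedule(entries, data, speed=1.0):
    """Return [(delay_seconds, chunk), ...] for playback at the given speed factor."""
    if speed <= 0:
        raise ValueError("speed must be positive")
    plan, offset, previous = [], 0, None
    for stamp, count in entries:
        # Clamp negative gaps (clock stepped backwards) so time.sleep never gets a negative value.
        gap = 0.0 if previous is None else max(0.0, stamp - previous)
        chunk = data[offset:offset + count]
        plan.append((gap / speed, chunk))
        offset += len(chunk)
        previous = stamp
        if len(chunk) < count:
            break  # output log is shorter than the timing file claims (truncated or still being written)
    return plan

def replay(timing_path, output_path, speed=1.0, out=None):
    """Write the recorded output to out (default: stdout) with the recorded pacing."""
    out = out or sys.stdout.buffer
    with open(timing_path) as t, open(output_path, "rb") as o:
        plan = schedule(parse_timing(t.read()), o.read(), speed)
    for delay, chunk in plan:
        time.sleep(delay)
        out.write(chunk)
        out.flush()

# Constructed sample data (not taken from a real session): three bursts of output.
SAMPLE_TIMING = "1142346023.10 2\n1142346023.60 8\n1142346025.60 8\n"
SAMPLE_OUTPUT = b"$ whoami\r\nkoen\r\n$ "
```

Because the log holds raw terminal output, any escape sequences in it are interpreted by the reviewer's terminal during playback.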
Note that every byte of output is logged; this also applies to file transfer (sftp) and graphical (X11) sessions. The log files will contain the raw bitstream of sftp and X11 sessions.
Only output is logged. If the user types in a password and the password is not echoed back, the password will not be logged.
openssh-4.3p2-logging.diff: patch for the portable openssh-4.3p2 (Linux, FreeBSD, etc.), with bugfix from Thomas Reifferscheid.
Last update page: April 28, 2006