Home»Projects »SSH session logging patch

SSH session logging patch


This page describes a patch to the secure shell daemon which logs all terminal output. The log file with terminal output has the same format as the output of the script command. Active sessions can be monitored using tail -f. Past sessions can be played back using the provided replay command, at reduced or increased speed if desired.
The patch was originally developed as part of a contract, and later released to the public domain.


Each byte sent to the user is logged, together with a timestamp. There are no exceptions to this.
Logfiles are located in /var/log/openssh. Each session creates two logfiles, one with session output, another with timestamps. The logfile filename contains
Sample file names:
The files with timing information contain two fields per line. The first field is a timestamp, expressed in seconds since Jan. 1, 1970. Accuracy is 1/100 of a second. The second field is the number of characters sent to the user during that hundredth of a second.

The file with session output has the same format as the output of the script command.

Should one wish to monitor a session in real time, a tail -f of the .typescript file is sufficient.
Sessions can also be played back later using the provided replay command. The replay command takes one argument; which is either the .timing or the .typescript log file of a session. Example:
replay /var/log/openssh/openssh.2006-03-14.14\:20\:23.koen.73e25ba5.typescript 
The optional --speed argument allows changes in playback speed. Example:
replay --speed 2 /var/log/openssh/openssh.2006-03-14.14\:20\:23.koen.73e25ba5.typescript
plays the session back twice as fast. Alternatively, one may choose to slow down playback:
replay --speed 0.5 /var/log/openssh/openssh.2006-03-14.14\:20\:23.koen.73e25ba5.typescript

This plays the session back at half the recorded speed.
The replay command ends at logfile end; one can also terminate the playback using ctrl-C.
Note every byte output is logged; this also applies to file transfer (sftp) and graphical (X11) sessions. The logfiles will contain the raw bitstream of sftp and X11 sessions.
Only output is logged. If the user types in a password and the password is not echoed back, the password will not be logged.


sftp logging


openssh-4.3p2-logging.diff patch for the portable openssh-4.3p2 (Linux, FreeBSD, etc.), with bugfix from Thomas Reifferscheid.

Last update page: April 28, 2006