
SSH session logging patch

Introduction

This page describes a patch to the secure shell daemon which logs all terminal output. The log file with terminal output has the same format as the output of the script command. Active sessions can be monitored using tail -f. Past sessions can be played back using the provided replay command, at reduced or increased speed if desired.
The patch was originally developed as part of a contract, and later released to the public domain.


Description

Each byte sent to the user is logged, together with a timestamp. There are no exceptions to this.
Logfiles are located in /var/log/openssh. Each session creates two logfiles, one with session output, another with timestamps. The logfile filename contains
Sample file names:
/var/log/openssh/openssh.2006-03-14.14:20:23.koen.73e25ba5.timing
/var/log/openssh/openssh.2006-03-14.14:20:23.koen.73e25ba5.typescript
The files with timing information contain two fields per line. The first field is a timestamp, expressed in seconds since Jan. 1, 1970. Accuracy is 1/100 of a second. The second field is the number of characters sent to the user during that hundredth of a second.

The file with session output has the same format as the output of the script command.

Should one wish to monitor a session in real time, a tail -f of the .typescript file is sufficient.
Sessions can also be played back later using the provided replay command. The replay command takes one argument, which is either the .timing or the .typescript log file of a session. Example:
replay /var/log/openssh/openssh.2006-03-14.14\:20\:23.koen.73e25ba5.typescript 
The optional --speed argument allows changes in playback speed. Example:
replay --speed 2 /var/log/openssh/openssh.2006-03-14.14\:20\:23.koen.73e25ba5.typescript
plays the session back twice as fast. Alternatively, one may choose to slow down playback:
replay --speed 0.5 /var/log/openssh/openssh.2006-03-14.14\:20\:23.koen.73e25ba5.typescript

This plays the session back at half the recorded speed.
The replay command ends at logfile end; one can also terminate the playback using ctrl-C.
Note that every byte of output is logged; this also applies to file transfer (sftp) and graphical (X11) sessions. The logfiles will contain the raw bitstream of sftp and X11 sessions.
Only output is logged. If the user types in a password and the password is not echoed back, the password will not be logged.
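The following is an added example of how the two logfiles fit together, not the patch's own replay tool. It assumes the format described above: each .timing line is a timestamp in seconds since the epoch (1/100 s resolution) followed by the number of bytes sent in that hundredth, and those byte counts partition the raw .typescript stream in order; the sample session data at the bottom is constructed.

```python
"""Replay a .timing/.typescript log pair at a chosen speed.

Added example, not the patch's own replay tool. It assumes the format described
above: each .timing line is "<epoch seconds, 1/100 s resolution> <byte count>"
and those counts partition the raw .typescript stream in order.
"""
import sys
import time


def build_schedule(timing_text, typescript_bytes):
    """Return [(delay_since_previous_chunk, chunk), ...] for a session.
    Timestamps are absolute, so delays are differences of consecutive lines."""
    schedule, offset, prev_ts = [], 0, None
    for lineno, line in enumerate(timing_text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 2:
            raise ValueError(f".timing line {lineno}: expected 2 fields: {line!r}")
        ts, count = float(fields[0]), int(fields[1])
        chunk = typescript_bytes[offset:offset + count]
        if len(chunk) != count:
            # .typescript shorter than .timing claims: log cut short or still being written
            raise ValueError(f".timing line {lineno}: .typescript truncated at byte {offset + len(chunk)}")
        delay = 0.0 if prev_ts is None else max(0.0, ts - prev_ts)
        schedule.append((delay, chunk))
        offset, prev_ts = offset + count, ts
    return schedule


def replay(timing_path, typescript_path, speed=1.0, out=None):
    """Write the session to `out`, pausing the recorded delay divided by `speed`."""
    if speed <= 0:
        raise ValueError("speed must be positive")
    out = out or sys.stdout.buffer
    with open(timing_path) as t, open(typescript_path, "rb") as s:
        schedule = build_schedule(t.read(), s.read())
    for delay, chunk in schedule:
        time.sleep(delay / speed)
        out.write(chunk)
        out.flush()
    return len(schedule)


# Constructed sample: three output bursts, 0.5 s and then 1.0 s apart (11 bytes in all).
SAMPLE_TIMING = "1142346023.00 6\n1142346023.50 3\n1142346024.50 2\n"
SAMPLE_TYPESCRIPT = b"$ ls\r\nfoo\r\n"
if __name__ == "__main__":  # e.g. python3 replay.py session.timing session.typescript 2
    replay(sys.argv[1], sys.argv[2], float(sys.argv[3]) if len(sys.argv) > 3 else 1.0)
```

Because the byte counts must add up to the .typescript length, a mismatch between the two files is detected as a truncated or tampered log rather than silently replayed out of step.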

chroot

sftp logging


Downloads

openssh-4.3p2-logging.diff patch for the portable openssh-4.3p2 (Linux, FreeBSD, etc.), with bugfix from Thomas Reifferscheid.

Page last updated: April 28, 2006