Re: Monitoring ssh logins/logouts

Jakob Curdes wrote:
> we are trying to monitor ssh logins on security-critical machines with a
> script that scans logfiles for the relevant entries.
> A problem ist that when the ssh connection is closed by a network
> interruption or by closing the window with the ssh client, we do not
> find a corresponding entry in the logs.

Which OpenSSH version, and is it a vendor-supplied package or self-compiled?

> "last" does not show this
> information either, at least on our systems which are RedHat Linux
> based. Is there any way to record a "User gone" or so ? At a certain
> point, the daemon closes the connection when the client has gone away;
> would it be possible to log this ?

I think sshd should update last on disconnects, if it doesn't it should be
investigated.

> I would be grateful for a hint.

The optional audit code in 4.0p1 and will catch these disconnect events
and syslog them if you enable it (configure --with-audit=debug).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev