Re: Logging enhancement

From the OpenSSH Development forum (Networking and Network Related).

Jim Knoble, 04-25-2007:

Circa 2007-04-24 19:44 dixit Anderson Russell D (Andy):

: I would like to suggest a logging enhancement that would contribute
: greatly to access auditing.
:
: Currently nothing is logged when a user connects to another server as a
: different user.
:
: The auditing trail is broken for tracing access.
:
: userA> ssh userB@hostB
:
: A simple syslog addition (for example) to ssh.c closes that gap.
: [...]

And what if the user logs into a remote system using an ssh program they
compiled themselves which doesn't have that logging bit in it?

userA@hostA$ /path/to/my/own/ssh userB@hostB

At the very least, you'll need to track every command run by every user,
including its environment (PATH, other environment variables that can
control program behavior, including LD_PRELOAD on appropriate systems).

Furthermore, what if the user sets up a tunneled connection to hostB via
hostA and logs into hostB over that connection?

user5@hostQ$ ssh -f -N -L 23456:hostB:22 userA@hostA
user5@hostQ$ ssh -p 23456 userB@localhost

Now command logging doesn't even help, unless you can log commands run
on hostQ as well.

You're probably better off forcing users to use public key
authentication only, controlling the contents of ~/.ssh/authorized_keys
on the hosts on your network, setting sshd's LogLevel to VERBOSE, and
using the fingerprints logged by sshd to tell who logged into where from
where.

Maybe look into whether using Kerberos and GSSAPI authentication can
help you.

You'll need policies to deal with things like users allowing use of
their accounts or credentials by someone else as well.

--
jim knoble | jmknoble@pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG key ID: 6F39C2CC >>>>>> http://www.pobox.com/~jmknoble/keys/ )
(GnuPG fingerprint: 5024:D578:7CF4:5660:7269::F6F3:B919:9307:6F39:C2CC )
+----------------------------------------------------------------------+
|[L]iberty, as we all know, cannot flourish in a country that is perma-|
| nently on a war footing, or even a near-war footing. --Aldous Huxley|
+----------------------------------------------------------------------+
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev
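The approach in Jim's last paragraphs, as an added example that is not from this thread or from the OpenSSH project: with password authentication off, authorized_keys under administrator control and LogLevel VERBOSE, the "Accepted publickey" line sshd writes on the destination host carries the fingerprint of the key that was used, and a fingerprint-to-owner inventory turns that into the "who logged into which account from where" record Andy asked for. Everything below is constructed: the host names, the addresses (192.0.2.10 stands in for hostA), the fingerprints, the log lines and the KEY_OWNERS inventory. The log format assumed is the one current OpenSSH releases write; a 2007-era sshd logged an MD5 fingerprint on a separate "Found matching ... key" line, so LOGIN_RE would need adjusting there. The second sample login is the tunnelled case from the post: hostB sees a connection arriving from hostA's address, authenticated with userA's key rather than userB's, which is exactly what the correlation is meant to surface.

```python
"""
Correlate sshd "Accepted publickey" lines with a central key inventory so the
audit trail on the destination host names the key owner, the account and the
source. Added example, not code from the thread or from OpenSSH.

Assumed sshd_config on every host (the settings recommended in the post):

    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AuthorizedKeysFile /etc/ssh/authorized_keys/%u    # admin-controlled, not ~/.ssh
    LogLevel VERBOSE
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed fingerprints (not real keys).
FP_USERB = "SHA256:QoZ9cJ7fT1mQk4v0fX2z8rY3pL6nH5sW1aB2cD3eF4g"
FP_USERA = "SHA256:Xk2mN8pQ4rS6tU0vW1yZ3aB5cD7eF9gH1jK3lM5nO7p"
FP_STRAY = "SHA256:ZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZzZ"

# Constructed excerpt of auth.log on hostB. 192.0.2.10 plays the role of hostA.
SAMPLE_LOG = f"""\
Apr 25 19:44:01 hostB sshd[4120]: Accepted publickey for userB from 203.0.113.50 port 51234 ssh2: ED25519 {FP_USERB}
Apr 25 19:45:12 hostB sshd[4131]: Accepted publickey for userB from 192.0.2.10 port 51240 ssh2: RSA {FP_USERA}
Apr 25 19:46:03 hostB sshd[4140]: Accepted publickey for root from 198.51.100.7 port 40022 ssh2: ED25519 {FP_STRAY}
Apr 25 19:47:30 hostB sshd[4155]: Accepted password for userC from 203.0.113.9 port 33000 ssh2
Apr 25 19:48:00 hostB sshd[4160]: Connection closed by 203.0.113.9 port 33000
"""

# Constructed inventory: fingerprint -> owner, generated from the admin-controlled
# authorized_keys files (e.g. `ssh-keygen -lf` over each key). FP_STRAY is
# deliberately absent: a key that was never enrolled.
KEY_OWNERS: Dict[str, str] = {FP_USERB: "userB", FP_USERA: "userA"}

# Matches the successful-authentication line of current OpenSSH releases.
LOGIN_RE = re.compile(
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: Accepted (?P<method>[\w-]+) for (?P<account>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)

OK = "ok"                      # key owner logged into their own account
CROSS_ACCOUNT = "cross-account"  # someone's key used for a different account
UNKNOWN_KEY = "unknown-key"    # fingerprint not in the inventory: uncontrolled key
NON_KEY_AUTH = "non-key-auth"  # password/other: should be impossible under the policy


class Login(NamedTuple):
    host: str
    account: str
    src: str
    port: int
    method: str
    fp: Optional[str]
    owner: Optional[str]
    verdict: str


def classify(method: str, fp: Optional[str], account: str,
             owners: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (key owner or None, verdict) for one accepted authentication."""
    if method != "publickey":
        return None, NON_KEY_AUTH
    owner = owners.get(fp or "")
    if owner is None:
        return None, UNKNOWN_KEY
    return owner, OK if owner == account else CROSS_ACCOUNT


def parse_logins(log_text: str, owners: Dict[str, str]) -> List[Login]:
    """Extract every accepted login from sshd log text and classify it."""
    logins: List[Login] = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # disconnects, failures, etc. are not login events
        owner, verdict = classify(m["method"], m["fp"], m["account"], owners)
        logins.append(Login(m["host"], m["account"], m["src"], int(m["port"]),
                            m["method"], m["fp"], owner, verdict))
    return logins


def audit_trail(logins: List[Login]) -> List[str]:
    """One line per login: who (key owner) -> which account, from where."""
    out = []
    for l in logins:
        who = l.owner or ("<unknown key>" if l.method == "publickey" else f"<{l.method}>")
        out.append(f"{who} -> {l.account}@{l.host} from {l.src}:{l.port} [{l.verdict}]")
    return out


def findings(logins: List[Login]) -> Counter:
    """Count logins per verdict; anything other than OK deserves a look."""
    return Counter(l.verdict for l in logins)


if __name__ == "__main__":
    for entry in audit_trail(parse_logins(SAMPLE_LOG, KEY_OWNERS)):
        print(entry)
```

The record this produces is only as good as the inventory: it names the owner of the key, not necessarily the person at the keyboard, which is the credential-sharing gap the post's last paragraph leaves to policy. The non-key-auth verdict is worth keeping even though the configuration is supposed to rule such logins out, since a host whose sshd_config has drifted will announce itself in exactly that way.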