Well, one way might be to have strace active on the ssh process. You can only log program executions like this:

    strace -f -p <pid of process> -v -e execve -o <logfile>

Though you'll need to know the parent/child relationships and user IDs, as well as file descriptors, so there should be fork, clone, open, close, openat, dup, dup2, setuid, seteuid, setreuid and perhaps a few others in the set of traced syscalls.

I guess that a "restricted shell" might be another way; or, if you have cooperation of the users involved, a simple "force-command" involving "script" (1) might work as well. If you are not sure about users' cooperation, you'll need some protected process - like the strace running as uid 0.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
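The post-processing that such a trace needs, as an added example that is not part of the original message: it reads the pid-prefixed lines strace writes with -f and -o, rebuilds the parent/child chain from clone/fork return values, tracks uid changes, and reports each successful execve. The sample log lines are constructed and `exec_events` is a hypothetical helper name.

```python
import re

# Constructed sample in the format written by `strace -f -v -o <logfile>`.
SAMPLE_LOG = r'''
4100 clone(child_stack=NULL, flags=CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f10) = 4101
4101 setuid(1000) = 0
4101 execve("/bin/bash", ["-bash"], ["HOME=/home/alice"]) = 0
4101 clone(child_stack=NULL, flags=SIGCHLD <unfinished ...>
4102 execve("/usr/local/bin/scp", ["scp", "-t", "/tmp"], ["HOME=/home/alice"]) = -1 ENOENT (No such file or directory)
4102 execve("/usr/bin/scp", ["scp", "-t", "/tmp"], ["HOME=/home/alice"]) = 0
4101 <... clone resumed>, child_tidptr=0x7f20) = 4102
4102 +++ exited with 0 +++
'''

QUOTED = r'"((?:[^"\\]|\\.)*)"'
CALL = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s+=\s+(-?\d+)')
UNFINISHED = re.compile(r'^(\d+)\s+(\w+)\((.*) <unfinished \.\.\.>$')
RESUMED = re.compile(r'^(\d+)\s+<\.\.\. (\w+) resumed>(.*)\)\s+=\s+(-?\d+)')
EXEC_ARGS = re.compile('^' + QUOTED + r', \[(.*?)\], ')

def exec_events(log):
    """Successful execve calls with each pid's ancestors and last known uid."""
    parent, uid, pending, events = {}, {}, {}, []
    for line in log.strip().splitlines():
        u = UNFINISHED.match(line)
        if u:  # first half of a call split by another process's output
            pending[int(u.group(1))] = u.group(3)
            continue
        m = CALL.match(line) or RESUMED.match(line)
        if not m:
            continue  # exit notices, signals
        pid, name, ret = int(m.group(1)), m.group(2), int(m.group(4))
        args = pending.pop(pid, "") + m.group(3)
        if name in ("clone", "fork", "vfork") and ret > 0:
            parent[ret] = pid
        elif name in ("setuid", "seteuid", "setreuid") and ret == 0:
            new = int(args.split(",")[-1])  # last argument is the effective uid
            if new != -1:
                uid[pid] = new
        elif name == "execve" and ret == 0 and (a := EXEC_ARGS.match(args)):
            events.append({"pid": pid, "uid": uid.get(pid), "path": a.group(1),
                           "argv": re.findall(QUOTED, a.group(2))})
    for ev in events:  # resolve after the pass: a child can log before clone() returns
        chain, p = [], ev["pid"]
        while p in parent and parent[p] not in chain:
            p = parent[p]
            chain.append(p)
        ev["ancestors"] = chain
        if ev["uid"] is None:  # approximation: inherit the nearest ancestor's uid
            ev["uid"] = next((uid[q] for q in chain if q in uid), None)
    return events
```

Failed execve attempts (here the ENOENT from a PATH search) are skipped, and a uid of None means the trace never saw a set*uid call for that pid or its ancestors, which is expected when strace attaches with -p to a process that is already running.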