Heikki Orsila wrote:
> Bob Proulx wrote:
> > I am scanning the /var/log/auth.log file for this information. That's
> > where the information is logged.
>
> Do you have this tool available somewhere?

My use is ad-hoc scanning with awk, grep, sed, perl. So not really a general purpose tool. But the format is simple and not too difficult. Here is an example. This might not be completely correct but it has been sufficient for my needs. YMMV.

    Dec 2 18:58:55 havoc sshd[24031]: Accepted publickey for teaclub from 63.224.80.128 port 44854 ssh2: RSA SHA256:Nab5H8iLOWfU704AhqiYQkiX8T5ADv2a83uCw/vQLL0
    Dec 2 18:58:55 havoc sshd[24031]: pam_unix(sshd:session): session opened for user teaclub by (uid=0)

The sshd is recording the process that is now parenting that process tree. In this case it is 24031. Then that same process is logged through PAM starting a session. Then later that session is closed.

    Dec 2 20:18:26 havoc sshd[24031]: pam_unix(sshd:session): session closed for user teaclub

In my case I am tracking only public key logins. I have a perl script which reads the log file line by line. It looks for lines that match the /Accepted publickey for/ pattern. It extracts the sshd pid. It then reads lines looking for that sshd pid, looking for the session open. And then later for the session close. (Note that after the session is closed the pid may be reused.)

The session open and close information logged there provides the information I needed.

Bob
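The correlation described in the message above, sketched in Python as an added example (this is not the poster's perl script): it keys on the sshd pid from each `Accepted publickey for` line, attaches the PAM session open and close, and drops the pid on close so that a reused pid starts a new record. The function name, the record fields and the last four sample log lines are assumptions constructed for illustration.

```python
import re

# First three lines are the ones quoted in the message above. The rest are
# constructed: pid 24031 is reused by a later login, and a password login
# (pid 24100) is present to show it is not tracked.
SAMPLE_LOG = """\
Dec 2 18:58:55 havoc sshd[24031]: Accepted publickey for teaclub from 63.224.80.128 port 44854 ssh2: RSA SHA256:Nab5H8iLOWfU704AhqiYQkiX8T5ADv2a83uCw/vQLL0
Dec 2 18:58:55 havoc sshd[24031]: pam_unix(sshd:session): session opened for user teaclub by (uid=0)
Dec 2 20:18:26 havoc sshd[24031]: pam_unix(sshd:session): session closed for user teaclub
Dec 2 21:05:10 havoc sshd[24031]: Accepted publickey for example from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:CONSTRUCTED-PLACEHOLDER
Dec 2 21:05:10 havoc sshd[24031]: pam_unix(sshd:session): session opened for user example by (uid=0)
Dec 2 21:06:00 havoc sshd[24100]: Accepted password for example from 192.0.2.10 port 50030 ssh2
Dec 2 21:06:00 havoc sshd[24100]: pam_unix(sshd:session): session opened for user example by (uid=0)
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[(\d+)\]:\s(.*)$")
ACCEPT = re.compile(r"^Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (\S+)")
# Newer pam_unix versions log "user name(uid=N)", so stop the name at "(".
SESSION = re.compile(r"^pam_unix\(sshd:session\): session (opened|closed) for user ([^\s(]+)")

def track_sessions(lines):
    # Returns one record per public key login, in log order.
    active = {}    # sshd pid -> record for the login currently owning that pid
    sessions = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        accepted = ACCEPT.match(msg)
        if accepted:
            user, source, fingerprint = accepted.groups()
            rec = {"pid": int(pid), "user": user, "source": source, "key": fingerprint,
                   "accepted": stamp, "opened": None, "closed": None}
            active[pid] = rec          # replaces any stale record for a reused pid
            sessions.append(rec)
            continue
        event = SESSION.match(msg)
        rec = active.get(pid)
        if not (event and rec and event.group(2) == rec["user"]):
            continue                   # unrelated line, or a login we do not track
        if event.group(1) == "opened":
            rec["opened"] = stamp
        else:
            rec["closed"] = stamp
            del active[pid]            # the pid may be reused from here on
    return sessions

if __name__ == "__main__":
    for s in track_sessions(SAMPLE_LOG.splitlines()):
        print(s["user"], s["pid"], s["key"], s["opened"], "->", s["closed"] or "still open")
```

Records whose `closed` field is still `None` at end of input are sessions that were open when the log was read, or whose close line was rotated out.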