Re: sftp and wtmp support

On Thu, Dec 03, 2020 at 01:55:06PM -0700, Bob Proulx wrote:
> Heikki Orsila wrote:
> > Bob Proulx wrote:
> > > I am scanning the /var/log/auth.log file for this information.  That's
> > > where the information is logged.
> > 
> > Do you have this tool available somewhere?
> 
> My use is ad-hoc scanning with awk, grep, sed, perl.  So not really a
> general purpose tool.  But the format is simple and not too difficult.
> 
> Here is an example.  This might not be completely correct but it has been
> sufficient for my needs.  YMMV.
> 
>     Dec  2 18:58:55 havoc sshd[24031]: Accepted publickey for teaclub from 63.224.80.128 port 44854 ssh2: RSA SHA256:Nab5H8iLOWfU704AhqiYQkiX8T5ADv2a83uCw/vQLL0
>     Dec  2 18:58:55 havoc sshd[24031]: pam_unix(sshd:session): session opened for user teaclub by (uid=0)
> 
> The sshd is recording the process that is now parenting that process
> tree.  In this case it is 24031.  Then that same process is logged
> through PAM starting a session.  Then later that session is closed.
> 
>     Dec  2 20:18:26 havoc sshd[24031]: pam_unix(sshd:session): session closed for user teaclub
> 
> In my case I am tracking only public key logins.  I have a perl script
> which reads the log file line by line.  It looks for lines that match
> the /Accepted publickey for/ pattern.  It extracts the sshd pid.  It
> then reads lines looking for that sshd pid, looking for the session
> open.  And then later for the session close.  (Note that after the
> session is closed the pid may be reused.)  The session open and close
> information logged there provides the information I needed.

Thanks, Bob! It seems you have implemented option 1 from the
original question.

- Heikki
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
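The pid-correlation approach Bob describes, written out as an added example in Python (this is not his perl script, which is not on this page): match the "Accepted" line, tie the PAM session open and close to the same sshd pid, and forget the pid at close so a later reuse of that pid starts a new record. The sample auth.log excerpt is constructed around the lines quoted above; the password login and the second use of pid 24031 are assumed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed auth.log excerpt: the first two lines and the "closed" line are the ones
# quoted in the thread; the alice and bob lines are invented (pid 24031 is reused).
SAMPLE_LOG = """\
Dec  2 18:58:55 havoc sshd[24031]: Accepted publickey for teaclub from 63.224.80.128 port 44854 ssh2: RSA SHA256:Nab5H8iLOWfU704AhqiYQkiX8T5ADv2a83uCw/vQLL0
Dec  2 18:58:55 havoc sshd[24031]: pam_unix(sshd:session): session opened for user teaclub by (uid=0)
Dec  2 19:10:02 havoc sshd[24102]: Accepted password for alice from 203.0.113.7 port 50122 ssh2
Dec  2 20:18:26 havoc sshd[24031]: pam_unix(sshd:session): session closed for user teaclub
Dec  2 21:00:00 havoc sshd[24031]: Accepted publickey for bob from 198.51.100.9 port 40000 ssh2: ED25519 SHA256:constructed
Dec  2 21:00:01 havoc sshd[24031]: pam_unix(sshd:session): session opened for user bob by (uid=0)
"""

PREFIX = r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: '  # syslog prefix; pid is the join key
ACCEPT = re.compile(PREFIX + r'Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+')
OPENED = re.compile(PREFIX + r'pam_unix\(sshd:session\): session opened for user (?P<user>\S+)')
CLOSED = re.compile(PREFIX + r'pam_unix\(sshd:session\): session closed for user (?P<user>\S+)')

@dataclass
class Session:
    pid: int
    user: str
    ip: str
    accepted: str                    # timestamp of the "Accepted ..." line
    opened: Optional[str] = None     # timestamp of the PAM "session opened" line
    closed: Optional[str] = None     # timestamp of the PAM "session closed" line

def track_sessions(lines, methods=("publickey",)):
    """Correlate Accepted / session opened / session closed lines by sshd pid; only the
    auth methods in `methods` are tracked. A pid is dropped from `active` on close, so a
    reused pid starts a fresh Session rather than being merged into the old one."""
    active: dict = {}          # pid -> Session that has been accepted but not yet closed
    sessions: list = []        # every tracked session, in acceptance order
    for line in lines:
        if m := ACCEPT.match(line):
            if m['method'] in methods:
                s = Session(int(m['pid']), m['user'], m['ip'], m['ts'])
                active[s.pid] = s      # an unclosed earlier entry for this pid is superseded
                sessions.append(s)
        elif m := OPENED.match(line):
            s = active.get(int(m['pid']))
            if s and s.user == m['user']:   # user must match, guarding against a stale pid
                s.opened = m['ts']
        elif m := CLOSED.match(line):
            s = active.pop(int(m['pid']), None)
            if s and s.user == m['user']:
                s.closed = m['ts']
    return sessions
```

Real auth.log files wrap around the year boundary and may interleave many sshd children, so in production the pid map should also expire entries that never see a close.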