@bewest
Last active January 31, 2018 03:03
ssh log session

log an ssh session from ~/.ssh/authorized_keys.

From https://www.jms1.net/ssh-record.shtml

Setting it up can be a bit tricky if you aren't used to dealing with SSH keys and forced commands. Here's an example showing how to set it up on a server. First, download the script; I keep it in /usr/local/sbin so it can be used system-wide.

# cd /usr/local/sbin
# wget http://www.jms1.net/log-session
...

Find out where the sftp-server binary is located.

# grep sftp /etc/ssh/sshd_config
#Subsystem     sftp    /usr/libexec/openssh/sftp-server
Subsystem      sftp    internal-sftp

Your sshd_config file may be in a different directory.

Put that value into the script.

# nano log-session

Use whatever text editor you like. Find this line (near the top) and set the variable to point to your sftp-server binary.

SFTP_SERVER=/usr/libexec/openssh/sftp-server
# chmod 755 log-session

Add the forced command to each user's key

For each user whose SSH sessions you wish to record, you need to edit the user's ".ssh/authorized_keys" file. Find the line which contains their public key, and add a forced command to the beginning of the line which will make sshd run that script instead of whatever command they may have wanted to run. Be careful, some text editors may try to wrap the lines for you (the keys are very long.) DO NOT allow the editor to do this (or at least make sure you fix the damage before saving the file.)

# cd ~user/.ssh
# nano authorized_keys

Again, use whatever text editor you like. Find the line for their key, which will probably look like...

ssh-dss AAAAB3NzaC1kc3MAAAEBAMKr1HxJzOWRQCm16Sf...

Add the forced command to the beginning of this line. The result should look like this...

command="/usr/local/sbin/log-session" ssh-dss AAAAB3NzaC1kc3MAAAEBAMKr1HxJzOWRQCm16Sf...

After this is done, any time somebody connects to the server and uses that key to authenticate as that user, sshd will run the log-session script instead of whatever command they were trying to run. Of course, the script will run their original command, but it will log the session (unless they're doing an SFTP session, which I guess you could log, but since it's a binary protocol there's probably not much use in doing so; if you want to do this, directions can be found within the script itself).
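Editing long key lines by hand is where this step usually goes wrong, so here is an added example (not part of this gist or of jms1.net's instructions) that prepends the forced command to every key in an authorized_keys file without re-wrapping anything, skips keys that already have a command= option, and rewrites the file in place without changing its owner or mode. It assumes the script lives at /usr/local/sbin/log-session as in the text; the extra no-port-forwarding/no-agent-forwarding/no-X11-forwarding options are an added hardening choice, not something the original page specifies. The sample authorized_keys contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the gist or of jms1.net's instructions: add the
# log-session forced command to every key in an authorized_keys file without
# re-wrapping lines, skipping keys that already carry a command= option.
# Assumptions: log-session lives at /usr/local/sbin/log-session (as in the
# text); the extra key options below are an added hardening choice.

LOG_SESSION=/usr/local/sbin/log-session
# Stacked with the forced command so the session is a plain shell or command
# and the recording cannot be sidestepped through tunnels. pty is still
# allowed, because script(1) needs one to record an interactive shell.
EXTRA_OPTS=no-port-forwarding,no-agent-forwarding,no-X11-forwarding

# add_forced_command FILE
# print FILE with the forced command prepended to every key line that lacks one
add_forced_command() {
    awk -v cmd="$LOG_SESSION" -v opts="$EXTRA_OPTS" '
        # blank lines and comments pass through untouched
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        # a line that already has a forced command is left alone (idempotent)
        /(^|,)command="/ { print; next }
        # no options yet: the first field is the key type
        $1 ~ /^(ssh-|ecdsa-|sk-)/ { print "command=\"" cmd "\"," opts " " $0; next }
        # options already present: join ours onto the existing option list
        { print "command=\"" cmd "\"," opts "," $0 }
    ' "$1"
}

# apply_forced_command FILE
# rewrite FILE in place, keeping its inode, owner and mode (a root-owned or
# world-writable authorized_keys is one sshd will refuse under StrictModes)
apply_forced_command() {
    tmp=$(mktemp) || return 1
    add_forced_command "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# count_unforced FILE: number of key lines still without a forced command
count_unforced() {
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/ && !/command="/ { n++ }
         END { print n + 0 }' "$1"
}

# Demo on a constructed authorized_keys file (the key material is made up).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# keys for alice
ssh-dss AAAAB3NzaC1kc3MAAAEBAMKr1HxJzOWRQCm16Sf alice@laptop
from="192.0.2.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC alice@backup
command="/usr/local/bin/other-wrapper" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI alice@ci
EOF
echo "keys without a forced command before: $(count_unforced "$demo")"
apply_forced_command "$demo"
echo "keys without a forced command after:  $(count_unforced "$demo")"
cat "$demo"
rm -f "$demo"
```

Run it as root against ~user/.ssh/authorized_keys with `apply_forced_command`; `count_unforced` afterwards should print 0. Keys that already carry some other command= wrapper are deliberately left alone rather than double-wrapped, so review those by hand.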

#!/bin/sh
#
# log-session
# John Simpson <jms1@jms1.net> 2008-08-06
#
###############################################################################
#
# Copyright (C) 2008 John Simpson.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 3, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
###############################################################################
#
# configuration
# copy this value from the "Subsystem sftp" line in your sshd_config file
SFTP_SERVER=/usr/libexec/openssh/sftp-server
###############################################################################
###############################################################################
###############################################################################
NOW=`date +%Y-%m-%d.%H%M%S`
# SSH_CLIENT is "client-address client-port server-port"; keep the address only
IP=`echo "$SSH_CLIENT" | sed 's/ .*//'`
# anything given as arguments on the command="..." line in authorized_keys is
# run in front of whatever the client asked for; empty when the key line names
# only this script
COMMAND="$*"
# NAME is expected from the environment set on the key line, e.g.
#   command="NAME=alice /usr/local/sbin/log-session" ssh-rsa ...
# this is the gist's dokku-flavoured log path; the directory must exist and be
# writable by the user whose session is being recorded
LOGFILE=/var/log/dokku/deploy.log.$NOW.${NAME:-unknown}.$IP
# if you want to log the initial contents of the environment received from
# sshd, un-comment these lines.
#
# env | sort >> "$LOGFILE"
# echo "========================================" >> "$LOGFILE"
# the "internal-sftp" subsystem is new as of openssh 4.9. it works like
# the sftp server logic is built into sshd, and as such it's capable of
# chroot'ing users into their home directories.
# there's no way to "redirect" execution back into it, so the best we
# can do is exec the old sftp-server instead, which will give the user a
# working sftp session, but won't chroot them into their home directory.
if [ "${SSH_ORIGINAL_COMMAND:-}" = "internal-sftp" ]
then
    echo "substituting $SFTP_SERVER for internal SFTP service" >> "$LOGFILE"
    echo "========================================" >> "$LOGFILE"
    exec "$SFTP_SERVER"
# if they're requesting the sftp server, this is an sftp command.
# logging the traffic wouldn't make much sense, it's a binary protocol...
# although if you really want to log the raw data, comment out this block
# and let execution fall through to the next block.
elif [ "${SSH_ORIGINAL_COMMAND:-}" = "$SFTP_SERVER" ]
then
    echo "starting SFTP service" >> "$LOGFILE"
    echo "========================================" >> "$LOGFILE"
    exec "$SFTP_SERVER"
# if the user asked for a specific command, run that command
# but log the traffic going into and out of it.
# (the command text is quoted so that something like "ls *" is written to the
# log literally instead of being glob-expanded by this script first)
elif [ -n "${SSH_ORIGINAL_COMMAND:-}" ]
then
    echo "executing ${COMMAND:+$COMMAND }$SSH_ORIGINAL_COMMAND" >> "$LOGFILE"
    echo "========================================" >> "$LOGFILE"
    exec script -a -f -q -c "${COMMAND:+$COMMAND }$SSH_ORIGINAL_COMMAND" "$LOGFILE"
# no command was requested, user wants an interactive shell.
# of course, log the traffic going in and out of it.
# script(1) takes the typescript file as its only positional argument, so a
# non-empty $COMMAND has to be passed through -c rather than bare.
else
    echo "starting interactive shell session ${COMMAND:-(login shell)}" >> "$LOGFILE"
    echo "========================================" >> "$LOGFILE"
    if [ -n "$COMMAND" ]
    then
        exec script -a -f -q -c "$COMMAND" "$LOGFILE"
    else
        exec script -a -f -q "$LOGFILE"
    fi
fi
# if we get to this point, an "exec" failed somewhere.
echo "exec failed, rv=$?" >&2
exit 1
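Two caveats before relying on these recordings: the log files are created by, and owned by, the user being recorded, so that user can edit or delete them (and can also strip the forced command from their own ~/.ssh/authorized_keys; pointing AuthorizedKeysFile in sshd_config at a root-owned location, or using ForceCommand in a Match block, closes that hole). With that in mind, here is an added example (not part of the gist) that triages the logs the script writes: it splits the gist's file name pattern, deploy.log.NOW.NAME.IP, into its fields, classifies each session from the header line the script echoes first, and lists interactive shells separately, since on a deploy host that should only ever see git pushes those are the sessions worth reading. It assumes NAME contains no dots and that the client address (IPv4 or IPv6) is everything after NAME; the sample log files are constructed.

```shell
#!/bin/sh
# Added example, not part of the gist: triage the session logs written by
# log-session. Assumes the gist's naming, deploy.log.NOW.NAME.IP, where NOW is
# date.time, NAME contains no dots, and the client address (IPv4 or IPv6) is
# whatever follows NAME. The first line of each file is the header the
# script echoes before handing off to script(1) or sftp-server.

# summarize_sessions DIR
# one line per log: "date time user client-address kind detail"
summarize_sessions() {
    for f in "$1"/deploy.log.*; do
        [ -f "$f" ] || continue
        rest=${f##*/}; rest=${rest#deploy.log.}
        date=${rest%%.*}; rest=${rest#*.}
        time=${rest%%.*}; rest=${rest#*.}
        user=${rest%%.*}; addr=${rest#*.}
        header=$(head -n 1 "$f")
        case $header in
            "executing "*)
                kind=command; detail=${header#executing }; detail=${detail# } ;;
            "starting interactive shell"*)
                kind=shell; detail=- ;;
            "starting SFTP"*|"substituting "*)
                kind=sftp; detail=- ;;
            *)
                kind=unknown; detail=- ;;
        esac
        printf '%s %s %s %s %s %s\n' "$date" "$time" "$user" "$addr" "$kind" "$detail"
    done
}

# shell_sessions DIR: only the interactive shells, which deserve a closer look
# on a box that is supposed to see nothing but git pushes
shell_sessions() {
    summarize_sessions "$1" | awk '$5 == "shell"'
}

# Demo on constructed logs (no real session data).
d=$(mktemp -d)
printf '%s\n' "executing git-receive-pack 'app'" "========" "typescript..." \
    > "$d/deploy.log.2018-01-31.030300.bewest.203.0.113.5"
printf '%s\n' "starting interactive shell session" "========" "\$ id" \
    > "$d/deploy.log.2018-01-31.031500.unknown.2001:db8::1"
echo "all sessions:"
summarize_sessions "$d"
echo "interactive shells only:"
shell_sessions "$d"
rm -rf "$d"
```

Point `summarize_sessions` at /var/log/dokku (or wherever LOGFILE goes) to get one line per recorded session; `shell_sessions` narrows that to the interactive ones. The typescript body that follows the header is raw terminal output, so open a flagged file with `less -R` or strip escape sequences before reading it.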