Mailing List Archive

Log ssh sessions using open source tools
Hi,

Are there any open source tools to keep track of ssh sessions? For example,
if a specific user is logging in via ssh to a remote server, what commands or
scripts are being run? Basically, I need to log all users' sessions.

Thanks in advance, and I look forward to hearing from you.

Best Regards,

Kaushal
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Log ssh sessions using open source tools
Hi Kaushal,

I'm the author of ssh-mitm (https://github.com/jtesta/ssh-mitm),
which is a penetration testing tool for man-in-the-middling SSH connections.

If you can ARP spoof a client (or otherwise route connections for
them), and if they ignore the changed host-key warning, then you can
record the full connection stream. You will log their passwords as well
(it doesn't work for key authentication, though). Full SFTP traffic is
captured too.

It might be overkill for what you're trying to do, but I thought I'd
mention it.

- Joe

--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security


On 11/3/18 1:08 PM, Kaushal Shriyan wrote:
> Hi,
>
> Are there any open source tools to keep track of ssh sessions? For example,
> if a specific user is logging in via ssh to a remote server, what commands or
> scripts are being run? Basically, I need to log all users' sessions.
>
> Thanks in advance, and I look forward to hearing from you.
>
> Best Regards,
>
> Kaushal
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
Re: Log ssh sessions using open source tools
Well, one way might be to have strace active on the ssh process. You can only log program executions like this:

strace -f -p <pid of process> -v -e execve -o <logfile>

Though you'll need to know the parent/child relationships and user IDs, as well as file descriptors, so there should be fork, clone, open, close, openat, dup, dup2, setuid, seteuid, setreuid and perhaps a few others in the set of traced syscalls.

I guess that a "restricted shell" might be another way; or, if you have the cooperation of the users involved, a simple "force-command" involving script(1) might work as well.

If you are not sure about users' cooperation, you'll need some protected process - like the strace running as uid 0.
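An added example (not from the thread or from any poster) of how to turn such a trace into something reviewable: it takes the execve/clone/fork/setuid lines that strace -f writes, tracks parent/child relationships and the effective uid each process inherits or changes to, and attributes every successful exec to a pid chain. The trace lines below are constructed, not a real capture; the uid of the traced root process (sshd as uid 0) is an assumption passed as a parameter.

```python
"""Rebuild process tree, effective uid and exec history from output of
  strace -f -o <logfile> -e trace=execve,clone,clone3,fork,vfork,setuid,seteuid,setreuid,setresuid -p <sshd pid>
Added example; the trace below is constructed, not a real capture."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed trace: sshd (root) forks a session process, which drops to uid 1001
# and runs bash; bash forks sudo (which regains uid 0 before exec'ing systemctl),
# a child whose execve fails (must not be recorded), and a vfork'ed ls.
SAMPLE_TRACE = """\
4101  execve("/usr/sbin/sshd", ["sshd", "-R"], 0x55d0 /* 3 vars */) = 0
4101  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f0) = 4105
4105  setreuid(1001, 1001) = 0
4105  execve("/bin/bash", ["-bash"], 0x55d1 /* 20 vars */) = 0
4105  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1) = 4110
4110  execve("/usr/bin/sudo", ["sudo", "systemctl", "restart", "nginx"], 0x55d2 /* 20 vars */) = 0
4110  setuid(0) = 0
4110  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f2) = 4111
4111  execve("/usr/bin/systemctl", ["systemctl", "restart", "nginx"], 0x55d3 /* 15 vars */) = 0
4105  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3) = 4115
4115  execve("/usr/bin/curl", ["curl", "http://169.254.169.254/"], 0x55d4 /* 20 vars */) = -1 ENOENT (No such file or directory)
4105  vfork() = 4120
4120  execve("/usr/bin/ls", ["ls", "-la", "/root"], 0x55d5 /* 20 vars */) = 0
"""

# Successful execve only ("= 0"); a failed exec did not run anything.
EXEC_RE = re.compile(r'^(\d+)\s+execve\("([^"]*)", \[(.*?)\], .*\) = 0$')
# clone/fork/vfork return the child pid; also matches "<... clone resumed>" lines.
FORK_RE = re.compile(r'^(\d+)\s+(?:<\.\.\. )?(?:clone|clone3|fork|vfork)\b.*\) = (\d+)$')
UID_RE = re.compile(r'^(\d+)\s+(setuid|seteuid|setreuid|setresuid)\((-?\d+)(?:, (-?\d+))?(?:, (-?\d+))?\) = 0$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class Proc:
    pid: int
    parent: Optional[int]
    uid: Optional[int]                       # current effective uid, None if never observed
    execs: List[Tuple[str, List[str], Optional[int]]] = field(default_factory=list)


def build_tree(trace_lines, root_uid: int = 0) -> Dict[int, Proc]:
    procs: Dict[int, Proc] = {}

    def get(pid: int) -> Proc:
        if pid not in procs:
            # First sighting without a clone/fork: only the traced root gets the
            # assumed uid (sshd runs as root); anything else is marked unknown.
            procs[pid] = Proc(pid, None, root_uid if not procs else None)
        return procs[pid]

    for line in trace_lines:
        line = line.rstrip()
        m = FORK_RE.match(line)
        if m:
            parent = get(int(m.group(1)))
            child = int(m.group(2))
            procs[child] = Proc(child, parent.pid, parent.uid)   # child inherits euid at fork time
            continue
        m = UID_RE.match(line)
        if m:
            p = get(int(m.group(1)))
            call, a1 = m.group(2), int(m.group(3))
            a2 = int(m.group(4)) if m.group(4) is not None else -1
            new_euid = a1 if call in ("setuid", "seteuid") else a2   # setreuid/setresuid: 2nd arg is euid
            if new_euid != -1:                                        # -1 means "leave unchanged"
                p.uid = new_euid
            continue
        m = EXEC_RE.match(line)
        if m:
            p = get(int(m.group(1)))
            p.execs.append((m.group(2), ARG_RE.findall(m.group(3)), p.uid))
    return procs


def lineage(procs: Dict[int, Proc], pid: int) -> List[int]:
    """Pid chain from the traced root down to pid."""
    chain = []
    while pid is not None and pid in procs:
        chain.append(pid)
        pid = procs[pid].parent
    return list(reversed(chain))


def render(procs: Dict[int, Proc]) -> List[str]:
    """One line per successful exec: pid chain, euid at exec time, command."""
    out = []
    for pid in sorted(procs):
        for path, argv, uid in procs[pid].execs:
            chain = " <- ".join(str(p) for p in reversed(lineage(procs, pid)))
            out.append(f"{chain}  euid={'?' if uid is None else uid}  {' '.join(argv) or path}")
    return out


if __name__ == "__main__":
    for row in render(build_tree(SAMPLE_TRACE.splitlines())):
        print(row)
```

Note that the uid recorded with each exec is the one in force at exec time, so sudo itself shows up as euid 1001 while the systemctl it spawns shows euid 0; that transition is exactly what you want to be able to see in a review.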
Re: Log ssh sessions using open source tools
On Sat, 3 Nov 2018 at 20:12, Joseph S. Testa II
<jtesta@positronsecurity.com> wrote:
>
> Hi Kaushal,
>
> I'm the author of ssh-mitm (https://github.com/jtesta/ssh-mitm),
> which is a penetration testing tool for man-in-the-middling SSH connections.
>
> If you can ARP spoof a client (or otherwise route connections for
> them), and if they ignore the changed host-key warning, then you can
> record the full connection stream. You will log their passwords as well
> (it doesn't work for key authentication, though). Full SFTP traffic is
> captured too.
>
> It might be overkill for what you're trying to do, but I thought I'd
> mention it.
>
> - Joe
>
> --
> Joseph S. Testa II
> Founder & Principal Security Consultant
> Positron Security
>
>
> On 11/3/18 1:08 PM, Kaushal Shriyan wrote:
> > Hi,
> >
> > Are there any open source tools to keep track of ssh sessions? For example,
> > if a specific user is logging in via ssh to a remote server, what commands or
> > scripts are being run? Basically, I need to log all users' sessions.
> >
> > Thanks in advance, and I look forward to hearing from you.
> >
> > Best Regards,
> >
> > Kaushal

Normally the ssh daemon can log a lot of details of an ssh session,
like authentication type, source IP, user name, spawned shell and the
likes.

What you are talking about is shell-related and won't be logged by a
normal ssh daemon.
You'd have to spoof the pseudo-tty in order to record a full user tty
session, and this is thus off-topic here.

The MITM approach is something that surely works, at the price of
making ssh security and privacy more similar to those of telnet.
And the users will know you are eavesdropping on their sessions.

--
Vincenzo Romano - NotOrAnd.IT
Information Technologies
--
NON QVIETIS MARIBVS NAVTA PERITVS
Re: Log ssh sessions using open source tools
On Sat, 3 Nov 2018, Kaushal Shriyan wrote:

> Hi,
>
> Are there any open source tools to keep track of ssh sessions? For example,
> if a specific user is logging in via ssh to a remote server, what commands or
> scripts are being run? Basically, I need to log all users' sessions.

You should look at your operating system's audit functionality. E.g. Linux
has an audit system that can be configured to log all command executions
associated with a PTY (AFAIK).

-d
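As an added example (not from the thread), the audit rule such a setup would use and a parser for the records it produces: auditd writes a SYSCALL record, which carries auid (the login uid, which survives sudo), ses and tty, and a separate EXECVE record with the argv; both share one serial, and any argument containing a space, quote or control character arrives hex-encoded rather than quoted. The log lines are constructed; the rule key name pty_cmds is an assumption.

```python
"""Reassemble auditd execve events into attributed command lines.
Assumed rule (key name is an assumption):
  auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k pty_cmds
Added example over constructed audit.log lines."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List

# Constructed: 9001 = ls run by the ssh user on a pty with a hex-encoded argument;
# 9002 = systemctl under sudo (uid/euid 0, but auid still 1001, same ses);
# 9003 = a cron job (no tty, unset auid); 9004 = an EXECVE with its SYSCALL missing.
AUDIT_SAMPLE = """\
type=SYSCALL msg=audit(1541250542.118:9001): arch=c000003e syscall=59 success=yes exit=0 a0=55f0 a1=55f1 a2=55f2 a3=8 items=2 ppid=4105 pid=4120 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=12 comm="ls" exe="/usr/bin/ls" key="pty_cmds"
type=EXECVE msg=audit(1541250542.118:9001): argc=3 a0="ls" a1="-la" a2=2F746D702F6D7920646972
type=SYSCALL msg=audit(1541250560.301:9002): arch=c000003e syscall=59 success=yes exit=0 a0=55f3 a1=55f4 a2=55f5 a3=8 items=2 ppid=4110 pid=4111 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=12 comm="systemctl" exe="/usr/bin/systemctl" key="pty_cmds"
type=EXECVE msg=audit(1541250560.301:9002): argc=3 a0="systemctl" a1="restart" a2="nginx"
type=SYSCALL msg=audit(1541250600.000:9003): arch=c000003e syscall=59 success=yes exit=0 a0=55f6 a1=55f7 a2=55f8 a3=8 items=2 ppid=1 pid=4200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key=(null)
type=EXECVE msg=audit(1541250600.000:9003): argc=2 a0="logrotate" a1="/etc/logrotate.conf"
type=EXECVE msg=audit(1541250610.500:9004): argc=1 a0="id"
"""

REC_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
UNSET = "4294967295"   # auid/ses value for "not set" (no login session)


def parse_fields(body: str) -> Dict[str, str]:
    """'k=v k="v v"' -> dict; quotes are kept so callers can tell quoted from hex."""
    return dict(KV_RE.findall(body))


def unquote(v: str) -> str:
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v


def decode_arg(v: str) -> str:
    """EXECVE aN is quoted when printable; otherwise the kernel emits the raw
    bytes as uppercase hex. (Very long args split into aN[0], aN[1] chunks are
    not handled here.)"""
    if v.startswith('"'):
        return unquote(v)
    return bytes.fromhex(v).decode("utf-8", errors="replace")


@dataclass
class ExecEvent:
    ts: float
    serial: str
    auid: str     # login uid: who logged in, even after sudo/su
    uid: str
    euid: str
    ses: str      # login session id, constant for the whole ssh session
    tty: str
    ppid: str
    pid: str
    exe: str
    argv: List[str]

    @property
    def cmdline(self) -> str:
        return " ".join(shlex.quote(a) for a in self.argv)


def reconstruct(lines, only_pty: bool = True) -> List[ExecEvent]:
    """Join SYSCALL and EXECVE records by serial; optionally keep only
    interactive (tty-attached, logged-in) executions, mirroring the rule."""
    events: Dict[str, dict] = {}
    for line in lines:
        m = REC_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"ts": float(ts)})
        if rtype == "SYSCALL":
            ev["syscall"] = {k: unquote(v) for k, v in parse_fields(body).items()}
        elif rtype == "EXECVE":
            fields = parse_fields(body)
            ev["argv"] = [decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"]))]

    out: List[ExecEvent] = []
    for serial, ev in sorted(events.items(), key=lambda kv: kv[1]["ts"]):
        sc, argv = ev.get("syscall"), ev.get("argv")
        if sc is None or argv is None:          # half an event: cannot attribute it
            continue
        if only_pty and (sc.get("tty", "(none)") == "(none)" or sc.get("auid") == UNSET):
            continue
        out.append(ExecEvent(ev["ts"], serial, sc.get("auid", ""), sc.get("uid", ""),
                             sc.get("euid", ""), sc.get("ses", ""), sc.get("tty", ""),
                             sc.get("ppid", ""), sc.get("pid", ""), sc.get("exe", ""), argv))
    return out


if __name__ == "__main__":
    for e in reconstruct(AUDIT_SAMPLE.splitlines()):
        print(f"{e.ts:.3f} ses={e.ses} auid={e.auid} euid={e.euid} {e.tty} pid={e.pid}: {e.cmdline}")
```

The auid/ses pair is what makes this usable for "what did user X do in that session": it stays 1001/12 across the sudo boundary while uid and euid become 0, and `ausearch -k pty_cmds --session 12` gives the same view from the command line.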
Re: Log ssh sessions using open source tools
On 11/03/2018 06:08 PM, Kaushal Shriyan wrote:
> Are there any open source tools to keep track of ssh sessions? For example,
> if a specific user is logging in via ssh to a remote server, what commands or
> scripts are being run? Basically, I need to log all users' sessions.

Which part of the remote connection is the one you need audited? The
system(s) your users are ssh'ing *out* of, or rather the users themselves
("we need to review what our staff did to whatever customer system they
did support on"), the ones they're ssh'ing *into*, or just some subset
("privileged commands") of the activity on the latter?

For the last case, the use of individual accounts, "sudo", suitable
configurations(*), and the "sudoreplay" tool might give you out of the
box what OpenSSH alone would need to be heavily modified to do.

(*) Namely, making sshd log enough information to identify the incoming
users and making sudo use an I/O logging plugin.

https://www.sudo.ws/man/1.8.25/sudoers.man.html#I/O_LOG_FILES

Regards,
--
Jochen Bern
Systemingenieur

www.binect.de
www.facebook.de/binect
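An added example (not from the thread) of the correlation step that footnote asks for: sshd's "Accepted ..." and "Disconnected from user ..." lines identify the incoming user, source address and, for key logins, the key type and fingerprint; sudo's syslog lines carry TSID=... once log_input/log_output is enabled, and that TSID is the argument sudoreplay takes. The log lines below are constructed.

```python
"""Attribute each sudo invocation (and its sudoreplay TSID) to the ssh login
that produced it, from sshd auth log lines and sudo syslog lines.
Added example over constructed log lines."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed: a cron-driven sudo with no ssh session, a key-based login that runs
# two I/O-logged sudo commands and disconnects, then a password login whose sudo
# attempt is refused (refusals carry no TSID).
SAMPLE_LOG = """\
Nov  3 13:05:00 bastion sudo:   backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync -a /srv /backup
Nov  3 13:08:41 bastion sshd[4101]: Accepted publickey for kaushal from 203.0.113.7 port 50122 ssh2: ED25519 SHA256:EXAMPLEfingerprintAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Nov  3 13:08:41 bastion sshd[4101]: pam_unix(sshd:session): session opened for user kaushal by (uid=0)
Nov  3 13:09:02 bastion sudo:  kaushal : TTY=pts/0 ; PWD=/home/kaushal ; USER=root ; TSID=000001 ; COMMAND=/usr/bin/systemctl restart nginx
Nov  3 13:09:30 bastion sudo:  kaushal : TTY=pts/0 ; PWD=/home/kaushal ; USER=root ; TSID=000002 ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Nov  3 13:10:05 bastion sshd[4101]: Disconnected from user kaushal 203.0.113.7 port 50122
Nov  3 13:12:00 bastion sshd[4210]: Accepted password for deploy from 198.51.100.22 port 40010 ssh2
Nov  3 13:12:40 bastion sudo:   deploy : command not allowed ; TTY=pts/1 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

ACCEPT_RE = re.compile(r'sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port (\d+) ssh2(?:: (\S+) (\S+))?\s*$')
DISC_RE = re.compile(r'sshd\[(\d+)\]: Disconnected from user (\S+) (\S+) port (\d+)')
# Refusals insert a reason ("command not allowed ; ") before TTY=; TSID is present
# only when the command ran with I/O logging on.
SUDO_RE = re.compile(r' sudo:\s+(\S+) : (.*?)TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; (?:TSID=(\S+) ; )?COMMAND=(.*)$')


@dataclass
class SudoCmd:
    ts: str
    tty: str
    runas: str
    command: str
    tsid: Optional[str]      # `sudoreplay <tsid>` replays the session
    reason: str              # "allowed" or sudo's refusal text


@dataclass
class SshSession:
    pid: int
    user: str
    src_ip: str
    src_port: int
    method: str
    key_type: Optional[str]
    fingerprint: Optional[str]
    opened: str
    closed: Optional[str] = None
    commands: List[SudoCmd] = field(default_factory=list)


def correlate(lines) -> Tuple[List[SshSession], List[SudoCmd]]:
    sessions: Dict[int, SshSession] = {}
    unattributed: List[SudoCmd] = []
    for line in lines:
        ts = line[:15]                       # syslog timestamp, e.g. "Nov  3 13:08:41"
        m = ACCEPT_RE.search(line)
        if m:
            pid = int(m.group(1))
            sessions[pid] = SshSession(pid, m.group(3), m.group(4), int(m.group(5)),
                                       m.group(2), m.group(6), m.group(7), ts)
            continue
        m = DISC_RE.search(line)
        if m and int(m.group(1)) in sessions:
            sessions[int(m.group(1))].closed = ts
            continue
        m = SUDO_RE.search(line)
        if m:
            user, reason, tty, _pwd, runas, tsid, command = m.groups()
            cmd = SudoCmd(ts, tty, runas, command, tsid, reason.rstrip(" ;") or "allowed")
            # sshd does not log which pts it allocated, so with several concurrent
            # sessions of one user this picks the most recently opened one; the
            # pam "session opened" line or loginctl would be needed for exactness.
            open_for_user = [s for s in sessions.values() if s.user == user and s.closed is None]
            if open_for_user:
                open_for_user[-1].commands.append(cmd)
            else:
                unattributed.append(cmd)
    return list(sessions.values()), unattributed


def report(sessions: List[SshSession], unattributed: List[SudoCmd]) -> List[str]:
    rows = []
    for s in sessions:
        who = f"{s.user} from {s.src_ip}:{s.src_port} via {s.method}"
        if s.fingerprint:
            who += f" ({s.key_type} {s.fingerprint})"
        rows.append(f"sshd[{s.pid}] {s.opened} .. {s.closed or 'still open'}: {who}")
        for c in s.commands:
            replay = f"sudoreplay {c.tsid}" if c.tsid else "no I/O log"
            rows.append(f"    {c.ts} {c.tty} -> {c.runas}: {c.command} [{c.reason}; {replay}]")
    for c in unattributed:
        rows.append(f"unattributed sudo (no matching ssh login): {c.command}")
    return rows


if __name__ == "__main__":
    print("\n".join(report(*correlate(SAMPLE_LOG.splitlines()))))
```

Two things this shows that sudoreplay alone does not: a password login produces no fingerprint, so the "which credential" question has no answer for it, and a refused command leaves a syslog line but no replayable I/O log.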
Re: Log ssh sessions using open source tools
Hi,

Did you check out log-user-session [1]? It can be used to record the
output of ssh shell sessions in a tamper-proof way. And it is open source.

Cheers

Konrad

[1] https://github.com/open-ch/log-user-session


On 03.11.18 at 18:08, Kaushal Shriyan wrote:
> Hi,
>
> Are there any open source tools to keep track of ssh sessions? For example,
> if a specific user is logging in via ssh to a remote server, what commands or
> scripts are being run? Basically, I need to log all users' sessions.
>
> Thanks in advance, and I look forward to hearing from you.
>
> Best Regards,
>
> Kaushal
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
konrad bucheli
principal systems engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich

t: +41 58 100 10 10
f: +41 58 100 10 11
kb@open.ch

http://www.open.ch
Re: Log ssh sessions using open source tools
Hello,

Konrad Bucheli writes:
> Hi,
>
> Did you check out log-user-session [1]? It can be used to record
> the output of ssh shell sessions in a tamper-proof way. And
> it is open source.
> ...
> [1] https://github.com/open-ch/log-user-session

Well, using a SUID-binary in that way partially eliminates the
benefits of tamper-proof logging by increasing the attack surface,
e.g. by allowing each user to create arbitrary files using directory
traversal and symlink attacks, e.g. by calling

SSH_CLIENT="169.254.0.1/../../../../tmp/ 1234 22" /usr/local/bin/log-user-session 'echo "* * * * * root /usr/bin/touch /dead.txt"'

to start the directory traversal and lead to the problematic open
missing O_NOFOLLOW

5885 openat(AT_FDCWD, "/var/log/user-session/localhost-build-20181122-140817-169.254.0.1/../../../../tmp/-5883.log", O_WRONLY|O_CREAT|O_APPEND, 0400) = 3

Without symlink protection, linking the "-[guessable pid].log" file
to "/etc/cron.d/dead" will give you root easily. Even with protection,
something should be possible ...



I am currently also writing a tool for a similar reason. To be
really tamper-proof, my solution is preloaded into SSH to intercept
the encryption master key for each session, sends it to a daemon,
that will use a public key to encrypt it and offload it to another
machine. Together with the full-packet-captures of all SSH connections
done by the network infrastructure, I would hope for a tamper-proof
but still secure solution BUT (ha, ha, ha) - it is not ready yet.

Best regards,
hd

> On 03.11.18 at 18:08, Kaushal Shriyan wrote:
>> Hi,
>>
>> Are there any open source tools to keep track of ssh sessions?
>> For example, if a specific user is logging in via ssh to a remote
>> server, what commands or scripts are being run? Basically, I need
>> to log all users' sessions.
>>
>> Thanks in advance, and I look forward to hearing from you.
>>
>> Best Regards,
>>
>> Kaushal _______________________________________________
>> openssh-unix-dev mailing list openssh-unix-dev@mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>
> -- konrad bucheli principal systems engineer
>
> open systems ag raeffelstrasse 29 ch-8045 zurich
>
> t: +41 58 100 10 10 f: +41 58 100 10 11 kb@open.ch
>
> http://www.open.ch


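An added example, not the log-user-session code and making no claim about how its author addressed the report, of the two defences a privileged log writer needs against what is described above: parse SSH_CLIENT strictly so a traversal string is rejected instead of becoming path components, and create the log with O_CREAT|O_EXCL (plus O_NOFOLLOW, relative to a trusted directory fd) so a symlink pre-planted at a guessable name fails with EEXIST rather than being followed. The log directory layout and file name scheme are assumptions; the self-check runs entirely in a scratch directory.

```python
"""Hardened per-session log file creation for a SUID/privileged logger.
Added example; not the log-user-session implementation. Paths and the
file-name scheme are assumptions."""
import ipaddress
import os
import re
import tempfile
import time


def client_ip_from_env(ssh_client):
    """SSH_CLIENT is 'addr port serverport'. sshd sets it, but a SUID helper
    cannot trust its caller's environment: parse the address strictly so that
    '169.254.0.1/../../tmp/' is a ValueError, never a path component."""
    parts = (ssh_client or "").split()
    if len(parts) != 3 or not parts[1].isdigit() or not parts[2].isdigit():
        raise ValueError("SSH_CLIENT is not 'addr port port'")
    return str(ipaddress.ip_address(parts[0]))   # ValueError on anything but a bare address


def log_file_name(hostname, client_ip, pid, now=None):
    """File name from vetted components only; the safelist on the hostname keeps
    '/' and '..' out even if gethostname() returned something odd."""
    safe_host = re.sub(r"[^A-Za-z0-9_.-]", "_", hostname)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(time.time() if now is None else now))
    return f"{safe_host}-{stamp}-{client_ip}-{int(pid)}.log"


def open_session_log(log_dir, name):
    """openat() relative to a trusted directory fd. O_CREAT|O_EXCL fails with
    EEXIST if the name exists in any form, including as a symlink, so a
    predictable name planted in advance cannot redirect the write; O_NOFOLLOW
    is belt-and-braces. Returns a writable fd to a 0400 file."""
    if "/" in name or name in (".", ".."):
        raise ValueError("log name must be a single path component")
    dir_fd = os.open(log_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW | os.O_APPEND
        return os.open(name, flags, 0o400, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def selfcheck():
    """Exercise both defences in a scratch directory and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")                # stands in for /etc/cron.d/dead
        open(victim, "w").close()
        guessable = log_file_name("build", "169.254.0.1", 5883, now=0)
        os.symlink(victim, os.path.join(d, guessable))    # attacker pre-plants the predictable name
        try:
            os.close(open_session_log(d, guessable))
            results["symlink"] = "followed"
        except FileExistsError:
            results["symlink"] = "refused"
        results["victim_size"] = os.path.getsize(victim)  # must still be 0
        try:
            client_ip_from_env("169.254.0.1/../../../../tmp/ 1234 22")
            results["traversal"] = "accepted"
        except ValueError:
            results["traversal"] = "rejected"
        results["ip4"] = client_ip_from_env("169.254.0.1 1234 22")
        results["ip6"] = client_ip_from_env("2001:db8::7 1234 22")
        name = log_file_name("build", results["ip4"], 5884, now=0)
        fd = open_session_log(d, name)
        os.write(fd, b"session data\n")
        os.close(fd)
        with open(os.path.join(d, name), "rb") as f:
            results["written"] = f.read()
    return results


if __name__ == "__main__":
    for k, v in selfcheck().items():
        print(f"{k}: {v!r}")
```

O_EXCL is the part that matters most here: with it, the race on a guessable name is closed regardless of whether fs.protected_symlinks is on, whereas O_NOFOLLOW alone would still let the attacker pre-create a regular file and have the session text appended to it.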
Re: Log ssh sessions using open source tools
Hi

Thank you for the audit.
This issue has been rectified in the release v0.8.

Regards

Konrad

On 22.11.18 15:38, halfdog wrote:
> Hello,
>
> Konrad Bucheli writes:
>> Hi,
>>
>> Did you check out log-user-session [1]? It can be used to record
>> the output of ssh shell sessions in a tamper-proof way. And
>> it is open source.
>> ...
>> [1] https://github.com/open-ch/log-user-session
>
> Well, using a SUID-binary in that way partially eliminates the
> benefits of tamper-proof logging by increasing the attack surface,
> e.g. by allowing each user to create arbitrary files using directory
> traversal and symlink attacks, e.g. by calling
>
> SSH_CLIENT="169.254.0.1/../../../../tmp/ 1234 22" /usr/local/bin/log-user-session 'echo "* * * * * root /usr/bin/touch /dead.txt"'
>
> to start the directory traversal and lead to the problematic open
> missing O_NOFOLLOW
>
> 5885 openat(AT_FDCWD, "/var/log/user-session/localhost-build-20181122-140817-169.254.0.1/../../../../tmp/-5883.log", O_WRONLY|O_CREAT|O_APPEND, 0400) = 3
>
> Without symlink protection, linking the "-[guessable pid].log" file
> to "/etc/cron.d/dead" will give you root easily. Even with protection,
> something should be possible ...
>
>
>
> I am currently also writing a tool for a similar reason. To be
> really tamper-proof, my solution is preloaded into SSH to intercept
> the encryption master key for each session, sends it to a daemon,
> that will use a public key to encrypt it and offload it to another
> machine. Together with the full-packet-captures of all SSH connections
> done by the network infrastructure, I would hope for a tamper-proof
> but still secure solution BUT (ha, ha, ha) - it is not ready yet.
>
> Best regards,
> hd
>
>> On 03.11.18 at 18:08, Kaushal Shriyan wrote:
>>> Hi,
>>>
>>> Are there any open source tools to keep track of ssh sessions?
>>> For example, if a specific user is logging in via ssh to a remote
>>> server, what commands or scripts are being run? Basically, I need
>>> to log all users' sessions.
>>>
>>> Thanks in advance, and I look forward to hearing from you.
>>>
>>> Best Regards,
>>>
>>> Kaushal _______________________________________________
>>> openssh-unix-dev mailing list openssh-unix-dev@mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>
>> -- konrad bucheli principal systems engineer
>>
>> open systems ag raeffelstrasse 29 ch-8045 zurich
>>
>> t: +41 58 100 10 10 f: +41 58 100 10 11 kb@open.ch
>>
>> http://www.open.ch
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
konrad bucheli
principal systems engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich

t: +41 58 100 10 10
f: +41 58 100 10 11
kb@open.ch

http://www.open.ch