This time, a nice administrator tool called TTYSNOOP: it lets you watch what other people are doing in other terminals. Useful for security people.
Steps:
1) Download openssh from http://openbsd.md5.com.ar/pub/OpenBSD/OpenSSH/portable/
wget http://openbsd.md5.com.ar/pub/OpenBSD/OpenSSH/portable/openssh-4.6p1.tar.gz
2) Uncompress it
tar zxvf openssh-4.6p1.tar.gz
3) Compile it. You have to set the "login" program that sshd has to use!
cd openssh-4.6p1
export LOGIN_PROGRAM="/sbin/foo_login"
./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check --with-pam --with-tcp-wrappers
make
make install
4) Modify the sshd_config file (it should be at /etc/ssh/sshd_config) and set these options:
PasswordAuthentication yes
UseLogin yes
Compile ttysnoop
5) Download ttysnoop from http://freshmeat.net/redir/ttysnoop26/
wget http://freshmeat.net/redir/ttysnoop26/50871/url_tgz/ttysnoop-0.12d.k26.tar.gz
6) tar xzvf ttysnoop-0.12d.k26.tar.gz
7) cd ttysnoop-0.12d.k26
8) make
9) make install
10) Copy the new login from ttysnoop:
cp ttysnoops /sbin/foo_login
11) This directory is not created by the install, so create it yourself:
mkdir /var/spool/ttysnoop
12) Copy snooptab.dist to /etc:
cp snooptab.dist /etc/snooptab
13) Edit /etc/snooptab
Comment all lines except:
* socket login /bin/login
Now you can use it. First find the terminal the user is logged in on:
# w
wlamagna pts/1 192.168.2.20 16:51 0.00s 1:42 0.01s login -- wlamagna
In another terminal, type this to snoop on terminal 1 (pts/1):
# ttysnoop 1
Now you are ready to use ttysnoop :-) Please leave your comment with experiences.
10 comments:
Hi there
Nice how-to. Thx for this.
It works really great, even if the user starts vim or other programs that manipulate the screen (or its size).
Is it possible to auto-start logging when a user logs in with ssh? How would you do this? Change the C-Code of ttysnoops?
I also want to restrict some (bash built-in) commands in a chroot environment like "w" or "ps". Do you think, modifying the ttysnoops code is the right way to do this?
Regards
Matt
Hi Matt. To auto start logging you can create a daemon that listens to some signal, for example SIGALRM. When ttysnoops loads, you can send the signal SIGALRM to the daemon, and the daemon executes the command "ttysnoop [terminal] > /tmp/bigbrother.out".
To disable "w" or "ps", you will have to play with the permissions of the files. I recommend you to create a special group for the jail and put these permissions to /usr/bin/w:
-r-xr-x--- (chmod 555 /usr/bin/w). Then chgroup the "w" binary to a group that you will give the users that should be able to run that command.
Good luck.
Walter
Hi Walter
I think it's a good idea to start with a second daemon and the signal. Thank you for this hint.
Disabling the commands mentioned above worked as expected. I hope I didn't break some crons by doing this ;)
Cheers
Matt
There is also the option to move /bin/login to /bin/login.real and replace /bin/login with ttysnoops.
In this case no sshd recompilation is needed.
janis
Janis is incorrect. That's a great way to make your system crash and not allow anyone to login.
Well, actually, it is correct. You can do this without crashing your system. Being unable to do one thing does not mean it is not feasible. Google on my friend.
I just tried Janis' suggestion and it broke the ssh access. Recompiling sshd doesn't seem exactly risk free though.
Adrian.
I tried Janis' trick and had a big scare, but I got my box back with:
ssh root@server "cp -f /bin/login.real /bin/login"
Why recompile sshd when recompiling ttysnoop is so much simpler: http://nuerd.blogspot.tw/2012/07/how-to-install-ttysnoop-with-ssh.html
Thanks for sharing.