SSH Tunnel logging
From: Gareth Bromley (gbromley_at_intstar.com)
Date: 04/16/04
Date: Fri, 16 Apr 2004 09:30:54 +0100 (BST)
To: secureshell@securityfocus.com
As subject:
I was going through some audits of systems that operation staff use for
SSH tunneling into a corp a few days ago, and was sure that you could get
out of the logs:
- Who logged on (yes easy)
- Where from (yes easy)
- What tunnels they created in the SSH tunnel
It's the last one that threw me, as I was under the impression that
FascistLogging yes or LogLevel DEBUG did this; however, testing at home
revealed nothing obvious (I'm sure I'm in 'dime bar' mode and have missed
something). Anyone else doing this (especially with priv separation and
correlating activity)?
Did this feature get removed in OpenSSH? If so, how are other people
auditing tunnel setup by staff?
Logs I'm getting are (using LogLevel DEBUG):
Apr 14 19:32:20 sshgw0 sshd[28070]: Connection from 10.152.0.198 port 1884
Apr 14 19:32:20 sshgw0 sshd[28065]: debug1: Forked child 28070.
Apr 14 19:32:20 sshgw0 sshd[28070]: debug1: Client protocol version 2.0; client software version PuTTY-Release-0.53b
Apr 14 19:32:20 sshgw0 sshd[28070]: debug1: no match: PuTTY-Release-0.53b
Apr 14 19:32:20 sshgw0 sshd[28070]: debug1: Enabling compatibility mode for protocol 2.0
Apr 14 19:32:20 sshgw0 sshd[28070]: debug1: Local version string SSH-2.0-OpenSSH_3.5p1
Apr 14 19:32:22 sshgw0 sshd[28070]: debug1: Starting up PAM with username "opuserA"
Apr 14 19:32:22 sshgw0 sshd[28070]: debug1: PAM setting rhost to "10.152.0.198"
Apr 14 19:32:22 sshgw0 sshd[28070]: debug1: temporarily_use_uid: 500/500 (e=0/0)
Apr 14 19:32:22 sshgw0 sshd[28070]: debug1: trying public key file /home/opuserA/.ssh/authorized_keys
Apr 14 19:32:22 sshgw0 sshd[28070]: debug1: matching key found: file /home/opuserA/.ssh/authorized_keys, line 1
Apr 14 19:32:22 sshgw0 sshd[28070]: Found matching DSA key: 35:06:7d:cb:18:74:e0:48:a1:78:a2:31:65:47:35:2d
Apr 14 19:32:22 sshgw0 sshd[28070]: debug1: restore_uid: 0/0
Apr 14 19:32:23 sshgw0 sshd[28070]: debug1: temporarily_use_uid: 500/500 (e=0/0)
Apr 14 19:32:23 sshgw0 sshd[28070]: debug1: trying public key file /home/opuserA/.ssh/authorized_keys
Apr 14 19:32:23 sshgw0 sshd[28070]: debug1: matching key found: file /home/opuserA/.ssh/authorized_keys, line 1
Apr 14 19:32:23 sshgw0 sshd[28070]: Found matching DSA key: 35:06:7d:cb:18:74:e0:48:a1:78:a2:31:65:47:35:2d
Apr 14 19:32:23 sshgw0 sshd[28070]: debug1: restore_uid: 0/0
Apr 14 19:32:23 sshgw0 sshd[28070]: debug1: ssh_dss_verify: signature correct
Apr 14 19:32:23 sshgw0 sshd[28070]: Accepted publickey for opuserA from 10.152.0.198 port 1884 ssh2
Apr 14 19:32:23 sshgw0 sshd[28070]: debug1: monitor_child_preauth: opuserA has been authenticated by privileged process
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: PAM establishing creds
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: permanently_set_uid: 500/500
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: newkeys: mode 0
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: newkeys: mode 1
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: Entering interactive session for SSH2.
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: fd 5 setting O_NONBLOCK
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: fd 6 setting O_NONBLOCK
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: server_init_dispatch_20
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: input_session_request
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: channel 0: new [server-session]
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: session_new: init
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: session_new: session 0
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: session_open: channel 0
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: session_open: session 0: link with channel 0
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: server_input_channel_open: confirm session
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: server_input_channel_req: channel 0 request pty-req reply 1
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: session_by_channel: session 0 channel 0
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: session_input_channel_req: session 0 req pty-req
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: Allocating pty.
Apr 14 19:32:23 sshgw0 sshd[28070]: debug1: session_new: init
Apr 14 19:32:23 sshgw0 sshd[28070]: debug1: session_new: session 0
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: session_pty_req: session 0 alloc /dev/pts/2
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: server_input_channel_req: channel 0 request shell reply 1
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: session_by_channel: session 0 channel 0
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: session_input_channel_req: session 0 req shell
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: PAM setting tty to "/dev/pts/2"
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: PAM establishing creds
Apr 14 19:32:23 sshgw0 sshd[28073]: debug1: Setting controlling tty using TIOCSCTTY.
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: fd 4 setting TCP_NODELAY
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: channel 0: rfd 8 isatty
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: fd 8 setting O_NONBLOCK
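An added example, not part of Gareth's post: the log above shows that at LogLevel DEBUG sshd records every channel the client opens as a "server_input_channel_open: ctype ..." line, so a tunnel shows up as ctype direct-tcpip or forwarded-tcpip rather than session. The script below pulls those lines out of a constructed sample in the same format and attributes them to the "Accepted ... for USER from IP" login; the server_request_direct_tcpip line format and the login-to-channel correlation heuristic are assumptions to check against the sshd version in use.

```python
import re

# Constructed sample in the style of the debug1 lines in the post (not copied from it):
# one publickey login, then a session channel and a direct-tcpip (ssh -L) channel.
# The server_request_direct_tcpip line format is an assumption; check it against the
# sshd version actually deployed.
SAMPLE_LOG = """\
Apr 14 19:32:20 sshgw0 sshd[28070]: Connection from 10.152.0.198 port 1884
Apr 14 19:32:23 sshgw0 sshd[28070]: Accepted publickey for opuserA from 10.152.0.198 port 1884 ssh2
Apr 14 19:32:23 sshgw0 sshd[28072]: debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
Apr 14 19:32:41 sshgw0 sshd[28072]: debug1: server_input_channel_open: ctype direct-tcpip rchan 257 win 16384 max 16384
Apr 14 19:32:41 sshgw0 sshd[28072]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 1900, target 10.0.5.20 port 3389
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
CTYPE_RE = re.compile(r"server_input_channel_open: ctype (?P<ctype>\S+)")
TARGET_RE = re.compile(r"server_request_direct_tcpip: originator \S+ port \d+, target (?P<tip>\S+) port (?P<tport>\d+)")
TUNNEL_CTYPES = {"direct-tcpip", "forwarded-tcpip"}   # -L/-D style and -R style channels

def tunnel_events(log_text):
    """Return one dict per tunnel channel: who (user@ip), when, channel type, target if logged.

    With privilege separation the 'Accepted' line is logged by the monitor pid (28070 in
    the post) and channel opens by the unprivileged child (28072), so the pids differ.
    This attributes a channel to the most recent Accepted login on the same host: a
    heuristic that is fine for a lightly used gateway but should be cross-checked on
    busy hosts, where logins from several pids interleave.
    """
    last_login = {}      # host -> (user, ip, auth_pid)
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, pid, msg = m["host"], int(m["pid"]), m["msg"]
        if (a := ACCEPT_RE.match(msg)):
            last_login[host] = (a["user"], a["ip"], pid)
            continue
        if (c := CTYPE_RE.search(msg)) and c["ctype"] in TUNNEL_CTYPES:
            user, ip, auth_pid = last_login.get(host, ("?", "?", None))
            events.append({"ts": m["ts"], "host": host, "user": user, "from": ip,
                           "auth_pid": auth_pid, "session_pid": pid,
                           "ctype": c["ctype"], "target": None})
            continue
        # The target line follows the channel open in the same (unprivileged) pid.
        if (t := TARGET_RE.search(msg)) and events and events[-1]["session_pid"] == pid:
            events[-1]["target"] = f'{t["tip"]}:{t["tport"]}'
    return events

if __name__ == "__main__":
    for e in tunnel_events(SAMPLE_LOG):
        print(f'{e["ts"]} {e["host"]} {e["user"]}@{e["from"]} {e["ctype"]} -> {e["target"]}')
```

Running it over a whole day of sshd DEBUG output gives one line per forwarded channel with the login it belongs to, which is the audit record the post is after; the session-channel lines are deliberately ignored.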