Home / server / Questions / 12419
Accepted
Richard
Asked: 2009-05-27 15:18:09 +0800 CST

Monitor an incoming SSH session in real time

  • 772

Is there any linux software to monitor an incoming ssh session. At a previous job I was told that if you ever needed support from Red Hat for example you could have them SSH into your machine and you could watch what they were doing.

I'm in a similar situation where I want to ssh into my friends machine to help him out but I want him to be able to watch what I'm doing for educational purposes and to ensure I don't do anything malicious.

Any suggestions?

Thanks

linux security monitoring ssh

7 Answers

  1. Best Answer

    GNU Screen has this ability, you could allow a specific shell user to only operate through screen.

    https://www.linux.com/training-tutorials/using-screen-remote-interaction/

    • 15

  2. I think screen is what you're after, but if you don't want to sit there watching, and want to "video" a user's session, you can look at sudo shell.

    If you set the user up with this as their shell, you can have a complete recording of everything that occurred, and you can the "replay" it back, and watch it when/if you need to.

    The only possible downside to this is that the logs can grow very large, for example if they run a command like find /, you will have all that recorded too - so you'll probably have to pick which accounts to enable it for rather than doing it globally.

    As for allowing vendors login access, this is probably perfect, because you have a complete audit trail of everything they did, everything (even backspacing) is recorded and stored for replay.

    log_output is your recorder option for sudoers, and sudoreplay(8) is your player.

    As per the sudoers man page:

    log_output: If set, sudo will run the command in a pseudo tty and log all output that is sent to the screen, similar to the script(1) command. If the standard output or standard error is not connected to the user's tty, due to I/O redirection or because the command is part of a pipeline, that output is also captured and stored in separate log files.

    In sudoers file, you would put something like this:

    User_Alias SHELL_ACCOUNTS = root,jack
Defaults: SHELL_ACCOUNTS log_output

    Or for group-based logging

    Defaults:%shellusers log_output

    See http://www.gratisoft.us/sudo/sudoers.man.html for details.

    • 4
    • 2

  4. I use whowatch on my server.

    apt-get install whowatch
    • 2

  5. You can use script command. Build a line in .login or .profile of the user whose ssh session you want to monitor. When he logs in a script / log is generated of his I/O which gives you commands run and the output of those commands. In real time you can just tail the script and watch what the user does in real time.

    Unable to paste a link for your referrance but you can just google on the command " script " and you will get the referrances.

    • 2

  6. You can use kibitz. Quoting from the man page:

    kibitz allows two (or more) people to interact with one shell (or any arbitrary program).

    On Fedora, it's included in the expect package.

    • 1

  7. screen or tmux .

    tmux sharing is a little easier.

    • 0