Questions[tty](server)

Currently, we use Snoopy to monitor all commands issued by users on some externally accessible servers. We're in the process of updating everything to RHEL8 to ensure supportability and compliance, and discovered that my beloved Snoopy is no longer maintained. So it won't pass the compliance audit and needs to be replaced.

I looked into using auditd to do it, by enabling "pam_tty_audit.so" in system-auth and password-auth. This did the trick, but the output is, well let's just say it's less then desirable. Not to mention basically unreadable.

I tried setting-up /etc/profile to log by adding this...

function log2syslog
{
   declare COMMAND
   COMMAND=$(fc -ln -0)
   logger -p local1.notice -t bash -i -- "${USER}:${COMMAND}"
}
trap log2syslog DEBUG

And adding this to /etc/rsyslog.conf

local1.* -/var/log/cmdline

It works GREAT! But the solution was declined because it can be overridden by users.

I even tried using rootsh as a shell for users and logging that. Logs well, but there's no time/date stamps on it. So not acceptable.

So back to the question at hand. I need a replacement for Snoopy, that logs EVERY command executed, in a readable format with time/stamps, that users cannot override.

Any thoughts?

I have some Juniper SSG firewalls which I need to manage, and I'd like to be able to send commands to them from some monitoring scripts. I configured SSH access using public keys, and I'm able to automatically login to the firewalls.

When I run SSH interactively, everything works fine:

$ssh <firewall IP>
FIREWALL-> <command>
<command output>
FIREWALL-> exit
Connection to <firewall IP> closed.
$

But when I try to run the command from the command line, it doesn't work:

$ssh <firewall IP> <command>
$

This, of course, works fine when sending a command to a remote Linux box:

$ssh <linux box IP> <command>
<command output>
$

Why is this happening? What is the difference between running SSH interactively and specifying the command to run on the SSH command line?

Update:

It also works fine with a Cisco router. Only these Juniper firewalls seem to behave this way.

From the debug output from SSH, it looks like the connection gets established correctly, but the Juniper box replies with an EOF when sending the command, while instead the Linux box replies with the actual command output:

Linux:

debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending command: uptime
debug2: channel 0: request exec confirm 0
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
 16:44:44 up 25 days,  1:06,  3 users,  load average: 0.08, 0.02, 0.01
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0

Juniper:

debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug1: Sending command: get system
debug2: channel 0: request exec confirm 0
debug2: callback done
debug2: channel 0: open confirm rwindow 2048 rmax 1024
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1

The situation is as follows.

I have a multiuser desktop machine with Debian Linux 6.0 and an ATI videocard with one monitor connected. I have root access to it. There can be several KDE sessions started, like this:

$ w
 21:51:30 up ? days,  4:22,  ? users,  load average: 1.72, 1.68, 1.67
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
u1       pts/0    :0               Sat18    4days  0.00s 11.68s kdeinit4: kded4 [kdeinit]                      
u2       pts/5    :1               Mon17    2days  0.00s  6.65s kdeinit4: kded4 [kdeinit]                      

So, two virtual terminals are in use, tty7 and tty8:

$ ps aux|grep /usr/bin/[X]
root      2944  3.1 12.4 670040 1019904 tty7   Ss+  Aug27 187:52 /usr/bin/X :0 vt7 -br -nolisten tcp -auth /var/run/xauth/A:0-??????
root      5507  0.9  3.7 425136 309676 tty8    Ss+  Aug29  29:38 /usr/bin/X :1 vt8 -br -nolisten tcp -auth /var/run/xauth/A:1-??????

But of course only one of them is active at any given moment, i.e. displayed on the monitor. Someone sitting at the keyboard can switch between them using Ctrl+Alt+F[78]

So, I connect via ssh from a remote host. I need to know which X DISPLAY is active now. Is it possible? I have googled all over the place and can't find the answer.

I am trying to connect to my server using

ssh [email protected] -vv

I get

debug1: read_passphrase: can't open /dev/tty: No such device or address

error or just

Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).

when I do not use the -vv option.

/dev/tty file does exist. I am logged in as root, so I have access to it. tty command returns

/dev/console

I am remotely connected (using Putty) to the server, and I am trying to connect to that from another server. It is not a cron job. How can I solve the problem?

I want to be able to launch screen sessions on remote servers from a single ssh command on my desktop. However, screen seems to need a terminal, which is not available when running a command through ssh.

So the obvious

ssh [email protected] screen "tail -f /var/log/messages"

(as an example) does not work, and gives

Must be connected to a terminal.

I want ssh to launch the command under a screen so I can log in later and attach as I would to a screen session I would have launched manually.