I've got a bit of a puzzler - I am an administrator on both a Windows 10 and a Mac Catalina machine.
The Windows machine is currently running software that has a known bug: SSH commands are sent to a Mac by a large piece of .NET software that is difficult to RE (due more to its size than its complexity). The two PCs are on the same network.
The SSH commands fail, but I don't know what they are. I would like to record these actions, or at least view them in some way, so I can change the behavior of the receiving end (Mac) to take the correct action (bug workaround).
Here is what I've tried to view the SSH commands:
- Run Wireshark (on both sides) and try to decode the Diffie-Hellman exchange via the SSH keys (I don't know how this works exactly, so I'm fumbling my way through; e.g. I don't know how to use RSA keys to decode the conversation).
- Try strace: it doesn't exist on Mac machines. The alternative, dtruss, may work, but I don't know the commands and would have to bypass SIP.
- Try to log SSH commands by auto-logging from .bashrc (this has now been replaced by .zprofile and .zshrc). This doesn't appear to work, and no history is left in .zsh_history or .bash_history. It works when I run interactive Terminal commands, though. This may be due to the commands being chained to the initial SSH command, e.g. ssh user@host SOMECOMMAND.
- Run ProcMon and see if the commands are in some secret config file. I can't seem to find it.
- Decompile using Reflector and dnSpy. I find some logic on how to transmit SSH commands, but no hard-coded actual commands.
What am I missing? Is there some obvious way to do this that I've overlooked?
I am relatively versed in making things work, so if I have an idea of the best path forward, I'll focus my attention there. There just seem to be too many options in a large space to know how to proceed.
I've read there are maybe ways to do this via the sshd_config on the SSH host (Mac), but I have no idea which settings would actually work, and apparently Mac does things in a special way.
[Please feel free to move this to the appropriate StackExchange site; I'm not sure which is best for this.]
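One server-side approach the question alludes to (the sshd_config route) is a ForceCommand wrapper: sshd exposes whatever the client asked to run in the environment variable SSH_ORIGINAL_COMMAND, so a wrapper can log it and then run it unchanged. This also explains why the .zshrc trick above failed: for `ssh user@host SOMECOMMAND` the login shell is started as `zsh -c SOMECOMMAND`, which is non-interactive and reads only .zshenv, not .zprofile or .zshrc, and never writes history. The script below is an added example written for this answer, not code from the original post; the script path, the log file path, the username in the Match block and the launchctl restart command are all assumptions you would adapt.

```shell
#!/bin/sh
# Added example (not from the original post): a ForceCommand wrapper for sshd
# that records the command a client asked for, then executes it unchanged.
#
# Assumed locations: install this file as /usr/local/sbin/ssh-cmd-logger,
# make it executable, and log to /var/log/ssh-commands.log (the logging user
# needs write access; a file under ~/ works too).
#
# Assumed sshd_config fragment on the Mac (/etc/ssh/sshd_config); restrict it
# to the account the .NET software logs in as:
#   Match User buildbot
#       ForceCommand /usr/local/sbin/ssh-cmd-logger
# Then restart sshd, e.g. (assumed for macOS):
#   sudo launchctl kickstart -k system/com.openssh.sshd
#
# sshd runs the ForceCommand via the user's login shell with the client's
# original request in SSH_ORIGINAL_COMMAND (empty for an interactive login).

LOGFILE=${SSH_CMD_LOGFILE:-/var/log/ssh-commands.log}

log_and_run() {
    # $1 = log file, $2 = the client's original command (may be empty)
    logfile=$1
    cmd=$2
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    client=${SSH_CLIENT:-local}

    if [ -z "$cmd" ]; then
        # No command: the client wants an interactive shell. Log and hand over.
        printf '%s client=%s interactive-shell\n' "$ts" "$client" >> "$logfile"
        exec "${SHELL:-/bin/sh}" -l
    fi

    # Record exactly what was requested before running it, so a failing
    # command still leaves a trace.
    printf '%s client=%s cmd=%s\n' "$ts" "$client" "$cmd" >> "$logfile"

    # Run it the same way sshd would have without the wrapper: through the
    # login shell with -c, so quoting and shell syntax behave identically.
    "${SHELL:-/bin/sh}" -c "$cmd" && rc=0 || rc=$?

    printf '%s client=%s rc=%s\n' "$ts" "$client" "$rc" >> "$logfile"
    return "$rc"
}

# Only act as the wrapper when invoked under the installed name, so the
# functions above can be sourced and tested without running anything.
case "${0##*/}" in
    ssh-cmd-logger)
        log_and_run "$LOGFILE" "${SSH_ORIGINAL_COMMAND:-}"
        exit $?
        ;;
esac
```

Once the log shows the exact command string, you can turn the same wrapper into the workaround: match the known-bad command in the `case` and substitute the corrected one before exec'ing, leaving every other command untouched. Keep the Match block scoped to the one account, because ForceCommand silently overrides whatever any client on that account asks for.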