# Recording SSH session



## bbzz (Jun 20, 2014)

In my attempt to provide a solution where SSH session for a user needs to be recorded, I found out that
`$ssh name@ip | tee file.log`
works well.

The issue is, how to make sure when user types in *ssh name@ip* is recorded to file. I could change users login shell so that regular command is replaced with the above. But then how to stop user from seeing/changing this? Any ideas?


----------



## obsigna (Jun 20, 2014)

bbzz said:
			
		

> In my attempt to provide a solution where SSH session for a user needs to be recorded, I found out that
> `$ssh name@ip | tee file.log`
> works well.
> 
> The issue is, how to make sure when user types in *ssh name@ip* is recorded to file. I could change users login shell so that regular command is replaced with the above. But then how to stop user from seeing/changing this? Any ideas?



Hidden key-logging is in most of the countries in the world in most of the cases forbidden, unless you got a judicial search decision.

You need to inform the users that their ssh-sessions are logged anyway, so there is no need to hide this. In order to prevent a regular user from changing back the login shell, restrict the respective permissions.


----------



## bbzz (Jun 21, 2014)

I'm glad you are making sure the world is working as intended.

Seriously though, we need a way to log user activity, which all users are aware of. We want to make sure, however, that no user can change these logs.

My original intent was posted here, http://forums.freebsd.org/viewtopic.php?f=3&t=45298, and while suggestions were great, it just doesn't work properly, unfortunately.

Then, just by accident I read on one of Linux forums that similar requests were already made, and a simple suggestion to use tee was absolutely amazing and incredibly simple at the same time. And made me sad nobody on these forums could suggest that. In any case, to make this workable, I still need a way to make sure this command is ran every time user logs in, and to make logs writable but not readable by users. These are not tech-savy users, so a less than perfect solution is fine. 

Any suggestion is more than welcome.

Regards


----------



## obsigna (Jun 21, 2014)

bbzz said:
			
		

> I'm glad you are making sure the world is working as intended.



Most people care about rights, some do not. Idiots laugh about it. So what?


----------



## storvi_net (Jun 21, 2014)

Hello @bbzz,

As stated before - the situation by law is full information of the users, that the session is recorded.

For a probably effective solution try this tool: http://www.freshports.org/misc/ttyrec

You have to think about the "kind" of user. Does the user need additional rights on the target system? If yes you need to implement kind of a jumpbox before, where the user is restricted as much as possible, so that the recording could not be overrided.

Regards
Markus


----------



## bbzz (Jun 21, 2014)

I found the solution in a way of security/sudosh2. It's an amazingly simply solution, and does exactly what I need. Take a look at it, I'm sure it's mostly unknown.

Regards!


----------



## storvi_net (Jun 21, 2014)

I am not an expert, but there is a note which says: 

```
DEPRECATED: Funcition replaced by sudo -s
EXPIRATION DATE: 2014-07-01
```

Regards
Markus


----------



## segfault (Jun 22, 2014)

Not sure if you are saying you want a user's actions recorded once they ssh IN to your machane, or you want to record them when they ssh OUT. If it's the first, then couldn't you just run any commands/scripts from the /etc/profile file? It is read when a user's shell is started up I believe. Users wouldn't have rights to change that. For the second situation (user ssh-ing OUT) you could use an alias command maybe in the same file.


----------



## bhughes (Jun 23, 2014)

`man 1 script`?


----------

