Fedora Linux Support Community & Resources Center
  #1  
Old 11th May 2010, 07:20 AM
joe.pelayo Offline
An ape descendant
 
Join Date: Dec 2006
Location: Mexico City
Age: 30
Posts: 3,105
linuxsafari
Question Hidden SSH login

Hello everybody.

I use SSH on a regular basis to log in to remote machines and was wondering: is there some sort of 'stealth' mode one can use SSH in? I mean, is it possible somehow to log in to a server anonymously (so the "who" command does not reveal the user)?

Thanks,
Joe.
__________________
Notebook: Acer Aspire 5536-5112.
AMD Athlon X2 QL64 @ 2.1GHz, 4GB DDR2 PC2-5300, ATI Radeon HD3200 (256MB), 250GB Toshiba HDD, HL-DT-ST DVDRAM GT20N
Windows 7 Professional, Fedora 20 x86_64
  #2  
Old 11th May 2010, 09:43 AM
finnmetal Offline
Registered User
 
Join Date: Oct 2009
Posts: 15
linuxfedorafirefox
Re: Hidden SSH login

If PAM is running, it is PAM that is sending the info. Try editing /etc/pam.d/sshd, although consult the PAM documentation or man page first if you don't know your way around PAM that well.
  #3  
Old 12th May 2010, 03:20 AM
joe.pelayo Offline
An ape descendant
 
Join Date: Dec 2006
Location: Mexico City
Age: 30
Posts: 3,105
linuxsafari
Re: Hidden SSH login

Quote:
Originally Posted by finnmetal View Post
If PAM is running, it is PAM that is sending the info. Try editing /etc/pam.d/sshd, although consult the PAM documentation or man page first if you don't know your way around PAM that well.
Thanks for the hint, I'll check it out.

Joe.
  #4  
Old 12th May 2010, 03:33 AM
jpollard Offline
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,898
linuxfedorafirefox
Re: Hidden SSH login

Normally, the who command extracts the login information from the
/var/log/wtmp and /var/log/utmp files. These files are only updated
based on entries created from a terminal session, or an X session.

For programs that login, but do not use terminal interactions (such as
scp, rcp, daemons, cron jobs...) there are no entries created.

This means that if you use ssh to run an application remotely, then
that application will not show up in a "who" report.

Note: you must be sure that a terminal session is not started (as in
ssh -t) because that can cause the utmp/wtmp files to be updated.

Last edited by jpollard; 12th May 2010 at 03:35 AM.
  #5  
Old 12th May 2010, 03:47 AM
stevea Offline
Registered User
 
Join Date: Apr 2006
Location: Ohio, USA
Posts: 9,041
linuxfedorafirefox
Re: Hidden SSH login

No - that doesn't work. sshd directly calls logwtmp which creates the record in /var/log/[wu]tmp. These records are supposed to be recorded for ALL session creation. Session creation should create a login record and there is no legitimate reason to avoid it, tho' lots of illegitimate reasons.
__________________
None are more hopelessly enslaved than those who falsely believe they are free.
Johann Wolfgang von Goethe

Last edited by stevea; 12th May 2010 at 03:52 AM.
  #6  
Old 12th May 2010, 05:42 AM
tkjacobsen Offline
Registered User
 
Join Date: Dec 2008
Posts: 13
linuxsafari
Re: Hidden SSH login

What problem are you trying to solve? Maybe a better solution exists...
  #7  
Old 12th May 2010, 06:41 AM
joe.pelayo Offline
An ape descendant
 
Join Date: Dec 2006
Location: Mexico City
Age: 30
Posts: 3,105
linuxsafari
Re: Hidden SSH login

There is no concrete problem to solve; it is just that I share access to a server with several others and would like to know if there is some option for the "ssh" command so they log in anonymously, because recently I've found traces of their activity (like recently sent jobs) but don't see them 'online' with 'who'. It's not that I am trying to do something 'illegitimate'; it is just that I want to know the capabilities of the system.

Thanks,
Joe.
  #8  
Old 12th May 2010, 07:02 AM
stevea Offline
Registered User
 
Join Date: Apr 2006
Location: Ohio, USA
Posts: 9,041
linuxfedorafirefox
Re: Hidden SSH login

who -a /var/log/wtmp
shows all the login/logout history (technically session creation, termination). Not just the current sessions.

less /var/log/secure
will show all sorts of authenticated activity, even ones that do not create a session.
  #9  
Old 12th May 2010, 01:16 PM
jpollard Offline
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,898
linuxfedorafirefox
Re: Hidden SSH login

Quote:
Originally Posted by stevea View Post
No - that doesn't work. sshd directly calls logwtmp which creates the record in /var/log/[wu]tmp. These records are supposed to be recorded for ALL session creation. Session creation should create a login record and there is no legitimate reason to avoid it, tho' lots of illegitimate reasons.
Not by my tests:

Code:
[jesse@panther ~]$ who
jesse    tty1         2010-03-29 11:41 (:0)
jesse    pts/0        2010-04-15 17:10 (:0.0)
jesse    pts/1        2010-05-12 07:50 (:0.0)
[jesse@panther ~]$ ssh panther who
jesse@panther's password: 
jesse    tty1         2010-03-29 11:41 (:0)
jesse    pts/0        2010-04-15 17:10 (:0.0)
jesse    pts/1        2010-05-12 07:50 (:0.0)
[jesse@panther ~]$
Observe that the "who" command executed by the ssh has no tty assigned, and no session shown.

Yet, if I assign a terminal using the "-t" option I get:
Code:
[jesse@panther ~]$ ssh -t panther who
jesse@panther's password: 
jesse    tty1         2010-03-29 11:41 (:0)
jesse    pts/0        2010-04-15 17:10 (:0.0)
jesse    pts/1        2010-05-12 07:50 (:0.0)
jesse    pts/2        2010-05-12 07:55 (panther)
Connection to panther closed.
Therefore, using a remote command (with no terminal/pseudoterminal
assigned) does not show a login via the basic who command.

As noted by others, it IS recorded in security logs.

I have had this issue come up before - it was very desirable to observe
a particular user. What was odd was that he logged out every time an
administrator logged in. We didn't worry about it (he was an authorized
user) until another site complained about connections from that specific
machine. So we investigated... Using ssh in this manner allowed us to
observe activity not being recorded by standard audit logs.

Part of the reason this works this way is due to the way who determines
if a record exists - I believe it is in the /var/log/wtmp (though it may be
utmp) if the tty entry is null, "who" assumes it is a terminated record - and
thus not to be shown as an "active" user. The record is not removed
because the file is also used by the BSD accounting systems, which will
generate usage accounting for the session. But in this session, the tty
entry may appear multiple times, with multiple different user values, as
well as with null entries.

This is why cron doesn't show up - no controlling terminal is assigned and
entered, though BSD accounting records can be generated from other
data (/var/log/pacct). This other data also records all processes that
are/have been active in the system if the accounting subsystem has been
activated.
Reply With Quote
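Added example (not code from any poster in this thread): a small audit check for the behaviour discussed above, where an ssh remote command with no tty is absent from "who" but is still recorded in /var/log/secure. The log lines and "who" output are constructed samples, and comparing per-user counts rather than matching hosts is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/secure (sshd and pam_unix lines), not from the thread.
SECURE_LOG = """\
May 12 07:50:01 panther sshd[2211]: Accepted password for jesse from 192.168.1.20 port 40112 ssh2
May 12 07:50:01 panther sshd[2211]: pam_unix(sshd:session): session opened for user jesse by (uid=0)
May 12 07:52:30 panther sshd[2290]: Accepted publickey for alice from 192.168.1.31 port 51500 ssh2
May 12 07:52:30 panther sshd[2290]: pam_unix(sshd:session): session opened for user alice by (uid=0)
May 12 07:53:02 panther sshd[2305]: pam_unix(sshd:session): session opened for user bob by (uid=0)
May 12 07:53:09 panther sshd[2305]: pam_unix(sshd:session): session closed for user bob
"""
# Constructed `who` output: jesse has a remote pts entry, alice has none (no tty).
WHO_OUTPUT = """\
jesse    tty1         2010-03-29 11:41 (:0)
jesse    pts/2        2010-05-12 07:50 (192.168.1.20)
"""
ACCEPT = re.compile(r"sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port")
OPENED = re.compile(r"sshd\[(\d+)\]: pam_unix\(sshd:session\): session opened for user (\S+)")
CLOSED = re.compile(r"sshd\[(\d+)\]: pam_unix\(sshd:session\): session closed for user (\S+)")

def open_ssh_sessions(log_text):
    """Return {pid: (user, source)} for sshd sessions opened but not yet closed."""
    source, live = {}, {}
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            source[m.group(1)] = m.group(4)
        elif m := OPENED.search(line):
            live[m.group(1)] = (m.group(2), source.get(m.group(1), "unknown"))
        elif m := CLOSED.search(line):
            live.pop(m.group(1), None)
    return live

def remote_who_counts(who_text):
    """Count `who` entries per user that come from a remote host, not a local X display."""
    counts = defaultdict(int)
    for line in who_text.splitlines():
        m = re.match(r"(\S+)\s+\S+\s+\S+\s+\S+\s+\((.+)\)", line)
        if m and not m.group(2).startswith(":"):
            counts[m.group(1)] += 1
    return counts

def sessions_missing_from_who(log_text, who_text):
    """Users with more live sshd sessions in the log than remote entries in `who`."""
    per_user = defaultdict(list)
    for pid, (user, src) in open_ssh_sessions(log_text).items():
        per_user[user].append((pid, src))
    seen = remote_who_counts(who_text)
    return {u: s for u, s in per_user.items() if len(s) > seen[u]}
```

On a live host the two inputs would come from the contents of /var/log/secure and the output of `who`; reading the log normally requires root.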