Hidden SSH login

joe.pelayo · #1 11th May 2010, 07:20 AM

Hello everybody.

I use SSH on a regular basis to log to remote machines and was wondering: is there some sort of 'stealth' mode one can use SSH as? I mean, is it possible somehow to log in to a server anonymously (so the "who" command does not reveal the user)?

Thanks,
Joe.

finnmetal · #2 11th May 2010, 09:43 AM

if pam is running it is pam that is sending the info try editing /etc/pam.d/sshd although consult the pam docu or man page before if you don't know your way around pam that well.

joe.pelayo · #3 12th May 2010, 03:20 AM

Quote:

Originally Posted by finnmetal

if pam is running it is pam that is sending the info try editing /etc/pam.d/sshd although consult the pam docu or man page before if you don't know your way around pam that well.

Thanks for the hint, I'll check it out.

Joe.

jpollard · #4 12th May 2010, 03:33 AM

Normally, the who command extracts the login information from the
/var/log/wtmp and /var/log/utmp files. These files are only updated
based on entries created from a terminal session, or an X session.

For programs that login, but do not use terminal interactions (such as
scp, rcp, daemons, cron jobs...) there are no entries created.

This means that if you use ssh to run an application remotely, then
that application will not show up in a "who" report.

Note: you must be sure that a terminal session is not started (as in
ssh -t) because that canl cause the utmp/wtmp files to be updated.

stevea · #5 12th May 2010, 03:47 AM

No - that doesn't work. sshd directly calls logwtmp which creates the record in /var/log/[wu]tmp. These records are supposed to be recorded for ALL session creation. Session creation should create a login record and there is no legitimate reason to avoid it, tho' lots of illegitimate reasons.

tkjacobsen · #6 12th May 2010, 05:42 AM

What problem are you trying to solve? Maybe a better solution exists...

joe.pelayo · #7 12th May 2010, 06:41 AM

There is no concrete problem to solve, it is just that I share access to a server with several other and would like to know if there is some option for the "ssh" command so they log in anonymously because recently I've found traces of their activity (like recently sent jobs) but don't see them 'online' with 'who'. It's not that I am trying to do something 'illegitimate', it is just that I want to know the capabilities of the system.

Thanks,
Joe.

stevea · #8 12th May 2010, 07:02 AM

who -a /var/log/wtmp
shows all the login/logout history (technically session creation, termination). Not just the current sessions.

less /var/log/secue
Will show all sorts of authenticated activity, even ones that do not rceate a session.

jpollard · #9 12th May 2010, 01:16 PM

Quote:

Originally Posted by stevea

No - that doesn't work. sshd directly calls logwtmp which creates the record in /var/log/[wu]tmp. These records are supposed to be recorded for ALL session creation. Session creation should create a login record and there is no legitimate reason to avoid it, tho' lots of illegitimate reasons.

Not by my tests:

Code:

[jesse@panther ~]$ who
jesse    tty1         2010-03-29 11:41 (:0)
jesse    pts/0        2010-04-15 17:10 (:0.0)
jesse    pts/1        2010-05-12 07:50 (:0.0)
[jesse@panther ~]$ ssh panther who
jesse@panther's password: 
jesse    tty1         2010-03-29 11:41 (:0)
jesse    pts/0        2010-04-15 17:10 (:0.0)
jesse    pts/1        2010-05-12 07:50 (:0.0)
[jesse@panther ~]$

Observe that the "who" command executed by the ssh has no tty assigned, and no session shown.

Yet, if I assign a terminal using the "-t" option I get:

Code:

jesse@panther ~]$ ssh -t panther who
jesse@panther's password: 
jesse    tty1         2010-03-29 11:41 (:0)
jesse    pts/0        2010-04-15 17:10 (:0.0)
jesse    pts/1        2010-05-12 07:50 (:0.0)
jesse    pts/2        2010-05-12 07:55 (panther)
Connection to panther closed.

Therefore, using a remote command (with no terminal/psudoterminal)
assigned does not show a login via the basic who command.

As noted by others, it IS recorded in security logs.

I have had this issue come up before - it was very desirable to observe
a particular user. What was odd was that he logged out every time an
administrator logged in. We didn't worry about it (he was an authorized
user) until another site complained about connections from that specific
machine. So we investigated... Using ssh in this manner allowed us to
observe activity not being recorded by standard audit logs.

Part of the reason this works this way is due to the way who determines
if a record exists - I believe it is in the /var/log/wtmp (though it may be
utmp) if the tty entry is null, "who" assumes it is a terminated record - and
thus not to be shown as an "active" user. The record is not removed
because the file is also used by the BSD accounting systems, which will
generate usage accounting for the session. But in this session, the tty
entry may appear multiple times, with multiple different user values, as
well as with null entries.

This is why cron doesn't show up - no controlling terminal is assigned and
entered, though BSD accounting records can be generated from other
data (/var/log/pacct). This other data also records all processes that
are/have been active in the system if the accounting subsystem has been
activated.