How to monitor ssh connection

davidlu766 · 04-28-2010, 07:22 PM

Hi,

I will be hiring Linux freelancers very soon to do some work on my Linux Centos 5 machine. And I need a way to see what he's doing on my computer over ssh, now I don't mean me reading the logs, I meaning seeing what he's doing in realtime (kind of like vnc, but except the freelancer will only use ssh to do his work and not on the desktop environment.)

dxqcanada · 04-28-2010, 07:46 PM

Not easily.

SSH sessions are encrypted.
You would have to crack the encryption key to decipher the data.

All you would be able to see with a network trace is the source and destination host IP address and port (which most likely be TCP 22).

You should be able to see some things by monitoring your logs and process' that they might start.

davidlu766 · 04-28-2010, 07:50 PM

But I have ROOT access...

dxqcanada · 04-28-2010, 07:57 PM

That does not matter.

SSH was specifically designed to be secure ... so unless your computer has the computing power to decrypt the key, all you have is just monitoring what process' the User is running and anything that is logged.

davidlu766 · 04-28-2010, 08:02 PM

Yes, but don't I already have the ssh key somewhere on the system since it's my system?

ntubski · 04-28-2010, 08:02 PM

A GNU screen multiuser session would be the commandline equivalent of VNC.

dxqcanada · 04-28-2010, 08:08 PM

The encryption key is created during the SSH session negotiation.
You will not have access to this key.

You can use some utilities that can track what a User is doing on the system ... here is one that I googled:
whowatch

chrism01 · 04-28-2010, 08:48 PM

Try http://sourceforge.net/projects/rootsh/

EG
http://forums11.itrc.hp.com/service/...readId=1002519

Quote:

Okay all I found a solution for my probblem that's working!

I simply changed the default shell for the admin user to my rootsh, and added rootsh in the /etc/shells. And then I have logging from the first second a admin user loggs in to the server until he loggs out!

unSpawn · 04-29-2010, 03:01 AM

Quote:

Originally Posted by dxqcanada

You would have to crack the encryption key to decipher the data.

Completely the wrong approach...

Quote:

Originally Posted by chrism01

Try http://sourceforge.net/projects/rootsh/

...and that's the right tool for the job.

davidlu766 · 04-29-2010, 03:04 PM

Quote:

Originally Posted by chrism01

Try http://sourceforge.net/projects/rootsh/

Is the log updated in realtime? Because I was thinking about doing "tail -f" to see what they're doing in realtime...

thanks.

unixfool · 04-29-2010, 03:10 PM

Quote:

Originally Posted by davidlu766

Quote:

Originally Posted by chrism01

Try http://sourceforge.net/projects/rootsh/

Is the log updated in realtime? Because I was thinking about doing "tail -f" to see what they're doing in realtime...

thanks.

'tail -f' on what? Visit the site for rootsh and see how the tool is supposed to work...better yet, just give it a shot. If it doesn't work for you, you can still use tail. It never hurts to at least try out a recommended tool or at least study up on it.