
Logging all SSH commands from a Linux jumpbox

I'm tasked with coming up with a solution for our NOC to implement MFA-secured access on our routers. There are caveats to doing this, as TACACS/RADIUS is only supported on the MGMT interface, amongst other limitations (I don't want to risk getting locked out of a router if TACACS/RADIUS is being flaky).

With that being said, I think a better approach would be a jumpbox that logs all commands. Users would SSH to the jumpbox and authenticate with their AD credentials via RADIUS or something else that supports MFA.

The caveats here are:

  • When you SSH to the router in question, all commands/responses should somehow get logged and shipped somewhere, via RADIUS accounting or otherwise. It would be the jumpbox shipping these off; perhaps there's a "special" version of SSH that does this.
  • They should be logged under the user that ran the commands.
Michael Hampton:
First you talk about MFA then you went straight to left field and asked about logging all commands? These don't appear to have any relation to each other. What are you actually trying to accomplish?
NOC_Ninja982134:
A RADIUS solution will provide for hooks into MFA via the authentication piece as well as logging of all commands through the accounting piece.
Michael Hampton:
The only command you'll normally log is where the admin jumped off to, though. There are ways to log the whole terminal session, but that's usually overly noisy, takes up massive amounts of disk, and is unlikely to be what you really need. So trying to push all that through RADIUS accounting sounds insane.
NOC_Ninja982134:
A jumpbox where I can authenticate into it using AD/MFA that also ships all commands off somewhere, including when I use it to SSH in somewhere, will suffice (logging the terminal session).
Michael Hampton:
If you just need to log commands, [that's easy](https://serverfault.com/a/1036183/126632). You can log those and ship them off to a remote machine via any method you wish.
NOC_Ninja982134:
But will it also log when he SSHs somewhere, and the output of that? John logs into the jumpbox, types `ls` (this is logged), John SSHs into a router (the ssh command is logged), John types "System reboot" (this command is ALSO logged).
Michael Hampton:
Semantically that's terminal output. That gets a lot more complicated, and as noted in the linked question, I'm not aware of a good solution for that except for `pam_tty_audit`, which does exactly what was shown there. If you can handle that, then go for it.
NOC_Ninja982134:
Thank you sir. I will take it from here.
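Following up on the `pam_tty_audit` pointer in the comments above, here is an added example of the jumpbox-side post-processing; it is not code from the thread or from the linked answer. It parses the `type=TTY` records that auditd writes when `pam_tty_audit` is enabled and rebuilds each login session's command lines keyed by `auid` (the login UID), which is what satisfies the "logged under the user that ran the commands" requirement even for the `system reboot` that John types into the router after SSHing from the jumpbox: those keystrokes still pass through the jumpbox's pty, so they are recorded there with comm="ssh" and John's auid. The audit records, the `router1` hostname and the 10.0.0.5 address are constructed for this example.

```python
"""Rebuild per-user command lines from pam_tty_audit records.

With a line such as
    session required pam_tty_audit.so enable=*
in /etc/pam.d/sshd, the kernel emits a type=TTY audit record for the
keystrokes each logged-in user types; auditd stores them in
/var/log/audit/audit.log. `data=` holds the hex-encoded keystroke bytes and
`auid` is the login UID, which survives su/sudo and an onward ssh.
"""
import re
from collections import defaultdict

# Constructed sample (not real captured data): john (auid=1000) runs `ls`,
# then `ssh router1` (with a typo he erases), then `system reboot` inside the
# remote session; a second user (auid=1001) types `show run` on another pty.
# The USER_LOGIN line shows that unrelated record types are skipped.
SAMPLE_AUDIT_LOG = """\
type=TTY msg=audit(1700000000.101:31): tty pts0 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=6C730D
type=TTY msg=audit(1700000000.205:32): tty pts0 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=73736820726F757472657F7F657231
type=TTY msg=audit(1700000000.206:33): tty pts0 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="bash" data=0D
type=TTY msg=audit(1700000000.900:34): tty pts0 uid=1000 auid=1000 ses=3 major=136 minor=0 comm="ssh" data=73797374656D207265626F6F740D
type=TTY msg=audit(1700000001.000:35): tty pts1 uid=0 auid=1001 ses=4 major=136 minor=1 comm="bash" data=73686F772072756E0D
type=USER_LOGIN msg=audit(1700000001.100:36): pid=2211 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""

TTY_RE = re.compile(
    r'type=TTY msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'tty (?P<tty>\S+) uid=(?P<uid>\d+) auid=(?P<auid>\d+) ses=(?P<ses>\d+) '
    r'.*?comm="(?P<comm>[^"]*)" data=(?P<data>[0-9A-Fa-f]*)'
)


def apply_line_editing(raw):
    """Turn a keystroke byte stream into the lines the user actually entered.

    DEL/BS erase the previous character, CR or LF end a line (a CRLF pair
    counts once), other control bytes are rendered caret-style (^C).
    Returns (completed_lines, unfinished_partial_line).
    """
    lines, cur, prev = [], [], None
    for b in raw:
        if b in (0x7F, 0x08):
            if cur:
                cur.pop()
        elif b in (0x0D, 0x0A):
            if not (b == 0x0A and prev == 0x0D):
                lines.append("".join(cur))
                cur = []
        elif b < 0x20:
            cur.append("^" + chr(b + 0x40))
        else:
            cur.append(chr(b))  # latin-1 view; fine for command lines
        prev = b
    return lines, "".join(cur)


def reconstruct_sessions(log_text):
    """Group TTY records by (auid, ses, tty), order them by audit serial and
    rebuild the command lines typed in each login session.

    Keying on auid (not uid) is what keeps the result attributable to the
    person who authenticated to the jumpbox, even after sudo or an onward ssh.
    """
    records = defaultdict(list)
    comms = defaultdict(set)
    for line in log_text.splitlines():
        m = TTY_RE.match(line)
        if not m:
            continue  # SYSCALL, USER_LOGIN, ... are not keystroke records
        key = (int(m["auid"]), int(m["ses"]), m["tty"])
        records[key].append((int(m["serial"]), bytes.fromhex(m["data"])))
        comms[key].add(m["comm"])
    sessions = {}
    for key, recs in records.items():
        raw = b"".join(data for _, data in sorted(recs))
        lines, partial = apply_line_editing(raw)
        sessions[key] = {"lines": lines, "partial": partial,
                         "comm": sorted(comms[key])}
    return sessions


def report(sessions):
    """One shippable line per command, tagged with who typed it and where."""
    out = []
    for (auid, ses, tty), s in sorted(sessions.items()):
        for cmd in s["lines"]:
            out.append(f"auid={auid} ses={ses} tty={tty} cmd={cmd!r}")
        if s["partial"]:
            out.append(f"auid={auid} ses={ses} tty={tty} partial={s['partial']!r}")
    return out


if __name__ == "__main__":
    print("\n".join(report(reconstruct_sessions(SAMPLE_AUDIT_LOG))))
```

On a real jumpbox the input would come from `ausearch -m TTY --raw` or a tail of audit.log, and the report lines can be shipped with whatever forwarder you already use. Two caveats worth knowing before committing to this: `pam_tty_audit` records keystrokes only, not the router's responses (capturing output needs session recording such as `script(1)`), and keystrokes typed while terminal echo is off, i.e. passwords, are not recorded unless the module's `log_passwd` option is set.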