Date: 02-12-23  Time: 11:47 AM

Author Topic: What is the different ssh remotehost with ssh remote host with command?  (Read 14897 times)

ballack67

  • Jr. Member
  • **
  • Posts: 6
  • Karma: +0/-0
Hi Michael!
I have a problem that puzzles me. I installed and configured OpenSSH so that I can connect remotely to other nodes through ssh without an authentication prompt. But when I ssh from the local host to the remote host with a command, I can't see information about the local host at the remote host. I'll illustrate what I said:
    - At oltpn4c (10.0.91.62):
        sysopr1@oltpn4c:/home/sysopr1>date
        Tue Jun 19 09:52:34 GMT+07:00 2012
        sysopr1@oltpn4c:/home/sysopr1>ssh icapp2 ls -al
        total 624696
        drwxr-xr-x    9 sysopr1  staff          4096 Jun 18 13:39 .
        drwxr-xr-x    9 bin      bin             256 Jun 29 2011  ..
        -rw-r--r--    1 sysopr1  staff            11 Sep 21 2009  .mh_profile
        -rw-r--r--    1 sysopr1  staff           557 Jun 18 16:03 .profile
        -rw-r--r--    1 sysopr1  staff            16 May 12 2010  .rhosts
        -rw-------    1 sysopr1  staff         10080 Jun 19 09:25 .sh_history
        drwxr-xr-x    2 sysopr1  staff           256 Jun 18 10:47 .ssh
        -rw-------    1 sysopr1  staff           524 Jun 18 16:58 .vi_history
    - At icapp2 (10.0.91.82):
        <icapp2:/home/sysopr1>date
        Tue Jun 19 09:53:52 THAIST 2012
        <icapp2:/home/sysopr1>last|pg
        sysopr1   pts/3        10.0.95.26             Jun 19 09:53   still logged in
        sysopr2   pts/4        10.0.84.59             Jun 19 09:37   still logged in
        sysopr2   pts/4        10.0.84.59             Jun 19 09:36 - 09:37  (00:00)
        sysopr2   pts/3        10.0.84.59             Jun 19 09:29 - 09:36  (00:07)
        sysopr1   pts/1        10.0.95.9              Jun 19 09:25   still logged in
        sysopr2   pts/2        10.0.96.189            Jun 19 09:04   still logged in

* Question 1: I don't see a log entry for the IP address of oltpn4c. Why? How can I see it?

But it appears when I just do ssh icapp2.
    - At oltpn4c:
        sysopr1@oltpn4c:/home/sysopr1>ssh icapp2
    - At icapp2:
        <icapp2:/home/sysopr1>last|pg
        sysopr1   pts/5        10.0.91.62             Jun 19 09:57   still logged in
* Question 2: What is the difference between ssh icapp2 and ssh icapp2 ls -al (or another command)?

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1339
  • Karma: +0/-0
When you add a command you do not actually "login" (i.e., you do not get a "shell" prompt, i.e. whatever program is configured as your shell). You are merely authenticating with the remote server and requesting the output of a command that gets executed using your verified credentials.

ballack67

« Reply #2 on: August 07, 2012, 02:41:26 AM »
Hi Michael!
How can I show a log entry when ssh to the remote host is run with a command? It's important because if someone executes a command from localhost on the remote host, we can monitor it to know who did this.

Michael

« Reply #3 on: August 07, 2012, 08:11:27 PM »
I'll have to do some research.
Assuming ssh has logging built-in, I expect it to be something in the syslog outputs.

From memory, I believe ssh is writing "logins" to both the mail and auth syslog message queues.

However, my guess is that sshd does not log commands run.

The alternative will be to see what audit can catch and how that needs to be setup.

 :P nice question!

Michael

« Reply #4 on: August 08, 2012, 11:58:02 AM »
I downloaded the source to openssh from openssh.org and see that there are MANY syslog messages that could be sent - however, most of these have to do with reporting different kinds of errors, not commands executed.

What I do see is that sshd is using both "auth" and "security" logs.

FYI: in /etc/syslog.conf I have the following entry:
*.debug;local4.none /var/log/syslog/debug.log # Touch file and refresh syslogd

And an excerpt of the output is:
Aug  8 12:11:37 x054 auth|security:info sshd[3604484]: Accepted publickey for realuser from 192.168.129.20 port 1709 ssh2
Aug  8 12:11:59 x054 auth|security:info sshd[3604498]: Accepted publickey for realuser from 192.168.129.20 port 1711 ssh2
Aug  8 12:16:56 x054 daemon:info named[2556026]: Cleaned cache of 33 RRsets
Aug  8 12:16:56 x054 daemon:info named[2556026]: USAGE 1344421016 1342174618 CPU=17673.5u/8665.12s CHILDCPU=0u/0s
Aug  8 12:16:56 x054 daemon:info named[2556026]: NSTATS 1344421016 1342174618 A=18528 NS=1 PTR=9188 MX=249 TXT=25064966 AAAA=5702 SRV=13 ANY=136437079
Aug  8 12:16:56 x054 daemon:info named[2556026]: XSTATS 1344421016 1342174618 RR=50269 RNXD=4868 RFwdR=18709 RDupR=1 RFail=142 RFErr=799 RErr=3406 RAXFR=0 RLame=37 ROpts=0 SSysQ=14054 SAns=161486937 SFwdQ=20335 SDupQ=14158 SErr=0 RQ=161536349 RIQ=0 RFwdQ=20335 RDupQ=43176 RTCP=981 SFwdR=18709 SFail=2 SFErr=0 SNaAns=161456194 SNXD=96005 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
Aug  8 12:51:58 x054 auth|security:info sshd[5898424]: Invalid user fakeuser from 192.168.129.20
Aug  8 12:51:58 x054 auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from felt20.xfeltx.nl
Aug  8 12:52:03 x054 auth|security:info sshd[5898424]: Failed password for invalid user fakeuser from 192.168.129.20 port 1799 ssh2
Aug  8 12:52:03 x054 auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from felt20.xfeltx.nl
Aug  8 12:52:03 x054 user:info syslog: 127.0.0.1 host 192.168.129.20: gateway 127.0.0.1
Aug  8 12:52:13 x054 auth|security:info sshd[5898424]: Failed password for invalid user fakeuser from 192.168.129.20 port 1799 ssh2
Aug  8 12:52:13 x054 auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from felt20.xfeltx.nl
Aug  8 12:52:18 x054 auth|security:info sshd[5898424]: Failed password for invalid user fakeuser from 192.168.129.20 port 1799 ssh2
Aug  8 12:52:18 x054 auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from felt20.xfeltx.nl
Aug  8 12:53:04 x054 user:info syslog: 127.0.0.1 host 192.168.129.20: gateway 127.0.0.1
Aug  8 12:53:41 x054 auth|security:info sshd[6488212]: Login restricted for bin: 3004-302 Your account has expired; please see the system administrator.
Aug  8 12:53:41 x054 auth|security:info sshd[6488212]: Failed password for invalid user bin from 206.183.111.103 port 38574 ssh2
Aug  8 12:53:41 x054 auth|security:info syslog: ssh: failed login attempt for bin from ts511.rapidns.com


The successful entries (at top) were from the following command from a cmd.exe prompt:
ssh2 realuser@192.168.129.54 date

And - new entries - when going to a command prompt are:
Aug  8 13:55:06 x054 auth|security:info sshd[4587622]: Accepted publickey for realuser from 192.168.129.20 port 1990 ssh2
Aug  8 13:55:36 x054 auth|security:info sshd[5570608]: Received disconnect from 192.168.129.20: 11: Disconnect requested by Windows SSH Client.


In short, looks like some code changes needed to get the actual commands logged - or audit.
I'll look into using audit later.
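
Added example, not part of the thread: since sshd writes an "Accepted ..." line for every authentication while `last` only shows sessions that got a terminal, comparing the two sources points at the authentications that ran a command without logging in. The sample lines are constructed in the two formats quoted above; the function names, the one-minute matching window and the year argument are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines in the two formats quoted in the thread.
SYSLOG_SAMPLE = [
    "Jun 19 09:52:40 icapp2 auth|security:info sshd[1234567]: Accepted publickey for sysopr1 from 10.0.91.62 port 40112 ssh2",
    "Jun 19 09:57:02 icapp2 auth|security:info sshd[1234570]: Accepted publickey for sysopr1 from 10.0.91.62 port 40120 ssh2",
    "Jun 19 09:58:10 icapp2 auth|security:info sshd[1234580]: Failed password for invalid user fakeuser from 10.0.91.62 port 40130 ssh2",
]
LAST_SAMPLE = [
    "sysopr1   pts/5        10.0.91.62             Jun 19 09:57   still logged in",
    "sysopr2   pts/4        10.0.84.59             Jun 19 09:37   still logged in",
]

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port")
LAST_RE = re.compile(r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<ip>\S+)\s+(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d)")

def to_dt(stamp, fmt, year):
    # Neither source prints a year, so the caller supplies it (assumption).
    return datetime.strptime(f"{' '.join(stamp.split())} {year}", fmt + " %Y")

def parse(lines, regex, fmt, year):
    """Return one dict per matching line, with 'ts' converted to datetime."""
    hits = (regex.match(line.strip()) for line in lines)
    return [{**m.groupdict(), "ts": to_dt(m["ts"], fmt, year)} for m in hits if m]

def auths_without_login(accepts, logins, slack=timedelta(minutes=1)):
    """Accepted authentications that have no matching `last` (wtmp) record."""
    unused, orphans = list(logins), []
    for a in sorted(accepts, key=lambda rec: rec["ts"]):
        minute = a["ts"].replace(second=0)  # `last` has minute resolution
        hit = next((l for l in unused
                    if (l["user"], l["ip"]) == (a["user"], a["ip"])
                    and timedelta(0) <= l["ts"] - minute <= slack), None)
        if hit:
            unused.remove(hit)  # one login record explains one authentication
        else:
            orphans.append(a)
    return orphans

def find_orphans(syslog_lines, last_lines, year):
    accepts = parse(syslog_lines, ACCEPT_RE, "%b %d %H:%M:%S", year)
    logins = parse(last_lines, LAST_RE, "%b %d %H:%M", year)
    return auths_without_login(accepts, logins)

if __name__ == "__main__":
    for rec in find_orphans(SYSLOG_SAMPLE, LAST_SAMPLE, 2012):
        print(f"{rec['ts']} {rec['user']}@{rec['ip']} sshd[{rec['pid']}] {rec['method']}: no login record")
```

A session opened without a terminal also lands in this list, and clock differences between the two sources can require a wider window. The result identifies who authenticated and from where, not which command was run.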