features discussions

[sabban]

Hi, I tried sshportal, and did a little homework to try understand how it's working. I am really happy with the smart way it handles the jumps login avoiding the burden of the "ProxyCommand" things.

If I am not wrong, the remote session on the remote host server are not audited. If you are interested in such a feature I am already working on it, the idea is to provide a logfile for each session that could be read by something like ttyrec. I would be happy to provided a patch for this.

Moreover there's one last thing we may need here, it's the tunnel feature from ssh (tunnels invoked by -L or -R options in ssh). And we would like it logged (I thought about a pcap file for that). What is your opinion about this ?

What are you thinking about all this ?

Thank you for your work on sshportal !

[moul]

Hi @sabban, thank you for this kind message and your other PRs, this is exactly what I love in the OSS ecosystem. 😊

If I am not wrong, the remote session on the remote host server is not audited. If you are interested in such a feature I am already working on it; the idea is to provide a logfile for each session that could be read by something like ttyrec. I would be happy to provide a patch for this.

They are currently only logged as basic events: start/stop time, user, host (available with session ls command)

I also wanted to record the full TTY session; I would love a patch (let me know if you need some help)

That looks interesting:

• https://github.com/arkan/bastion/blob/master/pkg/logchannel/logchannel.go
• https://github.com/arkan/bastion/blob/master/main.go#L73-L93

Moreover there's one last thing we may need here, it's the tunnel feature from ssh (tunnels invoked by -L or -R options in ssh). And we would like it logged (I thought about a pcap file for that). What is your opinion about this?

I didn't think about this one, but it follows the main idea of sshportal, pcap is standard, so a good idea too

From what I see, there were already some work done for the local forward (see https://github.com/gliderlabs/ssh/pull/38), if it is usable, it looks easy to add the remote forward feature on gliderlabs/ssh

I will look after the Xmas dinner digestion

Thank you again :+1:

[sabban]

Yes, this sounds promising :)

I will continue working on this after New Year's Eve !

[sabban]

Hi, I use this thread to ask your advice on sftp session auditing. I you prefer I can open a new issue.

sftp sessions are audited, but audit log is not that useful, as the format is not like usual sessions. Sftp use the secure channel to its own protocol. We can improve something as the created channel should contain "subsystem sftp" in newChan.ExtraData, but this seems to be rather complicated, as we have to handle each different sftp request. https://filezilla-project.org/specs/draft-ietf-secsh-filexfer-02.txt

The ideas that came to my mind are:

• log raw sftp requests with a new audit package
• create a whole abstraction to understand sftp protocol. This is a lot work and may be out of the scope of the project.
• implement an independant tool to re-build the whole sftp session from the actual audit file. I would have you thoughts on this topics, before implementing something.

[moul]

Logging raw sftp requests seem the best choice for now, in term of forensic, it's not the easier to use solution but at least it won't miss anything

I'm for handling sftp natively later, but I prefer to wait a little bit more to see how gliderslabs/ssh will handle this: https://github.com/gliderlabs/ssh/search?q=sftp&type=Issues&utf8=%E2%9C%93

[moul]

Closing the issue as I plan to work on the v2 of this project and I need to make some cleanup in the issues see #210