Wednesday, April 25, 2007

Configure ttysnoop with SSH in Suse Or Redhat Linux

This time a nice administrator tool called TTYSNOOP: it lets you watch what other people are doing in other terminals. Useful for security people.

1) Download openssh from
2) Uncompress it
tar zxvf openssh-4.6p1.tar.gz
3) Compile it. You have to tell the build which "login" program sshd has to use:
cd openssh-4.6p1
export LOGIN_PROGRAM="/sbin/foo_login"
./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check --with-pam --with-tcp-wrappers
make install

4) Edit the sshd_config file (it should be at /etc/ssh/sshd_config) and set these options:
PasswordAuthentication yes
UseLogin yes

Compile ttysnoop
5) Download ttysnoop from
6) tar xzvf ttysnoop-0.12d.k26.tar.gz
7) cd ttysnoop-0.12d.k26
8) make
9) make install

10) Install the ttysnoops binary as the login program sshd was built with:
cp ttysnoops /sbin/foo_login
11) The spool directory is not created by make install; you have to create it yourself:
mkdir /var/spool/ttysnoop

12) Copy snooptab.dist to /etc:
cp snooptab.dist /etc/snooptab

13) Edit /etc/snooptab
Comment out all lines except:
* socket login /bin/login
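As an added example (not from the original post), a small POSIX shell script that checks the sshd_config, snooptab, login-program and spool-directory state the steps above produce, before sshd is restarted. The sample files it builds for an offline run are constructed; the default paths it names are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the setup of steps
# 4 and 10-13 before restarting sshd, so a mistake does not lock everyone out
# (the failure mode the comment thread below describes).

# First effective value of a keyword in sshd_config. sshd uses the first
# occurrence of a keyword; a commented line starts with '#' and never matches.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Step 4: both options must be active or sshd never runs the login program.
check_sshd_config() {
    [ "$(sshd_option "$1" UseLogin)" = yes ] &&
    [ "$(sshd_option "$1" PasswordAuthentication)" = yes ]
}

# Step 13: the only uncommented, non-blank rule must be the socket/login one.
check_snooptab() {
    [ "$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$')" = \
      '* socket login /bin/login' ]
}

# Steps 10-11: the snooping login and the spool dir must exist, and the real
# login must not be ttysnoops itself (then ttysnoops would exec itself and
# nobody could log in).  Args: snoop_login real_login spool_dir
check_login_program() {
    [ -x "$1" ] && [ -x "$2" ] && [ -d "$3" ] &&
    [ "$(cksum < "$1")" != "$(cksum < "$2")" ]
}

# Constructed sample files so the checks run offline; on a real host pass
# /etc/ssh/sshd_config, /etc/snooptab, /sbin/foo_login, /bin/login and
# /var/spool/ttysnoop instead.
demo() {
    d=$(mktemp -d) || return 1
    printf '#UseLogin no\nPasswordAuthentication yes\nUseLogin yes\n' > "$d/sshd_config"
    printf '# snooptab\n#* socket login /bin/login.real\n* socket login /bin/login\n' > "$d/snooptab"
    printf '#!/bin/sh\nexec /bin/login "$@"\n' > "$d/foo_login"
    printf '#!/bin/sh\necho real login\n' > "$d/login"
    chmod 755 "$d/foo_login" "$d/login"
    mkdir "$d/spool"
    rc=0
    check_sshd_config "$d/sshd_config" && check_snooptab "$d/snooptab" &&
    check_login_program "$d/foo_login" "$d/login" "$d/spool" || rc=1
    rm -rf "$d"
    return $rc
}

demo && echo "ttysnoop setup looks consistent" || echo "setup check FAILED"
```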

Now you can use it. First find the terminal the user is logged in on (here pts/1):
wlamagna pts/1 16:51 0.00s 1:42 0.01s login -- wlamagna

In another terminal, run this to snoop on terminal 1:
# ttysnoop 1

Now you are ready to use ttysnoop :-) Please leave a comment with your experiences.


Mathias said...

Hi there

Nice how-to. Thx for this.
It works really great, even if the user starts vim or other programs that manipulate the screen (or its size).

Is it possible to auto-start logging when a user logs in with ssh? How would you do this? Change the C-Code of ttysnoops?

I also want to restrict some (bash built-in) commands in a chroot environment like "w" or "ps". Do you think, modifying the ttysnoops code is the right way to do this?


Walter Linux said...

Hi Matt. To auto start logging you can create a daemon that listens to some signal, for example SIGALRM. When ttysnoops loads, you can send the signal SIGALRM to the daemon, and the daemon executes the command "ttysnoop [terminal] > /tmp/bigbrother.out".

To disable "w" or "ps", you will have to play with the permissions of the files. I recommend creating a special group for the jail and setting these permissions on /usr/bin/w:

-r-xr-x--- (chmod 555 /usr/bin/w). Then chgrp the "w" binary to a group that you will give to the users who should be able to run that command.

Good luck.

Mathias said...

Hi Walter

I think it's a good idea to start with a second daemon and the signal. Thank you for this hint.

Disabling the commands mentioned above worked as expected. I hope I didn't break some crons by doing this ;)


Anonymous said...

There is also the option to move /bin/login to /bin/login.real and replace /bin/login with ttysnoops.

In this case no sshd recompilation is needed.


Anonymous said...

Janis is incorrect. That's a great way to make your system crash and not allow anyone to login.

Black said...

Well, actually, it is correct. You can do this without crashing your system. Being unable to do one thing does not mean it is not feasible. Google on my friend.

Anonymous said...

I just tried Janis' suggestion and it broke the ssh access. Recompiling sshd doesn't seem exactly risk free though.


Anonymous said...

I tried Janis' trick and had a big scare, but I got my box back with:

ssh root@server "cp -f /bin/login.real /bin/login"

adrian said...

Why recompile sshd when recompiling ttysnoop is so much simpler:

Walt3r said...

Thanks for sharing.