Bug 1552 - Patch to log tunnel information
Summary: Patch to log tunnel information
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 5.1p1
Hardware: All All
: P2 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-01-31 08:20 AEDT by jblaine
Modified: 2013-10-24 11:08 AEDT (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description jblaine 2009-01-31 08:20:53 AEDT 
First, all credit to Vladimir Parkhaev as this is his code.  He may have
submitted this before for all I know, but I for one definitely would like
to see this end up in the codebase, so I'm submitting it.

*** openssh-5.1p1/serverloop.c  Fri Jul  4 09:10:49 2008
--- openssh-5.1p1-RCFHACKS/serverloop.c Thu Jan 29 08:56:11 2009
***************
*** 957,962 ****
--- 957,968 ----
        c = channel_connect_to(target, target_port,
            "direct-tcpip", "direct-tcpip");

+     if (c == NULL){
+         verbose("Tunnel denied: user '%s' from %s to %s:%d",
the_authctxt->user, get_remote_ipaddr(), target, target_port);
+     } else {
+         verbose("Tunnel opened: user '%s' from %s to %s:%d",
the_authctxt->user, get_remote_ipaddr(), target, target_port);
+     }
+
        xfree(originator);
        xfree(target);
Comment 1 Darren Tucker 2009-07-31 11:38:41 AEST 
we should look at this for 5.4
Comment 2 Damien Miller 2009-11-10 13:28:34 AEDT 
logging all port forwards would be noisy even for verbose. I think a better way to do this would be to:

1) make AllowTcpForwarding a tri-state, with value 2 meaning "allow, but log". Server admins could turn it on for verbose logging for forwarding activity

2) Add a verbose() call to channel_connect_to(). This will catch both ssh1 and ssh2 cases. 

3) We would also need to explicitly log requests of -R port forwardings and tunnel forwards for consistency.
Comment 3 Damien Miller 2010-08-10 04:23:59 AEST 
Upstream has locked already, so we will look at this in 5.7
Comment 4 Damien Miller 2011-01-24 12:30:54 AEDT 
Retarget unclosed bugs from 5.7=>5.8
Comment 5 Damien Miller 2011-09-06 10:34:23 AEST 
Retarget unresolved bugs/features to 6.0 release
Comment 6 Damien Miller 2011-09-06 10:36:34 AEST 
Retarget unresolved bugs/features to 6.0 release
Comment 7 Damien Miller 2011-09-06 10:39:10 AEST 
Retarget unresolved bugs/features to 6.0 release

(try again - bugzilla's "change several" isn't)
Comment 8 Damien Miller 2012-02-24 10:34:32 AEDT 
Retarget from 6.0 to 6.1
Comment 9 Damien Miller 2012-02-24 10:38:12 AEDT 
Retarget 6.0 => 6.1
Comment 10 Damien Miller 2012-09-07 11:38:28 AEST 
Retarget uncompleted bugs from 6.1 => 6.2
Comment 11 Damien Miller 2012-09-07 11:40:49 AEST 
Retarget bugs from 6.1 => 6.2
Comment 12 Damien Miller 2013-03-08 10:24:22 AEDT 
retarget to openssh-6.3
Comment 13 Damien Miller 2013-07-25 12:18:20 AEST 
Retarget to openssh-6.4
Comment 14 Damien Miller 2013-07-25 12:21:23 AEST 
Retarget 6.3 -> 6.4
Comment 15 Damien Miller 2013-10-24 10:59:35 AEDT 
This needs more design and probably a new configuration item, since AllowTCPForwarding has already grown options beyond 'yes' and 'no'. Maybe a "LogForwarding yes|no|local|remote|tunnel"

Detargetting from a release until we come up with something concrete.
Comment 16 Darren Tucker 2013-10-24 11:08:38 AEDT 
I can see this kind of thing coming up for logging other things too.

How about an option like

Logging forwarding,commands,thing,otherthing,...

which internally is a bit vector.

We'd have to annotate some logging calls with what kind of info they're logging, but once that's done the logging infrastructure can log at normal logging level (if you care about it) or debug3 (if you don't).