I am working on a software for log file analysis, and one of the ideas is to identify active sessions on a system so the software can warn if something is running as a user on a system when that user is not logged in. Here is a typical log output from sshd (the portable version) on my Linux server: Nov 20 12:00:42 ptrace sshd[27769]: Accepted publickey for leitner from [ip] port 41122 ssh2: ED25519 [fingerprint] Nov 20 12:00:51 ptrace sshd[27773]: Received disconnect from [ip]: 11: disconnected by user Note how there is insufficient information here to link these two log entries. The PID of sshd is different, and the IP alone is not sufficient to link the entry. There could be more than one login from that IP. Adding the user name that is disconnecting would help, but it would still be more of a heuristic than a real link. Suggestion: Add the port to the disconnect message. Or make sure both the accept and disconnect messages come from the same PID. Or put a unique session ID in the messages so collation is possible. Or all of the above :-) Note that the problem goes away if you use PAM, because PAM does additional logging on top of what sshd does. However, PAM is not mandatory (I don't use PAM here), and I think it should be possible to do this kind of analysis even without PAM. Otherwise why do we have sshd logs in the first place?
Created attachment 2765 [details] include port number in more places Loglevel=verbose already gives you most of the information you want: Dec 11 13:26:53 fuyu sshd[14096]: Connection from 203.217.30.82 port 36726 on 203.217.30.81 port 22 Dec 11 13:26:54 fuyu sshd[14096]: Postponed publickey for djm from 203.217.30.82 port 36726 ssh2 [preauth] Dec 11 13:26:58 fuyu sshd[14096]: Accepted publickey for djm from 203.217.30.82 port 36726 ssh2: ECDSA SHA256:LmoNaxGFFurT6S2Q67RFuuxIq4is0rVLLdkt6Qgvy66E Dec 11 13:26:58 fuyu sshd[14096]: User child is on pid 17347 Dec 11 13:26:58 fuyu sshd[17347]: Starting session: shell on ttyp2 for djm from 203.217.30.82 port 36726 Dec 11 13:27:13 fuyu sshd[17347]: Received disconnect from 203.217.30.82: 11: disconnected by user Dec 11 13:27:13 fuyu sshd[17347]: Disconnected from 203.217.30.82 That being said, we could include the port in disconnect messages.
Comment on attachment 2765 [details] include port number in more places ok, but I think we should also explicitly cache these values as early as practical (ie just after accept, and just after the inetd/reexec handling) to minimise the chance they'll vanish by the time they're needed.
The caching is already triggered as soon as the packet code is informed of the connection fds. See https://anongit.mindrot.org/openssh.git/tree/packet.c?id=39736be06c#n298 Anyway, patch is applied - this will be in OpenSSH 7.2. It looks like this now: Dec 11 14:28:29 fuyu sshd[15956]: Connection from 203.217.30.82 port 38485 on 203.217.30.81 port 22 Dec 11 14:28:30 fuyu sshd[15956]: Postponed publickey for djm from 203.217.30.82 port 38485 ssh2 [preauth] Dec 11 14:28:32 fuyu sshd[15956]: Accepted publickey for djm from 203.217.30.82 port 38485 ssh2: ECDSA SHA256:LmoNaxGFFurT6S2Q67RFuuxIq4is0rVLLdkt6Qgvy66E Dec 11 14:28:32 fuyu sshd[15956]: User child is on pid 26320 Dec 11 14:28:32 fuyu sshd[26320]: Starting session: shell on ttyp3 for djm from 203.217.30.82 port 38485 Dec 11 14:28:38 fuyu sshd[26320]: Received disconnect from 203.217.30.82 port 38485:11: disconnected by user Dec 11 14:28:38 fuyu sshd[26320]: Disconnected from 203.217.30.82 port 38485
Close all resolved bugs after 7.3p1 release