Fwd: Re: Contribution

Jim plug-discuss@lists.plug.phoenix.az.us
Sat, 6 Jul 2002 09:56:28 -0700




An interesting look into forensic computing . . . 

(note:  this document was originally in PDF format but because I had trouble opening it, the 
author graciously converted it to HTML)

----------  Forwarded Message  ----------
Subject: Re: Contribution
Date: Fri, 05 Jul 2002 14:59:55 -0700
From: Imre Kertesz <ikertesz@fastq.com>
To: Jim <farli@unitywave.com>


I have included the document in HTML format.

Jim wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> no luck again - sorry
>
> On Friday 05 July 2002 12:14, you wrote:
> > Let me try this without the digital sig. That sometimes causes problems.
> > If not, I will convert it to the standard HOWTO HTML format.
> >
> > -I
> >
> > Jim wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > I was unable to open your pdf file either directly or after saving it
> > > locally.  Is it possible to convert the file to ascii or html or some
> > > other non-proprietary data format?
> > >
> > > On Friday 05 July 2002 10:42, you wrote:
> > > > Folks,
> > > >
> > > > I don't know who to contact since I am not even new to the group so
> > > > here I am. I am submitting a HOWTO that I did yesterday on
> > > > integrating the ttysnoop session monitoring utility with OPENSSH.
> > > > Very handy for forensic purposes or just good network vigilance.
> > > >
> > > > Also, I plan to attend the next PLUG group meeting and have a huge
> > > > bag of topics that I could present - depends upon the crowd, though.
> > > > A couple of them are Linux-based Everquest session monitoring
> > > > utilities (for the Everquest enthusiasts - always causes jaws to
> > > > drop) or for the more advanced crowd, building distributed cracking
> > > > clusters with Linux for on-the-fly 40-bit SSL crackage (a little more
> > > > dangerous and intended for "white hat" users). I have other
> > > > interesting presentations - depends on the crowd. Please let me know
> > > > if there is any interest.
> > > >
> > > > Thanks - I

--

- -· · ···- · ·-· ·--· · - ·- -··· ··- ·-· -· ·· -· --· -·· --- --·
"If you sit quietly at the edge of a river, eventually
you will see the bodies of your enemies float by"
-A maxim of patience, author unknown

Imre Kertesz
480.363.1492
PGP ID: 0x1C1E5054

-------------------------------------------------------

-- 
Jim

Freedom is worth protecting



<html xmlns:v="urn:schemas-microsoft-com:vml"
xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word"
xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1252">
<title>HOWTO SSH with TTYSNOOP</title>
</head>

<body lang=EN-US link=blue vlink=purple style='tab-interval:.5in'>

<div class=Section1>

<h1><span style='mso-bidi-font-family:Tahoma;mso-bidi-font-weight:normal'>(v2.0)
HOWTO OPENSSH with TTYSNOOP <o:p></o:p></span></h1>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>Imre Kertesz
&lt;ikertesz@metasecuritygroup.com&gt; July 2002<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<h1><span style='mso-bidi-font-family:Tahoma'>Introduction<o:p></o:p></span></h1>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal>As documented in the ttysnoop package, ttysnoop allows
snooping on a login tty through another tty device or pseudo-tty. The
snoop tty becomes a 'clone' of the original tty, redirecting both input and
output from/to it.</p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal>Although the ttysnoop code contains authentication
mechanisms to prevent unauthorized use, the code is not foolproof and may allow
an unauthorized user to compromise the host system in a number of ways. In
other words – Use At Your Own Risk. However, it is an extremely effective and
capable utility for what it is designed to do.</p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><span
style="mso-spacerun: yes"> </span><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>Although ttysnoop is designed
and documented to work with a telnet-based tty session, this HOWTO
describes how to configure it to work with OPENSSH. I used ttysnoop v0.12d, which has not
changed appreciably since the previous version, and OPENSSH (version
OpenSSH_3.0.2p1) because of the widespread use of OPENSSH over commercial
products.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>Typical scenario: <o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>USER1 connects to
the mainbase server via OPENSSH (in my test bed, I am using SecureCRT 3.0 and
ssh2). ROOT notices the connection and
lists the contents of the <b style='mso-bidi-font-weight:normal'>/var/spool/ttysnoop</b>
directory to get the name of the clone ttysnoop session. ROOT runs the ttysnoop utility, using the
name of the session found in <b>/var/spool/ttysnoop</b> as an argument. ROOT is prompted for a password
(authorization to use the utility) and, if authenticated, a clone of USER1’s tty
starts. All typed commands and
standard output that appear in USER1’s tty also appear in ROOT’s cloned
tty. ROOT can also enter commands that
will appear and function in USER1’s tty as if USER1 had entered them.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<h1>Components</h1>

<p class=MsoNormal><b><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></b></p>

<table border=1 cellspacing=0 cellpadding=0 style='border-collapse:collapse;
 border:none;mso-border-alt:solid windowtext .5pt;mso-padding-alt:0in 5.4pt 0in 5.4pt'>
 <tr>
  <td width=182 valign=top style='width:136.2pt;border:solid windowtext .5pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
  style='mso-bidi-font-family:Tahoma'>ttysnoop<o:p></o:p></span></b></p>
  </td>
  <td width=409 valign=top style='width:306.6pt;border:solid windowtext .5pt;
  border-left:none;mso-border-left-alt:solid windowtext .5pt;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>The client
  portion – the piece that is used to connect to ttysnoops <o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=182 valign=top style='width:136.2pt;border:solid windowtext .5pt;
  border-top:none;mso-border-top-alt:solid windowtext .5pt;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
  style='mso-bidi-font-family:Tahoma'>ttysnoops<o:p></o:p></span></b></p>
  </td>
  <td width=409 valign=top style='width:306.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext .5pt;border-right:solid windowtext .5pt;
  mso-border-top-alt:solid windowtext .5pt;mso-border-left-alt:solid windowtext .5pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>The server
  portion – the piece that replaces <b style='mso-bidi-font-weight:normal'>/bin/login</b>
  as the login program <o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=182 valign=top style='width:136.2pt;border:solid windowtext .5pt;
  border-top:none;mso-border-top-alt:solid windowtext .5pt;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
  style='mso-bidi-font-family:Tahoma'>/etc/snooptab<o:p></o:p></span></b></p>
  </td>
  <td width=409 valign=top style='width:306.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext .5pt;border-right:solid windowtext .5pt;
  mso-border-top-alt:solid windowtext .5pt;mso-border-left-alt:solid windowtext .5pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>The
  configuration file – used to define which tty’s to listen to<o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=182 valign=top style='width:136.2pt;border:solid windowtext .5pt;
  border-top:none;mso-border-top-alt:solid windowtext .5pt;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
  style='mso-bidi-font-family:Tahoma'>/var/spool/ttysnoop<o:p></o:p></span></b></p>
  </td>
  <td width=409 valign=top style='width:306.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext .5pt;border-right:solid windowtext .5pt;
  mso-border-top-alt:solid windowtext .5pt;mso-border-left-alt:solid windowtext .5pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>The directory
  that keeps track of currently running server instances<o:p></o:p></span></p>
  </td>
 </tr>
 <tr>
  <td width=182 valign=top style='width:136.2pt;border:solid windowtext .5pt;
  border-top:none;mso-border-top-alt:solid windowtext .5pt;padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
  style='mso-bidi-font-family:Tahoma'>sshd<o:p></o:p></span></b></p>
  </td>
  <td width=409 valign=top style='width:306.6pt;border-top:none;border-left:
  none;border-bottom:solid windowtext .5pt;border-right:solid windowtext .5pt;
  mso-border-top-alt:solid windowtext .5pt;mso-border-left-alt:solid windowtext .5pt;
  padding:0in 5.4pt 0in 5.4pt'>
  <p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>OPENSSH server,
  specially configured<o:p></o:p></span></p>
  </td>
 </tr>
</table>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<h1>Installation of ttysnoop</h1>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=numbered><![if !supportLists]>1.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;
</span><![endif]>Unpack the source tarball</p>

<p class=numbered style='margin-left:0in;text-indent:0in;mso-list:none;
tab-stops:.5in'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=numbered><![if !supportLists]>2.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;
</span><![endif]>Check the authentication mechanism</p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>In my experience
with ttysnoop, I had difficulty authenticating with the ttysnoops server when
prompted. By default, ttysnoop will
query for the root password when attempting to connect to create a clone
tty. According to the documentation,
this can be changed by editing the config.h file and changing the <b>#define
SNOOPUSER &quot;root&quot;</b> line
to something other than root.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>Despite this
change, I was still unable to authenticate. This does not mean it won’t work for you – try it first. It may work. I
bypassed the problem by editing the <b style='mso-bidi-font-weight:normal'>ttysnoops.c</b>
file and changing the authentication subroutine to prompt for an alternate
means of identification. It’s not the
most secure alternative but it’s quick and it works.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>Snippet from <b>ttysnoops.c</b>:<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<pre style='font-family:"Courier New";font-weight:bold'>#ifndef SHADOW_PWD
                        if (strcmp(buff, &quot;lamer&quot;) == 0)
#else
                        if (strcmp(buff, &quot;lamer&quot;) == 0)
#endif</pre>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=numbered><![if !supportLists]>3.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;
</span><![endif]>Compile the source code, as documented. </p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>By default, </span><b><span
style='font-family:"Courier New"'>make install</span></b><span
style='mso-bidi-font-family:Tahoma'> will place the executables in <b>/sbin</b>.
For the sake of obfuscation, I change the name and behavior of most of my
services. In this example, I changed <b>/sbin/ttysnoops</b>
to <b>/sbin/foo_login</b>.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=numbered><![if !supportLists]>4.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;
</span><![endif]>Create the /var/spool/ttysnoop directory.<span
style="mso-spacerun: yes">  </span>This is not done automatically.</p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>Don’t put anything
in this directory. When a user logs in
through the <b style='mso-bidi-font-weight:normal'>ttysnoops</b> server
(discussed later), a file appears in the <b style='mso-bidi-font-weight:normal'>/var/spool/ttysnoop</b>
directory that corresponds to that user’s session (<b>ttyp0</b>, <b>ttyp1</b>, <b>ttyp2</b>,
etc.). The mere existence of a file
appearing in the <b style='mso-bidi-font-weight:normal'>/var/spool/ttysnoop</b>
directory will confirm a successful <b>ttysnoop</b> login. However, <b>ttysnoops</b> does not clean the
file up upon termination of the corresponding session, so the files will remain
there (as “afterimages”) until used again or manually deleted.<o:p></o:p></span></p>
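<p class=MsoNormal>Because ttysnoops leaves these afterimage files behind, a listing of /var/spool/ttysnoop on its own does not tell you which snoop sessions are live. The POSIX shell script below is an added example and is not part of the HOWTO or of the ttysnoop package: it reconciles the spool listing against the ttys that currently have a logged-in user, as reported by who(1). Entry names carrying the trailing '=' that ls -F prints for sockets (the HOWTO's listing shows "ttyp0=") are normalised, and the classification functions take their input as arguments, so the same check can be run over a captured listing from a forensic image as well as on the live host. The tty naming (ttyp0 rather than pts/0) and the column layout of who are assumptions about the HOWTO's era of system.</p>

```shell
#!/bin/sh
# Added example (not from the HOWTO): reconcile /var/spool/ttysnoop entries
# against the ttys that currently have a login session, so that stale
# "afterimage" files are not mistaken for live snoop sessions.

# Normalise one spool entry name: strip the '=' suffix that `ls -F` prints
# for sockets (the HOWTO's listing shows "ttyp0="), and any leading /dev/.
normalize_tty() {
    t=${1%=}
    t=${t#/dev/}
    printf '%s\n' "$t"
}

# classify_spool_entries SPOOL_LIST ACTIVE_LIST
#   SPOOL_LIST : newline-separated names found in /var/spool/ttysnoop
#   ACTIVE_LIST: newline-separated ttys with a logged-in user (from `who`)
# Prints one "STATUS NAME" line per spool entry, STATUS being live or stale.
classify_spool_entries() {
    spool=$1
    active=$2
    printf '%s\n' "$spool" | while IFS= read -r raw; do
        [ -n "$raw" ] || continue
        name=$(normalize_tty "$raw")
        # exact whole-line, fixed-string match so ttyp1 does not match ttyp10
        if printf '%s\n' "$active" | grep -qxF "$name"; then
            printf 'live %s\n' "$name"
        else
            printf 'stale %s\n' "$name"
        fi
    done
}

# stale_spool_entries SPOOL_LIST ACTIVE_LIST: only the names with no session.
stale_spool_entries() {
    classify_spool_entries "$1" "$2" | awk '$1 == "stale" { print $2 }'
}

# Live-system wrapper: spool directory and `who` output gathered on the host.
# Assumes who(1) prints the tty in its second column (true on Linux); the
# ttyp* names are those of the HOWTO's era, modern systems show pts/N.
report_live_spool() {
    dir=${1:-/var/spool/ttysnoop}
    spool=$(ls -A "$dir" 2>/dev/null)
    active=$(who | awk '{ print $2 }')
    classify_spool_entries "$spool" "$active"
}

# Usage on the live host:  sh snoopcheck.sh --report [/var/spool/ttysnoop]
if [ "${1:-}" = "--report" ]; then
    report_live_spool "${2:-/var/spool/ttysnoop}"
fi
```

<p class=MsoNormal>A stale entry is not only clutter: it records that a tty was once used through ttysnoops, so when working an incident the afterimages are worth preserving (copy the listing with timestamps) before they are deleted to keep the directory meaningful again.</p>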

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=numbered><![if !supportLists]>5.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;
</span><![endif]>Copy the snooptab.dist file</p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>From the source
directory, copy the <b>snooptab.dist</b> file to <b>/etc/snooptab</b>. ttysnoop uses this to generate the files
that you will find in the <b style='mso-bidi-font-weight:normal'>/var/spool/ttysnoop</b>
directory.<o:p></o:p></span></p>
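<p class=MsoNormal>Steps 1 to 5 above gathered into one script, added here as an example; it is not part of the HOWTO or of the ttysnoop package. The build function runs make as the HOWTO describes (the tarball name is an assumption), and the filesystem functions take a root prefix so they can be rehearsed in a scratch directory before being run as root against /. They also add the checks a careful installer wants: the rename of ttysnoops to foo_login is logged so a later audit can tell what /sbin/foo_login is, the spool directory is created root-only and refused if it already holds stale session files, and an existing /etc/snooptab is never overwritten.</p>

```shell
#!/bin/sh
# Added example (not from the HOWTO or the ttysnoop package): the installation
# steps as a script. Build steps call make as the HOWTO does; the filesystem
# steps take a root prefix ("" for the live system) so they can be rehearsed
# in a scratch directory first.
set -eu

# Steps 1 and 3: unpack and build. The tarball name is an assumption. Review
# the authentication code in ttysnoops.c (step 2) before this runs, because
# `make install` puts the binaries straight into /sbin. Not run automatically.
build_ttysnoop() {           # $1 = tarball, e.g. ttysnoop-0.12d.tar.gz (assumed name)
    tar xzf "$1"
    cd "${1%.tar.gz}"
    make && make install
}

# Step 3, continued: rename the server binary as the HOWTO does
# (/sbin/ttysnoops -> /sbin/foo_login) and log the rename so that an auditor
# can later tell what the oddly named login program really is.
rename_snoop_server() {      # $1 = root prefix, $2 = new name
    src="$1/sbin/ttysnoops"
    dst="$1/sbin/$2"
    [ -x "$src" ] || { echo "no executable at $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    mv "$src" "$dst"
    mkdir -p "$1/etc"
    printf '%s ttysnoops renamed to %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$dst" \
        >> "$1/etc/ttysnoop-install.log"
}

# Step 4: create /var/spool/ttysnoop. ttysnoops does not create it, and the
# HOWTO says nothing else belongs in it; a non-empty directory means stale
# session files that would be mistaken for live logins, so it is refused.
prepare_spool_dir() {        # $1 = root prefix
    dir="$1/var/spool/ttysnoop"
    mkdir -p "$dir"
    chmod 0700 "$dir"        # session names reveal who is logged in: root only
    if [ -n "$(ls -A "$dir")" ]; then
        echo "$dir is not empty; remove stale session entries first" >&2
        return 1
    fi
}

# Step 5: copy snooptab.dist to /etc/snooptab without clobbering a tuned copy.
install_snooptab() {         # $1 = unpacked source dir, $2 = root prefix
    src="$1/snooptab.dist"
    dst="$2/etc/snooptab"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$2/etc"
    if [ -e "$dst" ]; then
        echo "keeping existing $dst" >&2
        return 0
    fi
    cp "$src" "$dst"
    chmod 0644 "$dst"
}

# Usage on the live host, as root, after build_ttysnoop has run:
#   rename_snoop_server "" foo_login && prepare_spool_dir "" \
#       && install_snooptab ./ttysnoop-0.12d ""
```

<p class=MsoNormal>Run with a scratch root first (for example a directory created with mktemp -d that contains a dummy sbin/ttysnoops and src/snooptab.dist); every function reports and returns non-zero on the condition it guards against, so the script can be wired into a larger provisioning step without silently half-installing.</p>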

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<h1>Configuration of OPENSSH</h1>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>There are a few
ways to kick off the <b><i>special </i></b>OPENSSH server. If <b>ttysnoop</b> will be a permanent
installation, you might want to consider using <b>inetd.conf </b>or <b>xinetd.d
</b>with TCP_WRAPPERS for improved access control. Refer to the TCP_WRAPPERS HOWTO for more information on how to
set that up. In the following examples,
we will configure a basic, manually started OPENSSH server.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>If you were
configuring telnet for use with ttysnoop, it would simply be a matter of
editing the <b>/etc/inetd.conf</b> file to change telnet’s default login
program:<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoBodyText>telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -L
/sbin/ttysnoops </p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>With OPENSSH,
recompilation is necessary.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=numbered style='mso-list:l2 level1 lfo5'><![if !supportLists]>1.<span
style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp; </span><![endif]>Recompile
ssh to change the default login program.</p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>I am using
OpenSSH_3.0.2p1. In other versions,
compile-time arguments allow changing the default login program. With this version, because there is not a
compile-time argument to specify an alternate login program, the LOGIN_PROGRAM
environment variable needs to be set prior to compilation. Use the name of the <b>ttysnoops</b>
server that we changed earlier as the value.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><b><span style='font-family:"Courier New"'>#
LOGIN_PROGRAM=/sbin/foo_login; export LOGIN_PROGRAM<o:p></o:p></span></b></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>When compiling the
<b><i>special </i></b>OPENSSH server, I use an alternate directory because
there is also an <b><i>unblemished </i></b>OPENSSH server on the machine. In this example, I will use
/opt/haktopenssh as the PREFIX directory.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><b><span style='font-family:"Courier New"'># ./configure
--prefix=/opt/haktopenssh --with-pam<o:p></o:p></span></b></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=numbered><![if !supportLists]>2.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;
</span><![endif]>Configure OPENSSH</p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>In the <b>/opt/haktopenssh/etc/sshd_config</b>
file, set the <b>UseLogin</b> option as follows:<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><b><span style='font-family:"Courier New"'>UseLogin yes<o:p></o:p></span></b></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=numbered><![if !supportLists]>3.<span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;
</span><![endif]>Start sshd</p>

<p class=numbered style='margin-left:0in;text-indent:0in;mso-list:none;
tab-stops:.5in'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></p>

<p class=numbered style='margin-left:0in;text-indent:0in;mso-list:none;
tab-stops:.5in'><span style='font-weight:normal;mso-bidi-font-weight:bold'>Manually
or via automated process (</span>inetd.conf<span style='font-weight:normal;
mso-bidi-font-weight:bold'>, </span>xinetd.d<span style='font-weight:normal;
mso-bidi-font-weight:bold'>, </span>init.d<span style='font-weight:normal;
mso-bidi-font-weight:bold'>, etc.)<o:p></o:p></span></p>

<p class=MsoHeader style='tab-stops:.5in'><span style='mso-bidi-font-family:
Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><b><span style='font-family:"Courier New"'>#
/opt/haktopenssh/sbin/sshd -p15151<o:p></o:p></span></b></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>-p15151 starts <b>sshd</b>
on a non-standard port<o:p></o:p></span></p>
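<p class=MsoNormal>Steps 1 to 3 of the OPENSSH configuration as one added example script; it is not part of the HOWTO or of OpenSSH. build_special_sshd performs the LOGIN_PROGRAM export and the configure/make with the HOWTO's prefix. set_sshd_option edits the special server's sshd_config idempotently: sshd honours the first occurrence of a keyword, so appending "UseLogin yes" below an existing "UseLogin no" would do nothing, and the function instead replaces any active or commented-out occurrence with a single active line. start_special_sshd refuses to start unless UseLogin is actually in effect (otherwise logins would bypass ttysnoops unnoticed) and passes -f explicitly so the unblemished server's configuration cannot be picked up by mistake. One caveat for anyone reading this today: UseLogin was removed from OpenSSH in version 7.4, so the HOWTO's approach applies only to the 3.x-era server it describes.</p>

```shell
#!/bin/sh
# Added example (not from the HOWTO or OpenSSH): build, configure and start the
# "special" sshd that hands logins to the renamed ttysnoops server.
set -eu

PREFIX=/opt/haktopenssh          # prefix used in the HOWTO
LOGIN_PROG=/sbin/foo_login       # renamed ttysnoops server from the HOWTO
SNOOP_PORT=15151                 # non-standard port used in the HOWTO

# Step 1: LOGIN_PROGRAM must be in the environment when configure runs,
# because OpenSSH_3.0.2p1 has no configure flag for it. Run inside the
# unpacked OpenSSH source directory; not invoked automatically here.
build_special_sshd() {
    LOGIN_PROGRAM=$LOGIN_PROG; export LOGIN_PROGRAM
    ./configure --prefix="$PREFIX" --with-pam
    make && make install
}

# Step 2: set a keyword in an sshd_config idempotently. sshd uses the first
# occurrence of a keyword, so every active or commented occurrence is
# replaced by one active line and the line is appended only if the keyword
# was absent. Matching is case-insensitive like sshd's; the "Keyword value"
# line form shown in the HOWTO is assumed.
set_sshd_option() {              # $1 = config file, $2 = keyword, $3 = value
    cfg=$1; key=$2; val=$3
    tmp="$cfg.tmp.$$"
    awk -v k="$key" -v v="$val" '
        BEGIN { lk = tolower(k); done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # look through a leading "#"
            n = split(line, f, " ")
            if (n > 0 && tolower(f[1]) == lk) {
                if (!done) { print k " " v; done = 1 }
                next                           # drop later duplicates
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Read back the effective value the way sshd would: first active occurrence.
get_sshd_option() {              # $1 = config file, $2 = keyword
    awk -v k="$2" '
        BEGIN { lk = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == lk { print $2; exit }
    ' "$1"
}

# Step 3: start the special server on its own port with its own config file,
# after confirming that UseLogin is really in effect.
start_special_sshd() {           # $1 = config file (default: the special prefix's)
    cfg=${1:-$PREFIX/etc/sshd_config}
    [ "$(get_sshd_option "$cfg" UseLogin)" = "yes" ] || {
        echo "$cfg does not set UseLogin yes; logins would bypass ttysnoops" >&2
        return 1
    }
    "$PREFIX/sbin/sshd" -f "$cfg" -p "$SNOOP_PORT"
}

# Usage on the host, as root, from the OpenSSH source directory:
#   build_special_sshd
#   set_sshd_option "$PREFIX/etc/sshd_config" UseLogin yes
#   start_special_sshd
```

<p class=MsoNormal>The same set_sshd_option function can pin the port in the configuration file instead of on the command line, which keeps the special server's whole identity (prefix, port, UseLogin) in one reviewable file rather than split between a config and whatever init script happens to start it.</p>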

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<h1>Using ttysnoop</h1>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>Users logging in
through OPENSSH will now transparently invoke foo_login (AKA ttysnoops). When they log in, a listing of <b
style='mso-bidi-font-weight:normal'>/var/spool/ttysnoop</b> will confirm
successful operation.<o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
style='font-family:"Courier New"'># ls /var/spool/ttysnoop/<o:p></o:p></span></b></p>

<p class=MsoNormal><b><span style='font-family:"Courier New"'>ttyp0=<o:p></o:p></span></b></p>

<p class=MsoNormal><b><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></b></p>

<p class=numbered style='margin-left:0in;text-indent:0in;mso-list:none;
tab-stops:.5in'>Connect and authenticate</p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
style='font-family:"Courier New"'># ttysnoop ttyp0<o:p></o:p></span></b></p>

<p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
style='font-family:"Courier New"'>Connected to ttyp0 snoop server...<o:p></o:p></span></b></p>

<p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
style='font-family:"Courier New"'>Ctrl+'\' (ASCII 28) to suspend, Ctrl+'-'
(ASCII 31) to terminate.<o:p></o:p></span></b></p>

<p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
style='font-family:"Courier New"'>Snoop password:<o:p></o:p></span></b></p>

<p class=MsoNormal><b style='mso-bidi-font-weight:normal'><span
style='font-family:"Courier New"'>Verified OK... Snoop started.<o:p></o:p></span></b></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'><![if !supportEmptyParas]>&nbsp;<![endif]><o:p></o:p></span></p>

<p class=MsoNormal><span style='mso-bidi-font-family:Tahoma'>Have fun!<o:p></o:p></span></p>

</div>

</body>

</html>
