in reply to Re: Re: Net::SSH::Perl Module Problem
in thread Net::SSH::Perl Module Problem
The easy way, and still not too bad, is to monitor the log file from sshd or your messages file. It has basically all the information you want there. Since I don't know what OS you are running, I will relate things to Red Hat Linux.
In my /var/log/messages file I have the following:

    Jul 30 11:09:52 localhost sshd(pam_unix)[3023]: session opened for user username1 by (uid=502)
    ... more lines of other data ...
    Jul 30 11:10:42 localhost sshd(pam_unix)[3023]: session closed for user username1

K, this gets long-winded...
You will notice a few things here. First the date and time are present, next the servername (localhost in this case) followed by the process (sshd). This is one of the things you will want to look for. The number between the square brackets is the pid of the sshd process that was spawned off to handle this user's connection. This pid will be unique on the system as long as the user is logged in. Then a little further in the line you see the username, "username1" in this case.
This would provide you with all the information you need. I would recommend reading through the file, and when you see the appropriate lines, sshd and "session opened", you could add something to a hash, maybe '$hash{username_pid} = logintime'. Then when you see a disconnection, "session closed", you could look for that same username_pid in the hash you maintained and delete it.
You could perform any other actions you wish when you add to or delete from the hash, such as sending an email. This is a nice accurate way to get data per user and would provide the amount of time a user was in the system and the date/time window.
If you just want to be alerted in any instance, forget about the hash and just send an email when you see an event you are interested in, such as "User username1 has logged in" or "User username1 has logged out".
You will have an issue with reprocessing the same data in the messages file on the next iteration of your program. You can avoid this by keeping track of your position in the file with 'tell'; it returns the current position, in bytes, of the file pointer in the file. After your first run, issue a 'tell' and write that number to a file. When you start up again, read the file holding this byte offset, open the messages file for reading, and use 'seek' to position yourself where you last left off.
K, now for the hard part....
You could run sshd from inetd (although not recommended) and using tcp wrappers (explained elsewhere on google) you can wrap the sshd process to do work before and after the process is used. This is much more involved than it sounds and not really for this site. You can find much info on tcp wrappers on the web.
I hope this didn't make things any more difficult. I tried to be clear and still provide enough specific information to be useful.
Chad.
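
The approach described in the post above, as an added example that is not part of the original post: a Perl script that resumes reading the messages file at a saved byte offset with 'seek'/'tell' and tracks sessions in a hash keyed by username_pid. The state file path and the second (newer pam_unix) line layout accepted by the pattern are assumptions; the hash lives only for one run, so a logout whose login was seen in an earlier run is reported without a login time.

```perl
#!/usr/bin/perl
# Added example (not from the original post): sshd session tracker with tell/seek.
use strict;
use warnings;

# Assumed paths; change them for your system.
my $log_file   = '/var/log/messages';
my $state_file = '/var/tmp/sshd_watch.offset';

# Byte offset saved by the previous run (0 on the first run).
my $offset = 0;
if (open my $st, '<', $state_file) {
    my $saved = <$st>;
    $offset = $1 if defined $saved && $saved =~ /^(\d+)/;
    close $st;
}

open my $log, '<', $log_file or die "Cannot open $log_file: $!";
# A rotated or truncated log is shorter than the saved offset: start over.
$offset = 0 if $offset > (stat $log)[7];
seek($log, $offset, 0) or die "Cannot seek in $log_file: $!";

# Anchored at line start with the sshd tag directly before the message, so
# attacker-chosen text logged elsewhere in a line cannot fake an event.
my $event = qr/^(\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+sshd(?:\(pam_unix\))?\[(\d+)\]:\s+
               (?:pam_unix\(sshd:session\):\s+)?
               session\s(opened|closed)\sfor\suser\s([^\s(]+)/x;
my %session;    # "username_pid" => time of "session opened"
while (my $line = <$log>) {
    last unless $line =~ /\n\z/;    # half-written last line: reread next run
    $offset = tell($log);
    next unless $line =~ $event;
    my ($when, $pid, $what, $user) = ($1, $2, $3, $4);
    my $key = "${user}_$pid";
    if ($what eq 'opened') {
        $session{$key} = $when;
        print "User $user has logged in at $when (pid $pid)\n";
    } else {
        my $since = delete($session{$key}) // 'before this run started';
        print "User $user has logged out at $when (pid $pid, in since $since)\n";
    }
}
close $log;

# Save the new offset; write then rename so a crash cannot leave a partial file.
open my $out, '>', "$state_file.tmp" or die "Cannot write $state_file.tmp: $!";
print {$out} "$offset\n";
close $out or die "Cannot close $state_file.tmp: $!";
rename "$state_file.tmp", $state_file or die "Cannot rename state file: $!";
```

Run it from cron under an account that can read the messages file; replace the print statements with a mail call if you want alerts.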