GitHub - jpmens/hared-hare: Alerting or notifying on SSH logins
hared-hare

This is the C program (hare) and the Python daemon (hared) for this story.

hare is a small utility which is installed in a PAM configuration (e.g. for sshd) in order to report each successful login, e.g. to alert on machines which are seldom visited or otherwise monitored.

hare transmits a JSON string over a UDP datagram. The JSON looks like this:

{
  "tty": "tty1",
  "service": "login",
  "hostname": "zabb01",
  "user": "jjolie",
  "tst": 1522154553,
  "rhost": "<unknown>",
  "remote" : "10.0.12.1"
}

The values for user, rhost, tty, and service are taken from their PAM_ equivalents as set by PAM, and hostname contains the gethostname(3) result as determined by hare. remote is the IP address of the hare client as seen by hared.
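Receiver-side handling of this datagram, as an added example that is not hared's own code: it validates the fields hare sends and sets remote from the datagram's source address, ignoring any remote value carried in the payload. The size limit, the requirement that all six fields be present, and the names parse_hare_datagram and serve are assumptions of this example.

```python
import json
import socket

# Fields hare sends, per the JSON shown above; "remote" is added by the receiver.
EXPECTED = {"tty": str, "service": str, "hostname": str,
            "user": str, "tst": int, "rhost": str}
MAX_DATAGRAM = 2048  # assumption: generous upper bound for one login event


def parse_hare_datagram(data, addr):
    """Return a validated event dict, or None if the datagram is malformed.
    addr is the (ip, port) tuple from recvfrom(); it alone decides "remote"."""
    if len(data) > MAX_DATAGRAM:
        return None
    try:
        msg = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError):
        return None
    if not isinstance(msg, dict):
        return None
    event = {}
    for key, typ in EXPECTED.items():
        value = msg.get(key)
        # bool is a subclass of int in Python, so reject it explicitly
        if not isinstance(value, typ) or isinstance(value, bool):
            return None
        event[key] = value
    event["remote"] = addr[0]  # observed source IP, never the payload's claim
    return event


def serve(bind_ip, port, handler=print):
    """Receive datagrams forever and pass each valid event to handler."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, addr = sock.recvfrom(MAX_DATAGRAM + 1)
            event = parse_hare_datagram(data, addr)
            if event is not None:
                handler(event)


# Constructed sample: the payload from the JSON above, without "remote"
SAMPLE = (b'{"tty": "tty1", "service": "login", "hostname": "zabb01", '
          b'"user": "jjolie", "tst": 1522154553, "rhost": "<unknown>"}')

if __name__ == "__main__":
    print(parse_hare_datagram(SAMPLE, ("10.0.12.1", 40000)))
```

UDP source addresses are not authenticated, so remote identifies where the datagram appeared to come from, not who sent it.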

Python hared is also installable via https://pypi.python.org/pypi/hared/

More

OpenBSD

OpenBSD has no PAM, but we can still use hare to record SSH logins with a bit of a trick:

  1. Create a shell script /etc/ssh/sshrc with mode 0755 and owner root, with approximately the following content:

     #!/bin/sh

     # set environment variables which will be used by hare:
     export PAM_TYPE=open_session
     export PAM_USER="$LOGNAME"
     export PAM_SERVICE=ssh
     # SSH_CLIENT is "client-ip client-port server-port"; keep only the IP
     export PAM_RHOST="$(echo "$SSH_CLIENT" | cut -d' ' -f1)"
     # SSH_TTY is empty when the session has no tty
     export PAM_TTY="$SSH_TTY"

     /usr/local/bin/hare 127.0.0.1

  2. Ensure hared is running on the address you specify for hare to connect to.
  3. Logins via SSH should now be recorded.
