How to monitor SSH sessions

Hi All

Is it possible to log and monitor user activities in an SSH session? Is there any configuration or a patch to apply? I'm currently using OpenSSH with AIX 5.3L

and my syslog.conf includes

auth.* /var/log/sshd/auth.log

and

in sshd_config it shows

SysLogFacility AUTH
LogLevel VERBOS

but no log file can be found under /var/log/sshd

Can anyone help me regarding this?

Thank You
-Anuradha

This is how you can do it

1) Change the user's shell to something else like
/bin/myscript (a script that you will write)

2) That script will actually log everything in a text file (in a weird place that he won't be able to guess) and process all the commands from the shell he/she was using earlier
So basically it's a wrapper around the shell

3) Stop the user from changing shells using sudo or other means

Basically this is not a foolproof plan as the user will be able to change the file since he will have the same access rights as the logshell

Let me think if there is another way of doing it

~Sage

Here is the solution

Run your script as root and run the user's command with the user's privileges

Log the commands as root and give a permission of 700 to the logfile with owner as root and group as sys (?)

Thanks
~Sage

Thank you very much for your replies, Sage...

I created a script and pointed it as my default shell. I also added the script location to /etc/shells

but chsh <user> /usr/bin/myscript failed with

3004-635 Error setting shell for "anu" to "/usr/bin/wrap" : Value is invalid.

The script works fine. Can my script work as a shell?
Here is the script:

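#! /bin/ksh
# Command to exec; left empty, so the arguments themselves are executed
OPERATION=
# Log file, relative to the current directory
LOGFILE="./log"

# Arguments passed to the wrapper, joined into one string
OPTIONS="$*"

# Append a timestamp, the user name and the arguments to the log
echo "`date` + `whoami` + $OPTIONS" >> "$LOGFILE"

# Replace this process with the requested command
exec $OPERATION "$@"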

Thank You
-Anuradha
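
Added example, not part of any post in this thread: a variant of the wrapper that sends its record to syslog through `logger` (facility auth, as in the syslog.conf line in the first post) instead of a file the user can write, and replaces control characters so a crafted command cannot forge log lines. `REAL_SHELL=/bin/ksh` and the tag `sshwrap` are assumptions; `/usr/bin/wrap` is the path from the error message. It records session start and the `-c` command that sshd passes, not keystrokes typed inside an interactive shell.

```sh
#!/bin/sh
# Login-shell wrapper: one syslog record per session, then hand over to the real shell.
REAL_SHELL=/bin/ksh     # assumption: the shell the user had before the change
TAG=sshwrap             # hypothetical syslog tag

# Replace every non-printable byte (newlines included) with '?' and cap the
# length, so the logged value always stays on a single syslog line.
sanitize() {
    printf '%s' "$1" | tr -c '[:print:]' '?' | cut -c1-512
}

# Build one record. $1 = user, $2 = client address, $3 = arguments (may be empty).
format_record() {
    printf 'user=%s from=%s cmd=%s' \
        "$(sanitize "$1")" "$(sanitize "$2")" "$(sanitize "${3:-<interactive>}")"
}

main() {
    client=${SSH_CLIENT:-local}     # sshd sets this to "ip port port"
    client=${client%% *}            # keep the address only
    # syslogd writes the record, so the user needs no write access to the log.
    logger -t "$TAG" -p auth.info "$(format_record "$(id -un)" "$client" "$*")"
    # No arguments: interactive session. Otherwise sshd passed: -c "command".
    exec "$REAL_SHELL" "$@"
}

# Hand over only when installed under the wrapper's name (/usr/bin/wrap).
if [ "${0##*/}" = wrap ]; then
    main "$@"
fi
```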

A little untimely given how long ago you posted this but for those who follow:

You have to edit the allowable shells in your /etc/security/login.cfg

usw:
shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd

Add yours to the list.

Edit: I noticed that if I made the change directly to the /etc/passwd line then tried the chsh it always gave me the "Value is invalid" error even if I put in a normal shell like /bin/ksh, so if you made the change manually prior you have to correct it first before using the kosher method...