Note: the original site that this tutorial came from is dead. I retrieved it from the Google cached version.
ttysnoop is a trivial but very convenient tool that can be used to share, monitor or control user terminals. Enabling ttysnoop on your machine is dangerous; it could violate your security policy or leave the system in an unusable state if not done properly. The ttysnoop itself doesn't need any special setup (except the /etc/snooptab file maybe) if both parties cooperate (one starts the ttysnoops server, and the other starts the ttysnoop client). However, installing it so that the ttysnoops gets started during the login does require a few changes in the system configuration files.
We will show here how to replace the system's login binary with ttysnoops and how to enable it for ssh connections. The procedure is delicate, as we said already, so we will comment each line you are about to execute in your shell.
Caution: The /bin/login file, an important part of every Unix system, will get modified. This means that all applications which use /bin/login will be affected; in other words, it becomes possible for users who possess the root password to completely monitor and control those character data streams (with the root password they could do it anyway, but not *so* easily). You shouldn't notice any visual changes, but please understand that the ttysnoop server will hook itself between the login program and the user (/dev/ttyp*). If you want specific services not to use the snooped /bin/login, instruct them to use /bin/login.real as the login program (that's exactly what we will do with the system getty).
(1) # dpkg-divert --divert /bin/login.real --add /bin/login
(2) # mv /bin/login /bin/login.real
(3) # echo "* socket login /bin/login.real" > /etc/snooptab
(4) # cp /etc/inittab /etc/inittab.valid
(5) # perl -p -i,orig -e 's#getty#getty -l /bin/login.real#g' /etc/inittab
(6) # ln -sf /usr/sbin/ttysnoops /bin/login
(7) # init q
(8) # echo "UseLogin yes" >> /etc/ssh/sshd_config
(9) # /etc/init.d/ssh restart
- (1) We already described the dpkg-divert command above. It "diverts" the file /bin/login to /bin/login.real, meaning that new packages which contain the /bin/login file will unpack it to a different location, /bin/login.real. To undo this step, use dpkg-divert --remove /bin/login.
- (2) Move /bin/login to /bin/login.real. System login will be broken until step 6, when we re-create the /bin/login file. To undo this step, use mv /bin/login.real /bin/login.
- (3) Create the /etc/snooptab file, which contains a single rule "* socket login /bin/login.real". See man ttysnoop(8) for details.
- (4) Create a copy of the /etc/inittab file in /etc/inittab.valid. This is important; if anything bad happens to /etc/inittab you could end up with an unusable system, so having a valid copy lying around is encouraged (also leave one shell open, so that you can put the valid file back in place even if you break system login).
- (5) Using Perl, edit the file /etc/inittab in place, and replace every occurrence of 'getty' with 'getty -l /bin/login.real'. The copy of the original file is saved in /etc/inittab,orig. *Never* run this command twice without putting the ,orig file back first (or you'll end up with something like 'getty -l /bin/login.real -l /bin/login.real'). In case of trouble, copy the .valid file from the previous step onto /etc/inittab. Also, note that we use 'getty -l' (where -l is the lowercase letter L, not the digit one as in -1).
- (6) We re-create /bin/login, making it a symbolic link to /usr/sbin/ttysnoops, the ttysnoop server.
- (7) Reload the init process, which re-reads the /etc/inittab file. If you made a mistake in some of the previous steps, your local consoles probably won't work anymore; that's why we suggested leaving one shell open and keeping a copy of the original /etc/inittab. If you decide to put the old inittab back, don't forget to move the login.real file back too and remove the divert.
- (8) We append 'UseLogin yes' to the end of the sshd configuration file.
- (9) We restart the sshd daemon.
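The two steps that the tutorial flags as dangerous are the in-place edit of /etc/inittab (which must never be run twice) and the replacement of /bin/login (which must be undone together with the divert). The following POSIX sh helpers are an added example, not part of the original tutorial: patch_inittab refuses to apply the getty substitution a second time and keeps a .valid copy, unpatch_inittab restores that copy, write_snooptab writes the single rule from step (3), and login_state is an audit check that tells you whether a given root's bin/login is the stock binary, the ttysnoops symlink, or something unexpected. The function names, the .valid backup convention and the ROOT-prefix argument to login_state are assumptions made here so the file operations can be rehearsed in a scratch directory before touching the live system.

```shell
#!/bin/sh
# Added example (not from the original tutorial): safety helpers for the
# inittab/snooptab steps, plus an audit check for the state of /bin/login.
# Names and the .valid backup convention are this example's own choices.

LOGIN_REAL=/bin/login.real

# patch_inittab FILE: replace every 'getty' with 'getty -l /bin/login.real',
# as in step (5), but refuse to run twice so the file never ends up with
# 'getty -l /bin/login.real -l /bin/login.real'. A FILE.valid copy is kept
# first, as in step (4). Returns 0 on success, 1 if already patched, 2 if
# FILE does not exist.
patch_inittab() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    if grep -q -- "-l $LOGIN_REAL" "$f"; then
        echo "$f already patched; refusing to patch twice" >&2
        return 1
    fi
    cp "$f" "$f.valid" || return 2
    sed "s#getty#getty -l $LOGIN_REAL#g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# unpatch_inittab FILE: put the known-good FILE.valid copy back.
unpatch_inittab() {
    f=$1
    [ -f "$f.valid" ] || { echo "no backup $f.valid" >&2; return 1; }
    cp "$f.valid" "$f"
}

# write_snooptab FILE: the single rule from step (3).
write_snooptab() {
    printf '* socket login %s\n' "$LOGIN_REAL" > "$1"
}

# login_state [ROOT]: print one of
#   snooped          ROOT/bin/login is a symlink to .../ttysnoops (step 6 done)
#   stock            ROOT/bin/login is a regular file (nothing replaced)
#   symlink:<target> a symlink to something else (investigate)
#   missing          no ROOT/bin/login at all (e.g. between steps 2 and 6)
# With an empty ROOT this inspects the live /bin/login.
login_state() {
    r=${1:-}
    l="$r/bin/login"
    if [ -L "$l" ]; then
        case $(readlink "$l") in
            */ttysnoops) echo snooped ;;
            *) echo "symlink:$(readlink "$l")" ;;
        esac
    elif [ -f "$l" ]; then
        echo stock
    else
        echo missing
    fi
}
```

On the live system you would run, as root and after steps (1) and (2), `write_snooptab /etc/snooptab` and `patch_inittab /etc/inittab`, then continue with steps (6) through (9) exactly as listed; `login_state` with no argument should then print `snooped`, and `unpatch_inittab /etc/inittab` followed by `init q` is the rollback for the inittab part (the login.real move and the divert still have to be undone by hand, as the tutorial says). Rehearse first against a scratch directory by passing paths under it instead of /etc.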
Warning: Enabling ttysnoop on your machine is dangerous; it could violate your security policy or leave the system in an unusable state if not done properly. For example, if you lose the ability to start X as a regular system user, chances are you did not make getty use the original login program, so either fix that, or run dpkg-reconfigure xserver-common and allow anyone to run the X server (a bad thing to do).
You can test the setup locally (but the same idea applies to remote logins, of course):
- ssh to your localhost (execute: ssh 127.0.0.1 or ssh 0, which works on Linux only).
- Switch to another virtual console (or X terminal) and log in as root. Find out the correct tty device (ttyp*) for our snoop target:
  # w | grep ttyp
  myuser ttyp0 - 4:20am 3.00s 0.05s 0.02s -bash
- Invoke ttysnoop to hook to /dev/ttyp0:
  $ /usr/sbin/ttysnoop ttyp0
- Type in the root password (to authenticate with ttysnoops) and enjoy your shared view ;p
When letting people log in remotely to your machine, ssh is the strongly preferred way to connect. Do not even bother with telnet (which is an unencrypted and insecure service). If you have special needs or demand telnet anyway, check out working configurations from the sample /etc/snooptab files.
