My home machine has IP 50.54.225.130. I have (for the purposes of this experiment) one remote machine at www.peacefire.org (69.72.177.140) and another at www.junkwhale.com.
When I'm logged in to peacefire, I run this Perl script to open an ssh connection to junkwhale and run a command:

    use strict;
    use warnings;
    use Net::SFTP;        # loaded but not used below
    use Net::SSH::Perl;

    my $hostname        = "www.junkwhale.com";
    my $server_password = "[redacted!]";

    # Open an SSH session to junkwhale and authenticate as root with a password.
    my $ssh = Net::SSH::Perl->new($hostname);
    $ssh->login("root", $server_password);

    # Run a single command over the session and collect its output and exit
    # status (cmd() does not request a pseudo-tty unless use_pty is set).
    my ($stdout, $stderr, $exit) = $ssh->cmd("pwd");
    print "Stdout: $stdout\n";
    print "Stderr: $stderr\n";
If I then log in by ssh to junkwhale from my home computer and run grep 'Accepted password' /var/log/secure the last two lines are:

    Jan 2 13:23:17 e2180-20059 sshd[12635]: Accepted password for root from 69.72.177.140 port 1023 ssh2
    Jan 2 13:23:28 e2180-20059 sshd[12684]: Accepted password for root from 50.54.225.130 port 52484 ssh2

which is correct -- the first line is from the Perl script connecting from Peacefire (69.72.177.140) and the second line is for the connection I just opened from my home computer.
If, however, I run the "last" command, the first two lines are just:

    root pts/0 50-54-225-130.ev Mon Jan 2 13:23 still logged in
    root pts/0 50-54-225-130.ev Mon Jan 2 01:52 - 01:52 (00:00)
In other words, the "last" command doesn't list the connection opened up by the Perl script. It only lists the times that I've connected by opening a connection manually with my SSH client. Presumably that means the connection with the Perl script is not being logged in /var/log/wtmp, although the contents of the file are binary so I couldn't make much sense of them directly with a screen dump.
This makes me wonder two things: 1) What is the difference, from the server's point of view, between the connection opened by the script and the one opened by my ssh client; and 2) More seriously, whatever it is that's different about the connection opened by the Perl script, isn't it a bug that that connection is not recorded in wtmp? If admins frequently use the "last" command to determine who has logged into the server, couldn't an attacker do this to avoid detection?
Bennett
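A defensive cross-check for the gap described above, added here as an example and not code from the post: sshd writes a utmp/wtmp record only when the session allocates a pseudo-tty, so a command run over a plain exec channel (what $ssh->cmd requests unless use_pty is set) shows up in /var/log/secure but never in "last". The script below parses the "Accepted" lines from the auth log and the output of "last -i" (assumed instead of plain "last", so the address column is numeric rather than a truncated reverse-DNS name) and reports accepted logins that have no wtmp session within a minute; the sample lines are constructed from the post's output.

```python
import re
from datetime import datetime

# Constructed sample data in the shape of the post's output: the two "Accepted
# password" lines from /var/log/secure and the matching "last -i" lines.
SECURE_LOG = """\
Jan  2 13:23:17 e2180-20059 sshd[12635]: Accepted password for root from 69.72.177.140 port 1023 ssh2
Jan  2 13:23:28 e2180-20059 sshd[12684]: Accepted password for root from 50.54.225.130 port 52484 ssh2
"""
LAST_OUTPUT = """\
root     pts/0        50.54.225.130    Mon Jan  2 13:23   still logged in
root     pts/0        50.54.225.130    Mon Jan  2 01:52 - 01:52  (00:00)
"""

# syslog line: "Mon DD HH:MM:SS host sshd[pid]: Accepted <method> for <user> from <ip> port N"
ACCEPT_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# "last -i" line: "<user> <tty> <ip> <Weekday> <Mon> DD HH:MM ..."
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<ip>\S+)\s+\w{3} "
    r"(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d)"
)

def _minute(mon, day, time):
    # Neither log carries a year, so pin one so the two sources can be compared.
    return datetime.strptime(f"{mon} {int(day)} {time} 2000", "%b %d %H:%M %Y")

def _parse(text, pattern):
    """Return (user, ip, minute) for every line matching pattern; skip the rest."""
    out = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            out.append((m["user"], m["ip"], _minute(m["mon"], m["day"], m["time"])))
    return out

def logins_missing_from_wtmp(secure_text, last_text, slack_minutes=1):
    """Accepted sshd logins with no wtmp session for the same user+ip within slack."""
    sessions = _parse(last_text, LAST_RE)
    missing = []
    for user, ip, when in _parse(secure_text, ACCEPT_RE):
        if not any(u == user and i == ip and abs((when - t).total_seconds()) <= slack_minutes * 60
                   for u, i, t in sessions):
            missing.append((user, ip, when.strftime("%b %d %H:%M")))
    return missing

if __name__ == "__main__":
    for user, ip, when in logins_missing_from_wtmp(SECURE_LOG, LAST_OUTPUT):
        print(f"sshd accepted {user} from {ip} at {when}, but last/wtmp has no matching session")
```

On a live host, feed it the real files with `grep Accepted /var/log/secure` and `last -i` output; a hit means a session that authenticated without ever touching wtmp, which is exactly the case "last" alone would miss.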