[CentOS] 'last' command doesn't include ssh connections made by this perl script?

Mon Jan 2 23:27:25 UTC 2012
Nataraj <incoming-centos at rjl.com>

On 01/02/2012 03:04 PM, Bennett Haselton wrote:
> My home machine has IP 50.54.225.130.  I have (for the purposes of this
> experiment) one remote machine at www.peacefire.org (69.72.177.140) and
> another at www.junkwhale.com.
In general it is better not to post actual hostnames and IP addresses on
public lists.  Doing so can invite further attacks, particularly if your
posting exposes vulnerabilities in your system.
> When I'm logged in to peacefire, I run this perl script to open an ssh
> connection to junkwhale and run a command:
>
> my $hostname="www.junkwhale.com";
> my $server_password = "[redacted!]";
> use Net::SFTP;
> use Net::SSH::Perl;
> my $ssh = Net::SSH::Perl->new($hostname);
> $ssh->login("root", $server_password);
> my($stdout, $stderr, $exit) = $ssh->cmd("pwd");
> print "Stdout: $stdout\n";
> print "Stderr: $stderr\n";
>
> If I then log in by ssh to junkwhale from my home computer and run
> grep 'Accepted password' /var/log/secure
> the last two lines are:
> Jan  2 13:23:17 e2180-20059 sshd[12635]: Accepted password for root from
> 69.72.177.140 port 1023 ssh2
> Jan  2 13:23:28 e2180-20059 sshd[12684]: Accepted password for root from
> 50.54.225.130 port 52484 ssh2
>
> which is correct -- the first line is from the perl script connecting from
> Peacefire (69.72.177.140) and the second line is for the connection I just
> opened from my home computer.
>
> If, however, I run the "last" command, the first two lines are just:
> root     pts/0        50-54-225-130.ev Mon Jan  2 13:23   still logged in
> root     pts/0        50-54-225-130.ev Mon Jan  2 01:52 - 01:52  (00:00)
>
> In other words, the "last" command doesn't list the connection opened up by
> the Perl script.  It only lists the times that I've connected by opening a
> connection manually with my SSH client.  Presumably that means the
> connection with the perl script is not being logged in /var/log/wtmp ,
> although the contents of the file are binary so I couldn't make much sense
> of them directly with a screen dump.
>
> This makes me wonder two things:
> 1) What is the difference, from the server's point of view, between the
> connection opened by the script and the one opened by my ssh client; and
> 2) More seriously, whatever it is that's different about the connection
> opened by the perl script, isn't it a bug that that connection is not
> recorded in wtmp?  If admins frequently use the "last" command to determine
> who has logged into the server, couldn't an attacker do this to avoid
> detection?
The connection opened by the script is not considered an interactive
login on a terminal device and is therefore not reported by last.  It would
be nice if there were a way to have sshd log the command line that was
executed for non-interactive connections, but I don't see a way to do
that.  The reality is that the log files really need to be monitored.

Nataraj
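The monitoring point in the reply above, as an added example that is not part of the thread: it cross-checks sshd's "Accepted" lines in /var/log/secure against the sessions `last` reports and lists every accepted login that left no wtmp record, which is exactly where the Net::SSH::Perl cmd() session ends up. The sample lines are constructed from the excerpt in the thread; the wtmp sample assumes `last -i` output (IP address instead of the truncated reverse-DNS name).

```python
import re
from collections import Counter

# Constructed sample lines, same shape as the /var/log/secure excerpt in the thread.
SECURE_LOG = """\
Jan  2 13:23:17 e2180-20059 sshd[12635]: Accepted password for root from 69.72.177.140 port 1023 ssh2
Jan  2 13:23:28 e2180-20059 sshd[12684]: Accepted password for root from 50.54.225.130 port 52484 ssh2
"""

# Constructed sample of `last -i` output (assumption: -i prints the IP instead of the
# truncated reverse-DNS name seen in the thread), i.e. the wtmp sessions.
LAST_OUTPUT = """\
root     pts/0        50.54.225.130    Mon Jan  2 13:23   still logged in
root     pts/0        50.54.225.130    Mon Jan  2 01:52 - 01:52  (00:00)
"""

ACCEPTED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s+(?P<ip>[\d.]+)\s+\w{3} (?P<mon>\w{3})\s+(?P<day>\d+) "
    r"(?P<time>\d\d:\d\d)")

def _keys(regex, text):
    # Minute-granularity key both formats share: (user, source IP, "Mon D HH:MM").
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            yield (m["user"], m["ip"], f"{m['mon']} {int(m['day'])} {m['time']}")

def parse_accepted(text):
    """Every authentication sshd accepted (interactive or not)."""
    return list(_keys(ACCEPTED_RE, text))

def parse_last(text):
    """Every wtmp session `last -i` reports (interactive logins only)."""
    return list(_keys(LAST_RE, text))

def unrecorded_logins(secure_text, last_text):
    """Accepted logins with no wtmp session in the same minute from the same
    user and IP: the non-PTY sessions that `last` never shows."""
    wtmp = Counter(parse_last(last_text))
    missing = []
    for key in parse_accepted(secure_text):
        if wtmp[key] > 0:
            wtmp[key] -= 1          # one wtmp record explains one accepted login
        else:
            missing.append(key)
    return missing
```

On the thread's data this reports the 13:23 login from 69.72.177.140 (the Perl script) and nothing else, since the interactive login from the home machine is matched by its pts/0 session.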