[CentOS] 'last' command doesn't include ssh connections made by this perl script?

Bennett Haselton bennett at peacefire.org
Mon Jan 2 23:04:07 UTC 2012


My home machine has IP 50.54.225.130.  I have (for the purposes of this
experiment) one remote machine at www.peacefire.org (69.72.177.140) and
another at www.junkwhale.com.

When I'm logged in to peacefire, I run this perl script to open an ssh
connection to junkwhale and run a command:

my $hostname="www.junkwhale.com";
my $server_password = "[redacted!]";
use Net::SFTP;
use Net::SSH::Perl;
my $ssh = Net::SSH::Perl->new($hostname);
$ssh->login("root", $server_password);
my($stdout, $stderr, $exit) = $ssh->cmd("pwd");
print "Stdout: $stdout\n";
print "Stderr: $stderr\n";

If I then log in by ssh to junkwhale from my home computer and run
grep 'Accepted password' /var/log/secure
the last two lines are:
Jan  2 13:23:17 e2180-20059 sshd[12635]: Accepted password for root from
69.72.177.140 port 1023 ssh2
Jan  2 13:23:28 e2180-20059 sshd[12684]: Accepted password for root from
50.54.225.130 port 52484 ssh2

which is correct -- the first line is from the perl script connecting from
Peacefire (69.72.177.140) and the second line is for the connection I just
opened from my home computer.

If, however, I run the "last" command, the first two lines are just:
root     pts/0        50-54-225-130.ev Mon Jan  2 13:23   still logged in
root     pts/0        50-54-225-130.ev Mon Jan  2 01:52 - 01:52  (00:00)

In other words, the "last" command doesn't list the connection opened up by
the Perl script.  It only lists the times that I've connected by opening a
connection manually with my SSH client.  Presumably that means the
connection with the perl script is not being logged in /var/log/wtmp ,
although the contents of the file are binary so I couldn't make much sense
of them directly with a screen dump.

This makes me wonder two things:
1) What is the difference, from the server's point of view, between the
connection opened by the script and the one opened by my ssh client; and
2) More seriously, whatever it is that's different about the connection
opened by the perl script, isn't it a bug that that connection is not
recorded in wtmp?  If admins frequently use the "last" command to determine
who has logged into the server, couldn't an attacker do this to avoid
detection?

Bennett



More information about the CentOS mailing list