How do I log SSH port forwards?

Solution 1:

I have used the patch on this web page (slightly altered) http://blog.rootshell.be/2009/03/01/keep-an-eye-on-ssh-forwarding/ to log ssh port forwards.

Solution 2:

I'm asking a question here, "How can a SSH host process detect which ports have been forwarded by the client (-R not -L)", to find a more elegant way to do this same thing.

However, since it's not looking like there is a better way, I do it with lsof:

sudo lsof [email protected] -Fn -p99999 | grep "^n" | grep -v '\->' | awk -F: '{print $NF}' | sort | uniq

99999 is the PID of the sshd handling the connection you are interested in.

There are a few ways to make use of this snippet. Either have a long-running process that watches for new instances of sshd and then introspects them using the above command, or prefix all .ssh/authorized_keys entries with a custom command which does this, logs it somewhere, then execs the originally intended command (SSH_ORIGINAL_COMMAND, or the login shell in most cases).
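The authorized_keys variant of Solution 2, written out as an added example (it is not the answer's own code): a `command=` wrapper that asks lsof which ports the per-connection sshd (its parent process) is listening on, writes them to syslog, and then hands control to the client's original command or a login shell. The parsing of `lsof -Fn` output is the same idea as the answer's pipeline, only factored into a function so it can be checked against captured output. The script name `ssh-forward-log` and the syslog tag are assumptions; the `-a` flag is needed so that `-i` and `-p` are ANDed rather than ORed.

```shell
#!/bin/sh
# Added example (not the answer's own code): an authorized_keys "command=" wrapper
# that logs the remote (-R) forwards of the sshd child that spawned it and then
# execs what the client actually asked for. Assumes lsof and logger are installed;
# the script name "ssh-forward-log" and the log tag are made-up choices.

# Pull listening endpoints out of `lsof -Fn` output read from stdin.
# In -Fn output every name line starts with "n"; established connections contain
# "->", so whatever is left is a socket the process is listening on. The port is
# the text after the last ":" (works for 127.0.0.1:8080, *:8080 and [::1]:8080).
listening_ports() {
    grep '^n' | grep -v -- '->' | awk -F: '{print $NF}' | sort -n | uniq
}

# Same list as one space-separated line, convenient for a single log message.
forward_summary() {
    listening_ports | tr '\n' ' ' | sed 's/ $//'
}

# Query a live sshd child. -a ANDs the selections: internet sockets (-i) of PID $1.
ports_of_pid() {
    lsof -a -i -Fn -p "$1" 2>/dev/null | listening_ports
}

main() {
    # When started via authorized_keys, the parent is the per-connection sshd.
    sshd_pid=$PPID
    ports=$(ports_of_pid "$sshd_pid" | tr '\n' ' ')
    logger -t ssh-forward-log \
        "pid=$sshd_pid user=${USER:-?} from=${SSH_CONNECTION%% *} listening_ports=[${ports% }]"
    # Hand over to what the client wanted: the original command, or a login shell.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    else
        exec "${SHELL:-/bin/sh}" -l
    fi
}

# Only take over the session when invoked as the installed wrapper; sourcing the
# file (for example to reuse the parsing functions) does nothing.
case "${0##*/}" in
    ssh-forward-log) main ;;
esac
```

Install it as `/usr/local/bin/ssh-forward-log` and prefix the key line with `command="/usr/local/bin/ssh-forward-log"`. Because the client sends its `-R` requests before it opens the session channel, the forwards are already bound by the time the wrapper runs; forwards added later through the `~C` escape are not seen, which is the gap the long-running watcher approach closes.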