table of contents
| SSH-LAST(1) | User Commands | SSH-LAST(1) |
NAME¶
ssh-last - list last SSH sessions
SYNOPSIS¶
ssh-last [OPTIONS]
ssh_logs | ssh-last [OPTIONS]
Options¶
-a show all sessions (show data which is hidden by the 'ignored' file)
-c colored output (highlight active SSH sessions)
-d debug
-f force showing fingerprints (no mapping from 'known' file)
-h show this help message
-i force showing certificate ids (no mapping from 'known' file, not together with -f)
-l try to use logfiles instead of journalctl (may be even faster on some systems)
-n show host/ip in cleartext (no mapping from 'known' file)
-w show only active SSH sessions
-? show complete manual with more detailed information
(usually needs perl-doc installed to work properly)
--version show version information
Examples¶
ssh-last
ssh-last -c | more
ssh-last -c | less -R # keeps colored output in less
ssh-last -cw
# Logs from yesterday
LC_TIME=C journalctl _COMM=sshd -g 'Accepted|Disconnected' --since yesterday | ssh-last
# Logs from three days ago
LC_TIME=C journalctl _COMM=sshd -g 'Accepted|Disconnected' --since -3d --until -2d | ssh-last
# Logs from the last hour
LC_TIME=C journalctl _COMM=sshd -g 'Accepted|Disconnected' --since -1h | ssh-last
# Logs until a specific date
LC_TIME=C journalctl _COMM=sshd -g 'Accepted|Disconnected' --until "2022-03-12 07:00:00" | ssh-last
# From logfiles (order must be from oldest to newest)
zgrep -hE 'Accepted|Disconnected' auth.log.2.gz auth.log.1 auth.log | ssh-last
zgrep -hE 'Accepted|Disconnected' $(ls /var/log/auth.log* --sort=time --reverse) | ssh-last
zgrep -hE 'Accepted|Disconnected' $(ls /var/log/messages* --sort=time --reverse) | ssh-last
zgrep -hE 'Accepted|Disconnected' $(ls /var/log/secure* --sort=time --reverse) | ssh-last
DESCRIPTION¶
ssh-last is like last but for SSH sessions
Output Flags¶
+--------------------------------------------------------------------------+
| |
| AUTH_ID |
| |
| (C) sshd authorized login via (c)ertificate |
| (K) sshd authorized login via public (k)ey |
| (?) sshd authorized login via some other type (password, pam) |
| |
+--------------------------------------------------------------------------+
Algorithm¶
Milling through sshd logs in chronological order:
1) Finding login (Accepted) and logout (Disconnected) lines.
2) Storing info from the lines like username, auth_type, fingerprint, ...
3) Using the used network port to check for active sessions
and piecing together old sessions by remembering logged network ports
4) Using mainly /etc/os-release to adapt for different systems
which differ in logfile names, logging patterns, etc...
FILES¶
Ignored¶
/etc/ssh-tools/ssh-last/ignored
~/.config/ssh-tools/ssh-last/ignored
./ignored
These data will be hidden in output unless forced with -a option
+--------------------------------------------------------------------------+
|# Fingerprints |
| |
|SHA256:ElgyEn5xPe4VlK5jJkqauRdAKNRHdh2tGHfo0m9/IwW Jenkins |
|SHA256:5xPe4JkqaElKNRHGHfxPe4RdAKdh2tlK5AKNRHn5xK5 foo # comment |
|SHA256:nmKL5s7/fs45312nvjhFSRTREa44r2hfgJHJG54353R bar@gmx.de |
| |
|# Hosts |
| |
|127.0.0.1 localhost # local ssh logins |
|192.168.1.50 nas # more comments |
|webserver # alias from the 'known' file |
| |
|# Cert IDs |
| |
|user1@company.com |
|user2@company.com with some info |
|user3@company.com with some info # and a comment |
| |
|# Users |
| |
|git # gitlab |
+--------------------------------------------------------------------------+
Known¶
/etc/ssh-tools/ssh-last/known
~/.config/ssh-tools/ssh-last/known
./known
For these keys the mapped value will be shown instead of its key,
unless forced with -f (fingerprints) and -n (hosts)
or -i (certificate ids) option
+--------------------------------------------------------------------------+
|# Fingerprints |
| |
|SHA256:WwI/9m0ofHGt2hdHRNKAdRuaqkJj5KlV4ePx5nEyglE Sven Wick |
|SHA256:xyk5ZZZWZKnmKL5mYdk8Poy5eds7/CD/JEwqykMnlQQ root@n40l # comment |
|SHA256:G7h9i5+NDU72Ae40gCkxyvDz/8BH+KETw7sXHCYr5w0 sven.wick@gmx.de |
| |
|# Hosts |
| |
|127.0.0.1 localhost # local ssh logins |
|192.168.1.50 nas # more comments |
|192.168.50.100 webserver |
| |
|# Cert IDs |
| |
|user1@company.com vaporup |
+--------------------------------------------------------------------------+
BUGS AND LIMITATIONS¶
JumpHosts¶
Using a JumpHost with ProxyCommand oder ProxyJump,
may often result in an unclean disconnect with nothing logged,
so LOGOUT and DURATION can not be displayed.
Unprivileged users¶
If possible, run ssh-last as root or via sudo
1) Logfiles and systemd's journal usually can't be read by a normal user
2) ssh-last -w works only reliably as root,
since ss and netstat do not show process info when invoked as normal user
3) ssh-last tries to map the fingerprint from a user's authorized_keys file
but users usually are not allowed to look into each others files
OS Upgrades¶
If you do an in-place upgrade like dist-upgrade on Debian/Ubuntu,
depending on the version difference,
it can happen that sshd logs differently from that point on
and you may have a mix of logs in new and old format
which results in ssh-last showing only the latest ones correctly
Log inconsistency¶
I have seen cases where some sshd "Disconnect" log messages
were missing in systemd's journal but existed in /var/log/auth.log.
So, if ssh-last is not showing a logout and duration
but the log lines exist in the logfile, check if the log message
really reached systemd's journal since ssh-last defaults to journald
NOTES¶
Helper Scripts¶
For convenience you can create little wrapper scripts like the following
which avoids parsing too many logs by limiting the data only to the last week
my-ssh-last
+--------------------------------------------------------------------------+
| #!/usr/bin/env bash |
| |
| LC_TIME=C journalctl _COMM=sshd --since -1week \ |
| | grep -E 'Accepted|Disconnected' \ |
| | ssh-last "$@" |
| |
+--------------------------------------------------------------------------+
SEE ALSO¶
AUTHOR¶
Sven Wick <sven.wick@gmx.de>
| 2024-09-26 | SSH-TOOLS |