0 votes
by (120 points)

I want to create an ssh proxy that would allow everything that goes on during an SSH session to be recorded (the person would know his actions are recorded). The client needs to be PuTTY since that is what the customer wants to use. The use case is that the customer needs to record for security and auditing purposes everything that an employee does during an SSH session.

Would your tools allow me to create a proxy listener that would be connected to from PuTTY, record and possibly filter all commands, and then forward the communication to the server? Would it be possible to get some code samples and architecture pointers on how to structure such a proxy.

Thanks so much, Ken

1 Answer

0 votes
by (145k points)

We are developing an SSH server component that is currently in beta and this would be possible with a bit of code tweaking. However, there are the following issues:

  1. When connecting to a server through a proxy, the "server key" provided to the client would be the key of the proxy, not the key of the target server. There is no way around this (unless you have access to private key of the server), but if the people using the proxy know they are being recorded, this should not be an issue - they would just need to trust a different key. (To prevent possible privacy violation issues, the proxy might even display a warning that the communication is being intercepted and possibly recorded.]

  2. Does the proxy need to be transparent? I mean - if you intended to connect to ssh.rebex.net, would it be an issue if you had to connect to "sshproxy.mycompany.local" instead and had to specify the target server name in addition to the username and password in PuTTY?

  3. Private key authentication would not work (unless the proxy had access to client's private keys.

If you would like to discuss these issues, please contact us at support@rebex.net. As I stated before, implementing this kind of proxy is easily possible, although not with any of our currently published products, and I believe it would actually be a useful product of its own - we are definitely going to give it a try.