Teleport: Write to utmp/wtmp when an interactive session is opened by Teleport

Created on 7 Jul 2020  路  7Comments  路  Source: gravitational/teleport

Feature Request

Traditional Unix login systems like getty and sshd write entries to the utmp file when an interactive session is opened. This is used to construct the output of commands like w and who which show the users currently logged into the system.

Teleport doesn't write entries to utmp when interactive sessions are opened, meaning that you can't see who's logged into a system using traditional Unix tools. It would be nice for Teleport nodes to update the utmp file in the same way sshd does.

Output of who when logged in via sshd:

gus@hades:~$ who
gus      pts/1        2020-07-07 16:16 (192.168.64.203)
gus@hades:~$

Output of who when logged in via teleport:

gus@hades:~$ who
gus@hades:~$ 

Motivation

Teleport is essentially positioned as an sshd replacement, so it should have a reasonable level of feature parity with sshd. It's also quite confusing that sessions appear in w/who/last etc when you use Teleport to log into nodes running sshd, but not when you use Teleport to log into nodes running teleport.

Who's it for?

OSS User, Pro, Enterprise

鈹咺ssue is synchronized with this Asana task by Unito

R3 c-ju c-pa feature-request sales-onboarding

Most helpful comment

+1 this is a big annoyance to our users/engineers

All 7 comments

+1 This is the biggest request I get from our engineering team. We have a number of tools and scripts that use wtmp and utmp that report if an engineer is currently using a particular system (to prevent stepping on each other), and these have stopped working since our transition to teleport.

Both human users and downstream tooling such as log aggregators/SIEMs rely on utmp/wtmp to analyze and debug resource utilization and performance issues on shared systems, as well as monitor user behavior for security forensics. Although the Audit Log partially mitigates this, Teleport's lack of utmp/wtmp significantly disrupts Unix users' muscle memory for w/who/last and ambient awareness of other users. This would also introduce friction in analyzing attacker behavior during a real-time security incident response. Other solutions such as OpenSSH and Smallstep populate utmp/wtmp as expected.

Lacework has confirmed that they use utmp/wtmp to monitor system logins. That means customers using Lacework would be blind to all Teleport-based login activity in Lacework.

+1 this is a big annoyance to our users/engineers

We plan to address this issue when we work on https://github.com/gravitational/teleport/issues/3814

Started investigating and it seems like openssh does this by using this C header which defines the structure of the utmp and wtmp files and manually adds an USER_PROCESS entry once a connection is authenticated. On exit, the daemon marks the entry as DEAD_PROCESS. I'll get working on this.

Implemented and merged to master.

Was this page helpful?
0 / 5 - 0 ratings