# Take over another session as root [ttysnoop + SSH = SOLVED!]

## d11wtq

Hi,

I've seen this done before, but I don't have a clue what to search for.

A user logs onto a networked Linux PC. He starts entering commands in a console window.

Someone can connect to that same PC over the network and take over that console session.  He can then start typing in commands within that console.  The original user can still see the screen and see what the other person logged in as root is typing.

What is it? And how do you do it?

I'm not referring to VNC or anything like that.... this is just command line based.

Thanks,

d11  :Smile:

Last edited by d11wtq on Fri Nov 04, 2005 12:41 pm; edited 1 time in total

----------

## Earthwings

Have a look at

```
*  app-misc/screen
      Latest version available: 4.0.2-r4
      Latest version installed: [ Not Installed ]
      Size of downloaded files: 820 kB
      Homepage:    http://www.gnu.org/software/screen/
      Description: Screen is a full-screen window manager that multiplexes a physical terminal between several processes
      License:     GPL-2
```

----------

## bone

Actually, I think he is referring to ttysnoop.

Check here for more info:

http://www.linuxhelp.ca/guides/ttysnoop/

I used to use this to teach users when they were in question about something they were trying to do, but it can also be used for unethical purposes as the user is not informed beforehand that they are being watched.

jt

----------

## d11wtq

 *bone wrote:*   

> Actually, I think he is referring to ttysnoop.
> 
> Check here for more info:
> 
> http://www.linuxhelp.ca/guides/ttysnoop/
> ...

 

Yeah that's what I'm referring to.  I wouldn't use it for anything unethical... in fact I probably won't even use it at all but it just intrigued me to see it done.  I'm often connecting to my brother's SuSE box over SSH, over the internet to help him do things so I guess there could be an educational use for it there.

Thanks for the links guys  :Smile: 

----------

## d11wtq

Hmmm....  I'll show my n00biness here.

Any idea how to get ttysnoop to snoop sessions started by users who log on via SSH?

I installed the app, looked at the /etc/snooptab file and decided to leave it as is.  I need to change something so that when users log in via SSH they don't use /bin/login they use ttysnoop instead (transparently I believe). It talks about how to do it for telnet but I'm gonna practise this on my VDS Gentoo UML server which I use for webhosting so I'm not wanting to run telnet on there for security reasons.  All users with shell accounts use SSH to connect.  I can't see anything in /etc/ssh/sshd_config which specifies /bin/login as the login script.

Any help much appreciated  :Smile: 

----------

## d11wtq

 *A website found on Google wrote:*   

> 
> 
> ttysnoop was created to work with inetd, however, there is a way to make it work with ssh.
> 
> first you will need the source code of the sshd
> ...

 

Looks simple enough but I'd have to modify the OpenSSH source to do it.... do I trust that?  :Smile:  Looks safe enough considering what changes you make I guess.

For anyone wondering.... because I see another post on this forum facing my problem.

You'll have to unmerge openssh and compile it yourself.... OR inflate the openssh package in /usr/portage/distfiles/ and make those changes, bz2 it again then remerge openssh*. Either will work.

*It might be a good idea to "emerge --fetchonly" the latest version first  :Wink: 

I'll let you know how it goes.

----------

## Monkeh

You could write a patch to do it.

----------

## d11wtq

 *Monkeh wrote:*   

> You could write a patch to do it.

 

Me personally? Not sure how to go about doing that, unless it's just a case of making a copy of the *modified* files and having them replace the old ones when run? But I'd have a go  :Smile: 

----------

