Linux Help

ttysnoop Setup Guide   
Printable Version

DJG's ttysnoop Guide
Created on January 1st, 2000.

ttysnoop is a package which will, if configured properly, allow you (the SysAdmin) to "snoop" on users' ttys. Not only will this allow you to watch what is happening on a user's terminal, it will allow you to manipulate the environment as well. You will also be able to "share" the terminal. Sound scary for users? Sound fun for you? Although the first thing that probably pops into your mind to use this for evil, this CAN be a useful Administrative tool, so PLEASE use it for that. With this, you will be able to get records on a user which will be much better than simply looking at their .bash_history (if they haven't done something with that already. ttysnoop can also be used to "share" a terminal between two users. These users could be instructor and student, or just someone who is demonstrating how to do something.

Before you decide to run ttysnoop please think about the consequences. If you will just install it on your personal machine then that may be ok because if someone unfriendly is telneting in, you can see what they are doing. However keep in mind that if they somehow get root on your machine, they can do it to you.

Also, if you provide shell accounts for users you may think that you can use ttysnoop to keep an eye on troublesome users. However, keep in mind that it may be a privacy violation and users may not like the idea that you can simply manipulate their data.

Now that you (hopefully) know what ttysnoop is and that you want to use it, let's go over how to install, configure, and use it.

First, you'll have to install it, you can get the RPM, tarball, or deb.

Get the RPM at ftp://rufus.w3.org/linux/contrib/libc6/i386/ttysnoop-0.12c-5.i386.rpm
Get the tarball at http://members.xoom.com/sigsegv/sources/ttysnoop.tar.gz
Get the Deb from ftp://ftp.debian.org/debian/dists/slink/main/binary-i386/admin/ttysnoop_0.12c-6.deb
or by running "apt-get install ttysnoop"

After installing, you should decide on how you want to use ttysnoop. This guide will go over two ways, putting it on your Virtual Consoles, and putting it on all incoming telnet connections.

To set ttysnoop to have the ability to watch all virtual consoles (or just some), open up /etc/inittab in your favorite text editor. Go down to the part where you see something like this:

NOTE: Be careful with this, if you aren't ready to ruin your box, DON'T mess with this file! :)

If you don't want ttysnoop to watch the virtual consoles, then skip this section.


# Format: 
# :::
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6

Whichever terminals you want to be "snoop-able" add the following to the /sbin/getty lines:

-l /path/to/ttysnoops

I would have a line like this for tty4 (Virtual console 4)

4:23:respawn:/sbin/getty 38400 tty4 -l /path/to/ttysnoops

Save /etc/inittab, and I don't know of any other way to refresh this except to reboot so you can reboot if you really want this.

Now, if you want to enable ttysnoop whenever someone telnets into your computer, then open up /etc/inetd.conf in your favorite text editor and find this line:

telnet stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd

and change it to:

telnet stream tcp nowait root.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd -L /usr/sbin/ttysnoops

REDHAT USERS: Instead of "root.telnetd", just use "root"

Now issue a 'killall -HUP inetd' and now all incoming telnet connections are "snoop-able."

Now that everything's all set up to be snooped, you're probably wondering "How can I snoop those terminals?"

To do this, you'll be using the program ttysnoop.

In the directory /var/spool/ttysnoop/, you will find a number of files, mine looks like:

ttyp0=
ttyp1=

These files are called pseudo-tty's or pty's if you look at ttysnoop's man page.

The number of ttysnoops sessions you have should will reflect the number of pty's you can use.

To snoop on a session, just issue the following command as root:

root@localhost:~ # ttysnoop ttyp0
Connected to ttyp0 snoop server...
Ctrl+'\' (ASCII 20) to suspend, Ctrl+'-' (ASCII 31) to terminate.
Snoop password:

Enter your root password above: ^

Verified Ok... Snoop started. 

Now, just watch. :)

If you really have the need to freak someone out, whatever you type will come up on their terminal. You can also execute commands, etc...

When you're ready to stop, do as it says and type CTRL - to shut down the client.

If you'd like to just log a user's activity and don't really want to watch, try this:

root@localhost:~ # ttysnoop ttyp0 > /path/to/logfile 2>&1

Assuming there's no problem, just enter your password here and press enter, you won't be able to see anything, but it *should* work.

When you want to stop logging, type CTRL -

If you'd like to watch the log file, type:

root@localhost:~ # tail -f /path/to/logfile

In a separate terminal Press CTRL C to stop watching.

Now for one more thing. You may or may not have noticed that there's a new file in /etc, /etc/snooptab.

/etc/snooptab allows you to specify www.ces to be designated "snoopers" for certain terminals. For example, if I wanted tty1 to be snooped by tty8 rather than a dynamically assigned socket pseudo-terminal, then I could do it here.

Open up /etc/snooptab in your favorite editor. You should see something like this:


tty     snoop-www.ce  type   	execpgm

#tty1    /www.tty7    login    /bin/login
#tty2    /www.tty8    login    /bin/login

  *      socket       login    /bin/login

Here's how it works and how to add your own entries:

tty: Here, put whichever tty you want to be "snoop-able"

snoop-www.ce: Here, put the www.ce in which you want to snoop on whatever you put in tty.

NOTE: You CAN put non-terminal www.ces in snoop-www.ce, although it doesn't work too well. Unfortunately, redirecting output to the printer for me didn't quite work. So much for reliving the Cuckoo's Egg. ;)

type: For our purposes, just set this to "login"

execpgm: Again, for our purposes, leave this as "/bin/login"

Save the file and you are all set. You can now snoop on specific logins.

I hope this guide has been helpful and you use ttysnoop responsibly.


Having trouble? Got questions? Require further assistance? If so please feel free to visit our Help Forums and ask the experts!


Copyright © 1997 - 2014 Private World Domination Inc. All rights reserved.
Linux is a registered trademark of Linus Torvalds. All other trademarks and copyrights are the property of their respective owners.
| Contact Us | Link to Us | RSS Feed | Staff |

DNS Hosting by easyDNS