Make Dropbear SSH Connections Show in Who Command

Hello all,

Backstory:
I am trying to monitor all of my devices with Zabbix and one of its features is that it can tell how many users are logged into a Linux device by executing who | wc -l. It did not properly detect connections to my router running OpenWRT 18.06.5. I realized the who binary was not installed, so I installed it.

Problem:
This is when I found that running who when connected over the default Dropbear SSH connection does not show the Dropbear connection.

Output when connected via OpenSSH to my server:

{19-12-10 11:10}emu:~ v% who
v        pts/0        2019-12-10 11:01 (10.0.1.13)
{19-12-10 11:10}emu:~ v%

Output when connected via Dropbear to my router:

root@suss:~# who
root@suss:~#

I've tried:
Searching Google and DuckDuckGo for information about Dropbear connections not showing in who
Searching Google and DuckDuckGo for information about connections that do not show in who
Looking through OpenWRT docs on configuration for Dropbear to see if it is a missing feature/setting

Question:
Does anyone know what is going on and/or how I can fix it? It makes me uncomfortable not being able to know when someone is logged into the router...

From man who

If FILE is not specified, use /var/run/utmp. /var/log/wtmp as FILE is common.

Neither is present on my running OpenWrt system.

who /tmp/log/wtmp

Doesn't return anything on the running system I tried either, which isn't surprising given

jeff@office:~$ ls -l /tmp/log/wtmp 
-rw-r--r--    1 root     root             0 Sep 29 06:52 /tmp/log/wtmp

Given that "logged in" potentially means

  • Interactive shell
  • Accessing LuCI
  • Running command over SSH
  • Running RPC call
  • ...

logging the events you're interested in may be a better approach. Of course, if anyone is logged in, they potentially can modify the logs. This is a classic IDS problem, which remote logging can mitigate somewhat.


Digging deeper -- from 10 years ago https://dev.archive.openwrt.org/ticket/2952

Symbol: BUSYBOX_CONFIG_FEATURE_WTMP [=n]

can be set in a from-source build. There may be a similar flag needed for dropbear, but I haven't checked.

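An added example (not from the posts above) of the log-based approach suggested in the reply: it lists Dropbear sessions that logged a successful auth and no exit yet, so its line count can stand in for `who | wc -l`. The function name, the sample log and the assumed `logread` line layout are constructed for illustration, modeled on Dropbear's "auth succeeded" and "Exit" messages; check them against your router's real output.

```shell
#!/bin/sh
# Added example: list Dropbear sessions that authenticated and have not yet
# logged an exit, as a log-based stand-in for `who` on a system without utmp.
# Assumed line shape: "<timestamp> <facility> dropbear[PID]: <message>".

dropbear_sessions() {
    awk -v q="'" '
    # Each connection is served by its own child process, so the PID in the
    # syslog tag ties an auth success to the matching exit message.
    function pid_of(line) {
        if (!match(line, /dropbear\[[0-9]+\]:/)) return ""
        return substr(line, RSTART + 9, RLENGTH - 11)
    }
    / auth succeeded for / {
        pid = pid_of($0)
        if (pid == "") next
        split($0, part, q)            # part[2] is the quoted user name
        open[pid] = part[2] " " $NF   # $NF is the client address:port
        next
    }
    /\]: Exit / {                     # "Exit (user)" and "Exit before auth"
        pid = pid_of($0)
        if (pid != "") delete open[pid]
    }
    END { for (pid in open) print open[pid], pid }
    '
}

# Constructed sample log: one open session, one failed login, one closed session.
sample_log() { cat <<'EOF'
Tue Dec 10 11:01:02 2019 authpriv.info dropbear[2101]: Child connection from 10.0.1.13:51234
Tue Dec 10 11:01:04 2019 authpriv.notice dropbear[2101]: Password auth succeeded for 'root' from 10.0.1.13:51234
Tue Dec 10 11:03:12 2019 authpriv.warn dropbear[2150]: Bad password attempt for 'root' from 10.0.1.77:40022
Tue Dec 10 11:03:15 2019 authpriv.info dropbear[2150]: Exit before auth from <10.0.1.77:40022>: (user 'root', 1 fails): Exited normally
Tue Dec 10 11:05:00 2019 authpriv.notice dropbear[2188]: Pubkey auth succeeded for 'root' with ssh-ed25519 key SHA256:CONSTRUCTEDFINGERPRINT from 10.0.1.20:38100
Tue Dec 10 11:09:30 2019 authpriv.info dropbear[2188]: Exit (root) from <10.0.1.20:38100>: Disconnect received
EOF
}

# On the router: logread | dropbear_sessions | wc -l
sample_log | dropbear_sessions
```

The local log buffer is finite, so a long-lived session whose auth line has rotated out will be missed. Running the same filter on a remote syslog server that receives the router's log avoids that and keeps the record out of reach of someone logged into the router.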