Script to group SSH log entries per session
#!/usr/bin/perl -w
use strict;
use diagnostics;
use File::Navigate;
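# Walk the sshd log named on the command line and, for every "Connection
# from" line, print the log lines that belong to that session: those of the
# parent sshd process and those of the "user child" process it announces.
# Each session's output ends with a "Successful auth:" verdict and "---".
#
# Exits with a usage message when no log file is given, instead of handing
# undef to File::Navigate->new.
die "usage: $0 LOGFILE\n" unless @ARGV;
my $nav = File::Navigate->new($ARGV[0]);

# Upper bound on log lines walked for one session without a terminating
# event, so an unterminated session cannot drag the scan through the
# whole file.
my $max_walked_lines = 10000;

# Lines that carry no information about the session and are not printed.
my $noise_re = qr/Deprecated pam_stack module/;

my @connects = @{ $nav->find(qr/sshd\[\d+\]: Connection from .+ port \d/) };

CONNECTION: foreach my $connect_pos (@connects) {
    $nav->cursor($connect_pos);
    my $connect_line = $nav->get();
    print "$connect_line\n";

    # The PID is taken from a \d+ capture only, so interpolating it into the
    # patterns below cannot alter their structure. Capture in the same
    # statement rather than reading $1 afterwards; every line from find()
    # matches this, but a stale $1 must never become the parent PID.
    my ($parent_pid) = $connect_line =~ /sshd\[(\d+)\]:/
        or next CONNECTION;

    my $child_pid    = 0;   # unknown until the "User child is on pid" line
    my $walked_lines = 0;
    my $auth_success = 0;

    # NOTE(review): assumes getnext() returns undef at end of file; the
    # defined() test keeps a line consisting solely of "0" from ending the walk.
    LINE: while (defined(my $line = $nav->getnext())) {
        next LINE unless $line =~ /sshd\[(?<pid>\d+)\]:/;
        my $this_pid = $+{pid};

        # Events that end this session. PIDs are recycled by the kernel, and
        # free-text fields in sshd log lines (user names, for instance) come
        # from the remote client, so these markers are heuristics, not proof
        # of where a session ends.
        if ($line =~ /sshd\[$parent_pid\]: Connection from .+ port \d/) {
            print "Stop: New connection on parent PID $parent_pid\n";
            last LINE;
        }
        elsif ($line =~ /sshd\[$child_pid\]: Connection from .+ port \d/) {
            print "Stop: New connection on child PID $child_pid\n";
            last LINE;
        }
        elsif ($line =~ /User child is on pid $parent_pid\b/) {
            print "Stop: Another user child on parent PID: $parent_pid\n";
            last LINE;
        }
        elsif ($line =~ /User child is on pid $child_pid\b/) {
            print "Stop: Another user child on child PID: $child_pid\n";
            last LINE;
        }
        elsif ($line =~ /sshd\[$parent_pid\]:.+session closed for user/) {
            print "$line <<< Done.\n";
            last LINE;
        }

        if ($this_pid == $parent_pid) {
            # Annotate the milestones of the parent process.
            if ($line =~ /sshd\[$parent_pid\]: Accepted publickey/) {
                $line .= " <<<< PUBKEY ACCEPTED";
            }
            elsif ($line =~ /sshd\[$parent_pid\]:.+session opened/) {
                $line .= " <<<< SESSION OPENED";
                $auth_success = 1;
            }
            elsif ($line =~ /sshd\[$parent_pid\]:.+User child is on pid (?<child>\d+)/) {
                # From here on the child's lines belong to this session too.
                $child_pid = $+{child};
                $line .= " <<< Got child PID: $child_pid";
            }
            print "$line\n" unless $line =~ $noise_re;
        }
        elsif ($this_pid == $child_pid) {
            print "$line\n" unless $line =~ $noise_re;
        }

        if (++$walked_lines >= $max_walked_lines) {
            print "Giving up search for parent $parent_pid / child $child_pid after $walked_lines lines.\n";
            last LINE;
        }
    }

    print 'Successful auth: ', ($auth_success ? 'YES' : 'NO'), "\n";
    print "---\n";
}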