Shell wrapper to run a login shell with `sudo` as the current user for the purpose of audit logging
solairerove and osterman Migrate to README.yaml template (#12)
Latest commit 62db621 Jan 5, 2019
LICENSE Initial commit Feb 28, 2017
README.yaml Migrate to README.yaml template (#12) Jan 4, 2019


Cloud Posse

Sudo Shell

Sudo Shell is a wrapper to run a login shell with sudo for the purpose of session audit logging.

This project is part of our comprehensive "SweetOps" approach towards DevOps.

It's 100% Open Source and licensed under the APACHE2.


The sudo command provides built-in session logging. Combined with sudoreplay it provides an easy way to review session logs on a bastion host. When used as a system login shell, it will force session logging.

Another common pattern is to use the OpenSSH ForceCommand directive in sshd_config combined with the script command to log sessions. This is ineffective because the user can easily bypass it.
Using sudosh provides a more secure alternative that cannot be bypassed since it does not depend on ForceCommand.


Here's how to use it in 3 easy steps. Check out the precompiled releases if you don't want to build it yourself.

  1. Enable sudo logging. Edit /etc/sudoers.d/sudosh:

         Defaults log_output
         Defaults!/usr/bin/sudoreplay !log_output
         Defaults!/sbin/reboot !log_output

  2. Add this command to /etc/shells:

         /usr/bin/sudosh

     Tip: to prevent users from using other shells to log in, remove those shells from /etc/shells.

  3. Update the user foobar to use the sudosh shell.

         chsh -s /usr/bin/sudosh foobar
         echo 'foobar ALL=(foobar) ALL' > /etc/sudoers.d/sudosh-foobar

NOTE: filenames in sudoers.d cannot contain the . character
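
The three steps above can be verified after the fact. The script below is an added example, not part of the sudosh project: it checks each step for one user and flags drop-in files that sudo would skip. The function names, the ROOT argument and the fixture contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the sudosh project): audit the README's three setup
# steps under a filesystem root; pass "" as ROOT to check the live system.
SUDOSH=/usr/bin/sudosh   # path used by the chsh command in step 3

fail() { echo "FAIL: $*"; rc=1; }

# check_sudosh ROOT USER: prints one finding per line, returns 1 on any failure.
check_sudosh() {
    root=$1 user=$2 rc=0
    # Step 1: output logging must be on, or sessions are not recorded.
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+log_output' \
        "$root/etc/sudoers.d/sudosh" 2>/dev/null ||
        fail "log_output not enabled in /etc/sudoers.d/sudosh"
    # Step 2: the wrapper must be listed in /etc/shells.
    grep -Fxq -e "$SUDOSH" "$root/etc/shells" 2>/dev/null ||
        fail "$SUDOSH missing from /etc/shells"
    # Step 3: the user's login shell (passwd field 7) must be sudosh ...
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' \
        "$root/etc/passwd" 2>/dev/null) || shell=
    [ "$shell" = "$SUDOSH" ] ||
        fail "login shell for $user is '${shell:-unset}', not $SUDOSH"
    # ... and the user needs the rule that lets sudo run as themselves.
    grep -Fxq -e "$user ALL=($user) ALL" \
        "$root/etc/sudoers.d/sudosh-$user" 2>/dev/null ||
        fail "no '$user ALL=($user) ALL' rule in /etc/sudoers.d/sudosh-$user"
    # sudo skips drop-in files whose name contains '.' or ends in '~'.
    for f in "$root"/etc/sudoers.d/*; do
        [ -e "$f" ] || continue
        case ${f##*/} in
            *.* | *~) fail "sudo ignores /etc/sudoers.d/${f##*/}" ;;
        esac
    done
    return "$rc"
}

# Constructed fixture: the files the README's steps produce for user foobar.
make_fixture() {
    d=$(mktemp -d) && mkdir -p "$d/etc/sudoers.d" || return 1
    printf 'Defaults log_output\n' > "$d/etc/sudoers.d/sudosh"
    printf '%s\n' "$SUDOSH" > "$d/etc/shells"
    printf 'foobar:x:1000:1000::/home/foobar:%s\n' "$SUDOSH" > "$d/etc/passwd"
    printf 'foobar ALL=(foobar) ALL\n' > "$d/etc/sudoers.d/sudosh-foobar"
    echo "$d"
}

fixture=$(make_fixture)
check_sudosh "$fixture" foobar && echo "OK: foobar is forced through sudosh"
rm -rf "$fixture"
```

A username containing a `.` produces a `sudosh-<user>` file name that the last check reports, since sudo would not read that rule.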


Got a question?

File a GitHub issue, send us an email or join our Slack Community.


Commercial Support

Work directly with our team of DevOps experts via email, Slack, and video conferencing.

We provide commercial support for all of our Open Source projects. As a Dedicated Support customer, you have access to our team of subject matter experts at a fraction of the cost of a full-time engineer.


  • Questions. We'll use a Shared Slack channel between your team and ours.
  • Troubleshooting. We'll help you triage why things aren't working.
  • Code Reviews. We'll review your Pull Requests and provide constructive feedback.
  • Bug Fixes. We'll rapidly work to fix any bugs in our projects.
  • Build New Terraform Modules. We'll develop original modules to provision infrastructure.
  • Cloud Architecture. We'll assist with your cloud strategy and design.
  • Implementation. We'll provide hands-on support to implement our reference architectures.

Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to roll out and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.


Sign up for our newsletter that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.


Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.


If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an email.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

  1. Fork the repo on GitHub
  2. Clone the project to your own machine
  3. Commit changes to your own branch
  4. Push your work back up to your fork
  5. Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!


Copyright © 2017-2018 Cloud Posse, LLC



See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.


All other trademarks referenced herein are the property of their respective owners.


This project is maintained and funded by Cloud Posse, LLC. Like it? Please let us know by leaving a testimonial!

Cloud Posse

We're a DevOps Professional Services company based in Los Angeles, CA. We ❤️ Open Source Software.

We offer paid support on all of our projects.

Check out our other projects, follow us on Twitter, apply for a job, or hire us to help with your cloud strategy and implementation.


Erik Osterman
