From 3c20e854aab209494f68be2c2b26706d0598657f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Torjus=20H=C3=A5kestad?= <torjus@usit.uio.no>
Date: Sun, 15 Feb 2026 17:25:52 +0100
Subject: [PATCH] docs: add plan for capturing SSH exec commands (PLAN.md 4.4)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 PLAN.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/PLAN.md b/PLAN.md
index 32b213e..6efb77a 100644
--- a/PLAN.md
+++ b/PLAN.md
@@ -200,3 +200,13 @@ Goal: Make the web UI great and add operational niceties.
 - Embed a lightweight GeoIP database or use an API ✅
 - Store country/city with each attempt ✅
 - Aggregate stats by country ✅
+
+### 4.4 Capture SSH Exec Commands
+Many bots send a command directly via `ssh user@host <command>` (an SSH "exec" request) rather than requesting an interactive shell. Currently these are rejected and the command is lost. We should capture them.
+
+- Handle `"exec"` request type in the server's request loop (alongside `"pty-req"` and `"shell"`)
+- Parse the command string from the exec payload
+- Add an `exec_command` column (nullable) to the `sessions` table via a new migration
+- Store the command on the session record before closing the channel
+- Optionally return plausible fake output for common commands (e.g. `uname`, `id`, `cat /etc/passwd`) to encourage further interaction
+- Surface exec commands in the web UI (session detail view)