1. First party opens a protocol tunnel and after that an SSH Session with putty to the Endpoint. 2. Auditing party opens a protocol tunnel and after that an SSH Session with putty to the Endpoint. 3. Auditing party checks its own pts id with the following command: > who am i 4. Auditing party now checks who else is logged in with the following command: > who -a 5. Now remember the [ptsid] that is not your own (from Step 3). 6. Now we are going to "mirror" the other users SSH session: > tty=pts/[ptsid] > sudo peekfd -8cnd $(ps -fat | grep "$tty *Ss" | awk '{print$1}') 0 1 2 Alternatively a 3rd party tool like ssh-audit can be used for that purpose.