vietnamspot.blogg.se

The logs will end up in /var/log/sftp.log: Mar 9 12:28:46 rhel6 internal-sftp: received client version 3 Or we can again use log_facility in /etc/ssh/sshd_config to achieve the same results: Subsystem sftp internal-sftp -l VERBOSE -f LOCA元Īnd in /etc/nf: input(type="imuxsock" Socket="/chroots/user/dev/log" CreatePath="on") Via socket in chroot, filtering by log facility Important is to set up SELinux rules for rsyslog, so that it has access to this socket, SELinux rules for sshd ( internal-sftp), so that it has access to the /chroots/user/ directory, and SELinux and Linux ACL for the socket directory /chroots/user/dev/ (default is 0700 root owned). This setup requires more configuration but gives clean results. Mar 9 10:53:40 user internal-sftp: lstat name "/" Mar 9 10:53:39 user internal-sftp: realpath "." If $fromhost = 'user' then /var/log/sftp.logĪfter restarting sshd and rsyslog, we can get these log entries in /var/log/sftp.log: Mar 9 10:53:39 user internal-sftp: received client version 3 The following example is for rsyslog v7 ( rsyslog7 package): input(type="imuxsock" HostName="user" Socket="/chroots/user/dev/log" CreatePath="on") If we want to log through the /dev/log socket in chroot, we set up /etc/ssh/sshd_config in the same way like in previous point, but we specify rsyslog configuration in /etc/rsyslog.d/nf, which creates the required socket automatically. This use case doesn't allow us to log into different files, because the log_facility option is honoured only for newly open log descriptors, but this is skipped in this case by the sftp-server. Mar 9 10:04:36 localhost sshd: lstat name "/" Mar 9 10:04:35 localhost sshd: realpath "."

In order to enable chroot, we need to modify /etc/ssh/sshd_config in this way: Subsystem sftp internal-sftp -l VERBOSEĪfter restarting sshd and performing sftp session with user from group sftponly, we will get these lines in /var/log/secure (note the process name sshd instead of sftp-server, because the file descriptor is owned by the privileged monitor, not the sftp-server) : Mar 9 10:04:35 localhost sshd: received client version 3 The base release of openssh doesn't have the ability to log from a chrooted environment, if there is no available and configured socket located in /dev/log. However, both options require to use the internal-sftp subsystem instead of the executable path like above, because there is no such file in chroot. The other case is to have a /dev/log socket configured, which should be honoured by sshd and has higher priority over logging through the monitor. This is useful if there are many users and no way to have a separate /dev/log socket in every chroot. One is chroot without any support files, which requires logging through a privileged monitor. When using chroot, there are basically two possibilities.

The messages are now logged to /var/log/sftp.log and owing to the presence of '&~' they would be limited to /var/log/sftp.log only. *.info mail.none authpriv.none cron.none /var/log/messages

If you'd like to log the sftp transactions in one specific only then edit the /etc/nf file to have the following lines :.

Mar 9 09:49:04 localhost sftp-server: lstat name "/root" Mar 9 09:49:02 localhost sftp-server: realpath "." If you want to achieve logging into a different file, you have to configure rsyslog to direct messages into the other file, for example using the log_facility option, in /etc/ssh/sshd_config: Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE -f LOCA元Īnd in /etc/nf: local3.* /var/log/sftp.logĪfter restarting sshd and rsyslog, you will find the following logs in /var/log/sftp.log: Mar 9 09:49:02 localhost sftp-server: received client version 3 Mar 9 09:39:09 localhost sftp-server: lstat name "/root" Mar 9 09:39:07 localhost sftp-server: realpath "." Logging without chroot Single fileīasically, if we don't use chroot, we can rely on the default configuration and the only thing needed is to allow logging from sftp-server by adding command-line arguments to the Subsystem sftp line in /etc/ssh/sshd_config: Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSEĪfter restarting sshd and performing sftp session, these lines will appear in /var/log/messages: Mar 9 09:39:07 localhost sftp-server: received client version 3 On the next lines, I would like to elaborate on the possibilities. This was finally solved in RHEL 6 using file descriptor passing and in RHEL 7 this feature is achieved using a privileged monitor. In the past, there were problems with logging user activity in chrooted environment because of missing files to do so. Using sftp to store data on a file server became a popular and secure way.