openssh and sftp logging


phospher
May 27th, 2009, 14:35
Hi,

I'm using openssh 5.1 on FreeBSD 7.2. I'm using the chroot feature in openssh and allowing my users to connect using sftp clients. I want to know if there is anyway to log sftp logins to wtmp. I would like to be able to use the command `last` so that I can see login dates etc..

Also, is there anyway to log the file transactions similiar to what you would have in vsftpd in the vsftpd.log?

Thanks in advance.

DutchDaemon
May 27th, 2009, 14:43
sftp-server?

DutchDaemon
May 27th, 2009, 14:50
man-server appears to be down (from here anyway):


SFTP-SERVER(8) FreeBSD System Manager's Manual SFTP-SERVER(8)

NAME
sftp-server -- SFTP server subsystem

SYNOPSIS
sftp-server [-f log_facility] [-l log_level]

DESCRIPTION
sftp-server is a program that speaks the server side of SFTP protocol to
stdout and expects client requests from stdin. sftp-server is not
intended to be called directly, but from sshd(8) using the Subsystem
option.

Command-line flags to sftp-server should be specified in the Subsystem
declaration. See sshd_config(5) for more information.

Valid options are:

-f log_facility
Specifies the facility code that is used when logging messages
from sftp-server. The possible values are: DAEMON, USER, AUTH,
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.

-l log_level
Specifies which messages will be logged by sftp-server. The
possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions
that sftp-server performs on behalf of the client. DEBUG and
DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher
levels of debugging output. The default is ERROR.

For logging to work, sftp-server must be able to access /dev/log. Use of
sftp-server in a chroot configuration therefore requires that syslogd(8)
establish a logging socket inside the chroot directory.

SEE ALSO
sftp(1), ssh(1), sshd_config(5), sshd(8)

T. Ylonen and S. Lehtinen, SSH File Transfer Protocol,
draft-ietf-secsh-filexfer-00.txt, January 2001, work in progress material.

HISTORY
sftp-server first appeared in OpenBSD 2.8.

AUTHORS
Markus Friedl <markus@openbsd.org>

FreeBSD 7.2 July 18 2008 FreeBSD 7.2

phospher
May 27th, 2009, 14:52
I'm using "internal-sftp"

vivek
May 27th, 2009, 14:52
Also, is there anyway to log the file transactions similiar to what you would have in vsftpd in the vsftpd.log?
Noop.


If you need a vsftpd-style log file with FTP security, turn on SSL/TLS support in VSFTPD. VSFTPD also chroots users to their directory. It also supports virtual users (which are not supported by sftp-server and openssh).

phospher
May 27th, 2009, 15:02
Yeah, I used to use vsftpd, but I switched to sftp with openssh because it only runs over one port and is more easily managed when your ISP blocks ports.

vivek
May 27th, 2009, 15:05
Yes, classic ISP stuff.. you can't have your cake and eat it too!

phospher
May 27th, 2009, 15:09
You got it. So I'm messing with the log facility and log level, but I don't see how I can get the user logins to appear in wtmp using the last command. Any suggestions?

DutchDaemon
May 27th, 2009, 15:12
Switch to sftp-server .... It has the stuff you want built-in, and it's just as much part of openssh. Ok, so maybe not that particular wtmp stuff, but you can pipe the syslog output to a script and harvest whatever data you need.

phospher
May 27th, 2009, 15:18
The important thing here is that I need to chroot my users who connect via sftp. According to the openssh article found here: http://undeadly.org/cgi?action=article&sid=20080220110039

I must use "Subsystem sftp internal-sftp" within my sshd_config file for the chroot to work. Perhaps I'm missing something, or there is a better way to do this?

This is all working perfectly, but as I've stated, my only concern is the logging or lack thereof.

DutchDaemon
May 27th, 2009, 15:23
As the man page says, chrooting is totally feasible:

Use of
sftp-server in a chroot configuration therefore requires that syslogd(8)
establish a logging socket inside the chroot directory.

I think that's covered by a simple syslogd -s -l /some/chroot/dev/log

MarS
February 3rd, 2010, 10:16
I'd also like to have SFTP including logging. When I use
Subsystem sftp internal-sftp
everything works fine (except logging).

I added the following to rc.conf:
syslogd_flags="-s -l /home/chrootdir/dev/log"

Now when I replace the sftp subsystem in /etc/ssh/sshd_config with
Subsystem sftp /usr/libexec/sftp-server -l DEBUG3
I can't use SFTP anymore because the SFTP client can't log in.

/var/log/auth.log:
subsystem request for sftp
error: subsystem: cannot stat /usr/libexec/sftp-server: No such file or directory
subsystem request for sftp failed, subsystem not found


All I added to /etc/ssh/sshd_config is:
Match User user
ChrootDirectory /home/chrootdir

But /usr/libexec/sftp-server is there:
-r-xr-xr-x 1 root wheel 33672 Dec 4 15:47 /usr/libexec/sftp-server

I am sure there is something I am missing... Is there somebody with a working chrooted SFTP setup using sftp-server?

SirDice
February 3rd, 2010, 11:38
But /usr/libexec/sftp-server is there:
-r-xr-xr-x 1 root wheel 33672 Dec 4 15:47 /usr/libexec/sftp-server
Yes, but it doesn't exist in the chroot'ed environment.

MarS
February 3rd, 2010, 11:45
Yes, but it doesn't exist in the chroot'ed environment.

Tried that and copied /usr/libexec/sftp-server to /home/chrootdir/usr/libexec/sftp-server (also dependencies as listed by ldd). When I now try to login with my SFTP client, in /var/log/auth.log I get:
Accepted keyboard-interactive/pam for user from 192.168.1.106 port 51622 ssh2
subsystem request for sftp

That's it. I'm already at DEBUG3 level, so I can't make sftp-server more verbose.

MarS
February 12th, 2010, 07:14
Answering myself here ...

Just quickly tried the newest version of ftp/proftpd-devel including SFTP support (http://www.freebsd.org/cgi/query-pr.cgi?pr=143018) and it works beautifully including logging.

mix_room
October 6th, 2011, 09:40
Just for completeness' sake, as I solved this same problem today:

In /etc/ssh/sshd_config

Subsystem sftp internal-sftp -f AUTH -l VERBOSE

Match group SFTP-USER
ChrootDirectory /ChrootDir/
ForceCommand internal-sftp -f AUTH -l VERBOSE


and then restarted rc.d/sshd
In syslog.conf I have

auth.info;authpriv.info /var/log/auth.log


I have all transfers logged to /var/log/auth.log now.

What might have been your problem is the path to the Chroot directory. For some reason sshd seems to believe that the chrooting should be at the user's home directory. That is, if you have /ChrootDir/ as the ChrootDirectory, sshd will try to chroot into $USERHOME/ChrootDir/, which might not be around.
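
The working configuration above depends on three things lining up, and the rest of the thread shows what happens when one of them does not: the sftp-server log level (only INFO and VERBOSE log transactions, per the man page quoted earlier), the ChrootDirectory itself (sshd refuses a chroot that is not root-owned or is group/world-writable), and the syslog socket that syslogd -s -l creates at <chroot>/dev/log. The Python script below is an added example, not code from the thread or from OpenSSH. The function names parse_sshd_config, sftp_log_level, check_config, check_chroot and demo_chroot_findings, the sample sshd_config fragment (constructed here in the shape posted above) and the expected_uid parameter are assumptions of this example. It reads sshd_config the way sshd does (keywords before the first Match are global, keywords after a Match line belong to that block) and reports anything that would leave transfers unlogged or the chroot refused.

```python
"""Sanity-check a chrooted internal-sftp logging setup (added example, not from the thread)."""
import os
import shlex
import shutil
import stat
import tempfile

# sftp-server levels that include the per-file transaction log (man page: INFO and VERBOSE)
LOGGING_LEVELS = {"INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"}

# Constructed sshd_config fragment in the shape posted above (assumed input)
SAMPLE_SSHD_CONFIG = """\
Subsystem sftp internal-sftp -f AUTH -l VERBOSE

Match group SFTP-USER
    ChrootDirectory /ChrootDir/
    ForceCommand internal-sftp -f AUTH -l VERBOSE
"""


def parse_sshd_config(text):
    """Return (global_opts, [(match_spec, opts), ...]); opts map lower-case keyword -> [values].
    Keywords after a Match line belong to that block, as sshd itself reads them."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kw, _, rest = line.partition(" ")
        kw, rest = kw.lower(), rest.strip()
        if kw == "match":
            current = {}
            blocks.append((rest, current))
        else:
            (global_opts if current is None else current).setdefault(kw, []).append(rest)
    return global_opts, blocks


def sftp_log_level(command):
    """Effective -l level of an internal-sftp / sftp-server command line (default ERROR),
    or None if the command is something else entirely."""
    argv = shlex.split(command)
    if not argv or not argv[0].endswith(("internal-sftp", "sftp-server")):
        return None
    level = "ERROR"
    for i, arg in enumerate(argv):
        if arg == "-l" and i + 1 < len(argv):
            level = argv[i + 1].upper()
    return level


def check_config(text):
    """Findings for sshd_config settings that would leave sftp transfers unlogged."""
    findings = []
    global_opts, blocks = parse_sshd_config(text)
    for value in global_opts.get("subsystem", []):
        name, _, cmd = value.partition(" ")
        level = sftp_log_level(cmd)
        if name == "sftp" and level not in LOGGING_LEVELS:
            findings.append(f"Subsystem sftp runs at {level or 'n/a'}: add -l INFO or -l VERBOSE")
    for spec, opts in blocks:
        if "chrootdirectory" not in opts:
            continue
        for cmd in opts.get("forcecommand", []):
            level = sftp_log_level(cmd)
            if level is None:
                findings.append(f"Match {spec}: ForceCommand is not internal-sftp or sftp-server")
            elif level not in LOGGING_LEVELS:
                findings.append(f"Match {spec}: ForceCommand runs at {level}: add -l INFO or -l VERBOSE")
    return findings


def check_chroot(path, expected_uid=0):
    """sshd insists the ChrootDirectory is root-owned and not group/world-writable;
    logging from inside it needs the socket syslogd -s -l creates at <chroot>/dev/log."""
    findings = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append(f"{path} is not owned by uid {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group/world-writable; sshd will refuse the chroot")
    sock = os.path.join(path, "dev", "log")
    if not os.path.lexists(sock):
        findings.append(f'{sock} missing: set syslogd_flags="-s -l {sock}" and restart syslogd')
    elif not stat.S_ISSOCK(os.stat(sock).st_mode):
        findings.append(f"{sock} is not a socket: syslogd is not listening there yet")
    return findings


def demo_chroot_findings():
    """Exercise check_chroot on a throwaway directory (owned by the current user, so
    expected_uid is passed explicitly): a merely touched dev/log, then a world-writable root."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "dev"))
        open(os.path.join(root, "dev", "log"), "w").close()   # a plain file, like `touch`
        touched_only = check_chroot(root, expected_uid=os.getuid())
        os.chmod(root, 0o777)
        world_writable = check_chroot(root, expected_uid=os.getuid())
    finally:
        shutil.rmtree(root)
    return touched_only, world_writable


if __name__ == "__main__":
    print(check_config(SAMPLE_SSHD_CONFIG) or "sshd_config: ok")
    for case in demo_chroot_findings():
        print(case)
```

On a real host you would call check_config on the contents of /etc/ssh/sshd_config and check_chroot on the ChrootDirectory with the default expected_uid of 0; the demo function only exists to show the two failure modes on a temporary directory.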

olav
October 6th, 2011, 11:57
Another alternative is using the MySecureShell (http://mysecureshell.sourceforge.net/en/index.html) which comes with sftp logging.

Sigfrido
November 8th, 2011, 13:20
Just for completeness' sake, as I solved this same problem today:

In /etc/ssh/sshd_config

Subsystem sftp internal-sftp -f AUTH -l VERBOSE

Match group SFTP-USER
ChrootDirectory /ChrootDir/
ForceCommand internal-sftp -f AUTH -l VERBOSE


and then restarted rc.d/sshd
In syslog.conf I have

auth.info;authpriv.info /var/log/auth.log


I have all transfers logged to /var/log/auth.log now.

What might have been your problem is the path to the Chroot directory. For some reason sshd seems to believe that the chrooting should be at the user's home directory. That is, if you have /ChrootDir/ as the ChrootDirectory, sshd will try to chroot into $USERHOME/ChrootDir/, which might not be around.

Same configuration but it doesn't work; what is the homedir of the user you used to connect to sftp-server?

My conf:

sftp:*:1003:1001::0:0:SFTP Users:/xxx/yyy:/sbin/nologin

in /etc/sshd_config:


Subsystem sftp internal-sftp -f AUTH -l VERBOSE

Match group sftp
ChrootDirectory /xxx/yyy
ForceCommand internal-sftp -f AUTH -l VERBOSE


where ChrootDirectory is the same as the home directory of the sftp user.

Permissions:

drwxr-xr-x 22 root wheel 512 Nov 7 14:06 yyy

sftp can log in directly to /xxx/yyy/, but syslogd doesn't log its activity.

mix_room
November 8th, 2011, 15:45
same configuration but it doesn't work; what is the homedir of the user you used to connect to sftp-server?

They have different ones. I have one which has / as the home-directory, one which has /home/$USER and one which has $CHROOTPLACEHOLDER/$USER. They all show up in the logging.

Did you remember to restart syslogd?

Sigfrido
November 8th, 2011, 16:20
Yep, without results: as usual syslog logs in /var/log/auth.log only logins but not activity via sftp.

Any clue?

Did you edit /etc/rc.conf with:
syslogd_flags="-s -l /ChrootDirectory/dev/log"

I didn't understand if you followed what syslogd says:

For logging to work, sftp-server must be able to access /dev/log. Use of
sftp-server in a chroot configuration therefore requires that syslogd(8)
establish a logging socket inside the chroot directory.

Sigfrido
November 9th, 2011, 15:54
Update.

I've created the directory and a log file:

# mkdir /ChrootDirectory/dev/
# chmod 755 /ChrootDirectory/dev/
# touch /ChrootDirectory/dev/log

Maybe it would work by linking /dev/log, like:
ln /dev/log /ChrootDirectory/dev/log

but I didn't try it.

Next, I've updated /etc/rc.conf with:

syslogd_flags="-s -l /ChrootDirectory/dev/log"

Restarted services, and it worked; now I can see the activity entries in /var/log/auth.log, like:

myserver internal-sftp[1249]: open "/mydomain/file1.html" flags READ mode 0666
myserver internal-sftp[1249]: close "/mydomain/file1.html" bytes read 3443 written 0

Is there a way to hide or make inaccessible /ChrootDirectory/dev/log to the Chrooted user w/o compromising logging activity?

@DutchDaemon: thanks for fixing post format
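
The two auth.log entries above are the raw material for the vsftpd.log-style transfer record phospher asked for at the start of the thread, but they have to be correlated per sftp-server process: the open line carries the access flags, the close line carries the byte counts, and the "session opened/closed for local user ... from [...]" lines that sftp-server logs at VERBOSE carry the user and peer address. The Python script below is an added example, not code from the thread or from OpenSSH. The sample log is constructed here, modelled on the two entries above plus those session lines, and the names parse_sftp_log, bytes_per_user and vsftpd_style are assumptions of this example. It goes beyond the two lines shown in one respect: a close with no session line for its pid (a process that started before the log did, or a truncated file) is kept with the user recorded as unknown rather than silently dropped.

```python
"""Turn VERBOSE internal-sftp entries in auth.log into per-transfer records
(added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample of auth.log. The open/close lines mirror the two entries
# posted above; the session lines follow sftp-server's VERBOSE messages; the
# final line is an orphan close with no session line, to exercise that case.
SAMPLE_LOG = """\
May  9 10:01:02 myserver sshd[1240]: Accepted keyboard-interactive/pam for alice from 192.168.1.106 port 51622 ssh2
May  9 10:01:03 myserver internal-sftp[1249]: session opened for local user alice from [192.168.1.106]
May  9 10:01:05 myserver internal-sftp[1249]: open "/mydomain/file1.html" flags READ mode 0666
May  9 10:01:05 myserver internal-sftp[1249]: close "/mydomain/file1.html" bytes read 3443 written 0
May  9 10:01:09 myserver internal-sftp[1249]: open "/mydomain/upload.bin" flags WRITE,CREATE,TRUNCATE mode 0644
May  9 10:01:12 myserver internal-sftp[1249]: close "/mydomain/upload.bin" bytes read 0 written 1048576
May  9 10:01:20 myserver internal-sftp[1249]: session closed for local user alice from [192.168.1.106]
May  9 10:02:00 myserver internal-sftp[1301]: close "/orphan.txt" bytes read 12 written 0
"""

# syslog prefix; the timestamp is optional so the bare lines quoted above parse too
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) )?"
    r"(?P<host>\S+) internal-sftp\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SESSION_RE = re.compile(
    r"^session (?P<state>opened|closed) for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]$"
)
OPEN_RE = re.compile(r'^open "(?P<path>.*)" flags (?P<flags>[A-Z,]+) mode (?P<mode>0[0-7]*)$')
CLOSE_RE = re.compile(r'^close "(?P<path>.*)" bytes read (?P<read>\d+) written (?P<written>\d+)$')


@dataclass
class Transfer:
    user: str          # "?" when no session line was seen for this pid
    ip: str
    pid: str
    path: str
    direction: str     # download, upload, read/write or unknown
    bytes_read: int
    bytes_written: int


def _direction(flags: str) -> str:
    """Map the open flags (READ, WRITE, READ,WRITE,CREATE, ...) to a transfer direction."""
    fl = set(flags.split(",")) if flags else set()
    if {"READ", "WRITE"} <= fl:
        return "read/write"
    if "WRITE" in fl:
        return "upload"
    if "READ" in fl:
        return "download"
    return "unknown"


def parse_sftp_log(text: str) -> list:
    """Correlate session/open/close lines per sftp-server pid into Transfer records."""
    sessions = {}    # pid -> (user, ip) from the session opened line
    pending = {}     # (pid, path) -> flags from the matching open line
    transfers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # not an internal-sftp line (sshd, cron, ...)
        pid, msg = m["pid"], m["msg"]
        if s := SESSION_RE.match(msg):
            if s["state"] == "opened":
                sessions[pid] = (s["user"], s["ip"])
            else:
                sessions.pop(pid, None)
        elif o := OPEN_RE.match(msg):
            pending[(pid, o["path"])] = o["flags"]
        elif c := CLOSE_RE.match(msg):
            user, ip = sessions.get(pid, ("?", "?"))          # orphan close: user unknown
            flags = pending.pop((pid, c["path"]), "")
            transfers.append(Transfer(user, ip, pid, c["path"], _direction(flags),
                                      int(c["read"]), int(c["written"])))
    return transfers


def bytes_per_user(transfers) -> dict:
    """Totals of (bytes read, bytes written) keyed by user."""
    totals = {}
    for t in transfers:
        r, w = totals.get(t.user, (0, 0))
        totals[t.user] = (r + t.bytes_read, w + t.bytes_written)
    return totals


def vsftpd_style(transfers) -> list:
    """One line per transfer, in the spirit of vsftpd.log."""
    return [f"{t.user} {t.ip} {t.direction.upper()} {t.path} "
            f"read={t.bytes_read} written={t.bytes_written}" for t in transfers]


if __name__ == "__main__":
    for line in vsftpd_style(parse_sftp_log(SAMPLE_LOG)):
        print(line)
```

Run it against /var/log/auth.log once syslogd is listening inside the chroot; lines from other daemons are skipped, and the per-user totals from bytes_per_user are the kind of number worth alerting on when a chrooted account suddenly moves far more data than usual.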