openssh and sftp logging

phospher

#1
Hi,

I'm using OpenSSH 5.1 on FreeBSD 7.2. I'm using the chroot feature in OpenSSH and allowing my users to connect using sftp clients. I want to know if there is any way to log sftp logins to wtmp. I would like to be able to use the command `last` so that I can see login dates etc.

Also, is there any way to log the file transactions, similar to what you would have in vsftpd in the vsftpd.log?

Thanks in advance.
 

DutchDaemon

#3
man-server appears to be down (from here anyway):

Code:
SFTP-SERVER(8)          FreeBSD System Manager's Manual         SFTP-SERVER(8)

NAME
     sftp-server -- SFTP server subsystem

SYNOPSIS
     sftp-server [-f log_facility] [-l log_level]

DESCRIPTION
     sftp-server is a program that speaks the server side of SFTP protocol to
     stdout and expects client requests from stdin.  sftp-server is not
     intended to be called directly, but from sshd(8) using the Subsystem
     option.

     Command-line flags to sftp-server should be specified in the Subsystem
     declaration.  See sshd_config(5) for more information.

     Valid options are:

     -f log_facility
             Specifies the facility code that is used when logging messages
             from sftp-server.  The possible values are: DAEMON, USER, AUTH,
             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
             The default is AUTH.

     -l log_level
             Specifies which messages will be logged by sftp-server.  The pos-
             sible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
             DEBUG1, DEBUG2, and DEBUG3.  INFO and VERBOSE log transactions
             that sftp-server performs on behalf of the client.  DEBUG and
             DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify higher
             levels of debugging output.  The default is ERROR.

     For logging to work, sftp-server must be able to access /dev/log.  Use of
     sftp-server in a chroot configuration therefore requires that syslogd(8)
     establish a logging socket inside the chroot directory.

SEE ALSO
     sftp(1), ssh(1), sshd_config(5), sshd(8)

     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
     filexfer-00.txt, January 2001, work in progress material.

HISTORY
     sftp-server first appeared in OpenBSD 2.8.

AUTHORS
     Markus Friedl <markus@openbsd.org>

FreeBSD 7.2                      July 18 2008                      FreeBSD 7.2
 

vivek

#5
phospher said:
Also, is there any way to log the file transactions, similar to what you would have in vsftpd in the vsftpd.log?
Nope.


If you need a vsftpd-style log file with FTP security, turn on SSL/TLS support in vsftpd. vsftpd also chroots users to their directory. It also supports virtual users (which is not supported by sftp-server and OpenSSH).
 
phospher

#6
Yeah, I used to use vsftpd, but I switched to sftp with OpenSSH because it only runs over one port and is easier to manage when your ISP blocks ports.
 
phospher

#8
You got it. So I'm messing with the log facility and log level, but I don't see how I can get the user logins to appear in wtmp using the last command. Any suggestions?
 

DutchDaemon

#9
Switch to sftp-server... It has the stuff you want built in, and it's just as much a part of OpenSSH. OK, so maybe not that particular wtmp stuff, but you can pipe the syslog output to a script and harvest whatever data you need.
 
phospher

#10
The important thing here is that I need to chroot my users who connect via sftp. According to the OpenSSH article found here: http://undeadly.org/cgi?action=article&sid=20080220110039

I must use "Subsystem sftp internal-sftp" within my sshd_config file for the chroot to work. Perhaps I'm missing something, or there is a better way to do this?

This is all working perfectly, but as I've stated, my only concern is the logging, or lack thereof.
 

DutchDaemon

#11
As the man page says, chrooting is totally feasible:

Code:
Use of
     sftp-server in a chroot configuration therefore requires that syslogd(8)
     establish a logging socket inside the chroot directory.
I think that's covered by a simple syslogd -s -l /some/chroot/dev/log
 

MarS

#12
I'd also like to have SFTP including logging. When I use
Code:
Subsystem      sftp    internal-sftp
everything works fine (except logging).

I added the following to rc.conf:
Code:
syslogd_flags="-s -l /home/chrootdir/dev/log"
Now when I replace the sftp subsystem in /etc/ssh/sshd_config with
Code:
Subsystem       sftp    /usr/libexec/sftp-server -l DEBUG3
I can't use SFTP anymore because the SFTP client can't log in.

/var/log/auth.log:
Code:
subsystem request for sftp
error: subsystem: cannot stat /usr/libexec/sftp-server: No such file or directory
subsystem request for sftp failed, subsystem not found
All I added to /etc/ssh/sshd_config is:
Code:
Match User user 
        ChrootDirectory /home/chrootdir
But /usr/libexec/sftp-server is there:
Code:
-r-xr-xr-x  1 root  wheel  33672 Dec  4 15:47 /usr/libexec/sftp-server
I am sure there is something I am missing... Is there somebody with a working chrooted SFTP setup using sftp-server?
 

SirDice

#13
MarS said:
But /usr/libexec/sftp-server is there:
-r-xr-xr-x 1 root wheel 33672 Dec 4 15:47 /usr/libexec/sftp-server
Yes, but it doesn't exist in the chroot'ed environment.
 

MarS

#14
SirDice said:
Yes, but it doesn't exist in the chroot'ed environment.
Tried that and copied /usr/libexec/sftp-server to /home/chrootdir/usr/libexec/sftp-server (also dependencies as listed by ldd). When I now try to login with my SFTP client, in /var/log/auth.log I get:
Code:
Accepted keyboard-interactive/pam for user from 192.168.1.106 port 51622 ssh2
subsystem request for sftp
That's it. I'm already at DEBUG3 level, so I can't make sftp-server more verbose.
 

mix_room

#16
Just for completeness' sake, as I solved this same problem today:

In /etc/ssh/sshd_config
Code:
Subsystem       sftp    internal-sftp -f AUTH -l VERBOSE

Match group SFTP-USER 
        ChrootDirectory /ChrootDir/
        ForceCommand    internal-sftp -f AUTH -l VERBOSE
and then restarted rc.d/sshd.
In syslog.conf I have
Code:
auth.info;authpriv.info                         /var/log/auth.log
I have all transfers logged to /var/log/auth.log now.

What might have been your problem is the path to the Chroot directory. For some reason sshd seems to believe that the chrooting should be at the user's home directory. That is if you have /ChrootDir/ as the ChrootDirectory, sshd will try to Chroot into $USERHOME/ChrootDir/ which might not be around.
 

Sigfrido

#18
mix_room said:
Just for completeness' sake, as I solved this same problem today:

In /etc/ssh/sshd_config
Code:
Subsystem       sftp    internal-sftp -f AUTH -l VERBOSE

Match group SFTP-USER 
        ChrootDirectory /ChrootDir/
        ForceCommand    internal-sftp -f AUTH -l VERBOSE
and then restarted rc.d/sshd.
In syslog.conf I have
Code:
auth.info;authpriv.info                         /var/log/auth.log
I have all transfers logged to /var/log/auth.log now.

What might have been your problem is the path to the Chroot directory. For some reason sshd seems to believe that the chrooting should be at the user's home directory. That is if you have /ChrootDir/ as the ChrootDirectory, sshd will try to Chroot into $USERHOME/ChrootDir/ which might not be around.
Same configuration, but it doesn't work; what is the home directory of the user you used to connect to sftp-server?

My conf:

Code:
sftp:*:1003:1001::0:0:SFTP Users:/xxx/yyy:/sbin/nologin
In /etc/sshd_config:

Code:
Subsystem       sftp    internal-sftp -f AUTH -l VERBOSE

Match group sftp
        ChrootDirectory /xxx/yyy
        ForceCommand    internal-sftp -f AUTH -l VERBOSE
where ChrootDirectory is the same as the home directory of the sftp user.

Permissions:

Code:
drwxr-xr-x  22 root      wheel     512 Nov  7 14:06 yyy
sftp can log in directly in /xxx/yyy/, but syslogd doesn't log its activity.
 
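Two things sshd(8) and syslogd(8) require here are easy to get wrong and produce exactly the symptoms in this thread: sshd refuses a ChrootDirectory unless the directory and every component of its path are owned by root and writable by nobody else (the drwxr-xr-x root:wheel on yyy above satisfies that for yyy, but /xxx has to pass too), and internal-sftp's messages are silently dropped unless syslogd -l has created a real socket at <chroot>/dev/log. The script below is an added pre-flight check written for this page, not code from the thread or from OpenSSH. The TOP and UID arguments are there only so it can be exercised on a scratch tree as an unprivileged user; in real use you call it with just the chroot path, and it walks up to / expecting uid 0.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): pre-flight checks for an
# sshd ChrootDirectory plus a syslogd -l socket inside it. POSIX sh only;
# ls -ldn prints the same first three fields (mode, links, numeric uid) on
# BSD and GNU, which is all that is parsed here.

# check_chroot_path DIR [TOP] [UID]
#   Walk from DIR up to TOP (default /) and require every component to be a
#   directory owned by UID (default 0) that is neither group- nor
#   world-writable, the rule sshd(8) applies to ChrootDirectory.
#   Prints the first offending path on stderr and returns 1.
check_chroot_path() {
    dir=$1
    top=${2:-/}
    want_uid=${3:-0}
    while :; do
        if [ ! -d "$dir" ]; then
            echo "BAD: $dir is not a directory" >&2
            return 1
        fi
        # Positional parameters are local to the function in POSIX sh, so
        # reusing them to split the ls line does not clobber the caller's.
        set -- $(ls -ldn "$dir")          # $1 = mode string, $3 = numeric uid
        mode=$1
        uid=$3
        if [ "$uid" != "$want_uid" ]; then
            echo "BAD: $dir is owned by uid $uid, want $want_uid" >&2
            return 1
        fi
        case "$mode" in
            ?????w*|????????w*)           # char 6 = group write, char 9 = other write
                echo "BAD: $dir is group/world writable ($mode)" >&2
                return 1 ;;
        esac
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = "/" ] && return 0      # reached the root without meeting TOP
        dir=$(dirname "$dir")
    done
}

# check_chroot_log_socket DIR
#   syslogd -l DIR/dev/log creates a Unix-domain socket there. A regular file
#   (touch) or nothing at all means sftp-server's syslog() calls go nowhere.
check_chroot_log_socket() {
    if [ -S "$1/dev/log" ]; then
        return 0
    fi
    echo "BAD: $1/dev/log is not a socket; start syslogd with -l $1/dev/log" >&2
    return 1
}

# Stand-alone use:  sh check_chroot.sh /ChrootDirectory
if [ -n "${1:-}" ]; then
    check_chroot_path "$1" && check_chroot_log_socket "$1" && echo "OK: $1"
fi
```

Run it as root against the configured ChrootDirectory before restarting sshd; a failure from the first function is the usual reason a client gets "subsystem request for sftp" in auth.log and then nothing, and a failure from the second is why transfers are not logged even though logins are.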

mix_room

#19
Sigfrido said:
Same configuration, but it doesn't work; what is the home directory of the user you used to connect to sftp-server?
They have different ones. I have one which has / as the home directory, one which has /home/$USER and one which has $CHROOTPLACEHOLDER/$USER. They all show up in the logging.

Did you remember to restart syslogd?
 

Sigfrido

#20
Yep, without results: as usual, syslog logs only logins in /var/log/auth.log, not activity via sftp.

Any clue?

Did you edit /etc/rc.conf with:
Code:
syslogd_flags="-s -l /ChrootDirectory/dev/log"
I didn't understand if you followed what syslogd(8) says:

Code:
     For logging to work, sftp-server must be able to access /dev/log.  Use of
     sftp-server in a chroot configuration therefore requires that syslogd(8)
     establish a logging socket inside the chroot directory.
 

Sigfrido

#21
Update.

I've created the directory and a log file:

Code:
# mkdir /ChrootDirectory/dev/
# chmod 755 /ChrootDirectory/dev/
# touch /ChrootDirectory/dev/log
Maybe it works by linking /dev/log, like:
Code:
ln /dev/log /ChrootDirectory/dev/log
but I didn't try it.

Next, I've updated /etc/rc.conf with:

Code:
syslogd_flags="-s -l /ChrootDirectory/dev/log"
Restarted services, and it worked; now I can see the activity entries in /var/log/auth.log, like:

Code:
myserver internal-sftp[1249]: open "/mydomain/file1.html" flags READ mode 0666
myserver internal-sftp[1249]: close "/mydomain/file1.html" bytes read 3443 written 0
Is there a way to hide or make inaccessible /ChrootDirectory/dev/log to the chrooted user without compromising logging activity?

@DutchDaemon: thanks for fixing post format
 
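The open/close pairs above are what VERBOSE logging gives you per file, and turning them into something readable is the "pipe the syslog output to a script" DutchDaemon suggested earlier. The awk script below is an added example written for this page, not from the thread or from OpenSSH: it rolls the close lines up into bytes read and written per user and file. The internal-sftp[PID] in each line is tied back to a user through the "session opened for local user NAME from [ADDR]" line that sftp-server logs at INFO level when the subsystem starts (that line's wording is assumed from OpenSSH's sftp-server, not shown in the thread); the log lines it runs over are constructed in the format of the auth.log entries quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): summarise internal-sftp VERBOSE log lines
# into "user<TAB>file<TAB>bytes_read<TAB>bytes_written", one line per user+file.

# Constructed sample in the format of the auth.log lines quoted in the thread.
# The "session opened" wording is assumed from OpenSSH's sftp-server.
SAMPLE='Nov  7 14:10:01 myserver internal-sftp[1249]: session opened for local user sftp from [192.168.1.106]
Nov  7 14:10:05 myserver internal-sftp[1249]: open "/mydomain/file1.html" flags READ mode 0666
Nov  7 14:10:05 myserver internal-sftp[1249]: close "/mydomain/file1.html" bytes read 3443 written 0
Nov  7 14:10:09 myserver internal-sftp[1249]: open "/mydomain/upload.bin" flags WRITE,CREATE,TRUNCATE mode 0644
Nov  7 14:10:12 myserver internal-sftp[1249]: close "/mydomain/upload.bin" bytes read 0 written 20480
Nov  7 14:11:00 myserver internal-sftp[1302]: session opened for local user bob from [192.168.1.107]
Nov  7 14:11:03 myserver internal-sftp[1302]: close "/mydomain/file1.html" bytes read 3443 written 0'

# sftp_summary: reads syslog lines on stdin, writes the sorted summary on stdout.
sftp_summary() {
    awk '
    function pid_of(line,    p) {            # "... internal-sftp[1249]: ..." -> 1249
        p = line
        sub(/.*internal-sftp\[/, "", p)
        sub(/\].*/, "", p)
        return p
    }
    # Session start: remember which user owns this PID.
    /internal-sftp\[[0-9]+\]: session opened for local user / {
        u = $0
        sub(/.*session opened for local user /, "", u)
        sub(/ from .*/, "", u)
        who[pid_of($0)] = u
        next
    }
    # File close: carries the byte counters for that open/close pair.
    /internal-sftp\[[0-9]+\]: close "/ {
        f = $0
        sub(/.*close "/, "", f)
        sub(/".*/, "", f)
        rd = 0; wr = 0
        n = split($0, t, " ")
        for (i = 1; i < n; i++) {
            if (t[i] == "read")    rd = t[i + 1] + 0
            if (t[i] == "written") wr = t[i + 1] + 0
        }
        p = pid_of($0)
        u = (p in who) ? who[p] : "pid:" p   # close seen without a session line
        key = u "\t" f
        bytes_read[key] += rd
        bytes_written[key] += wr
        next
    }
    END {
        for (k in bytes_read)
            printf "%s\t%d\t%d\n", k, bytes_read[k], bytes_written[k]
    }' | sort
}

# sample_summary: the summary over the constructed sample above.
sample_summary() {
    printf '%s\n' "$SAMPLE" | sftp_summary
}

# Usage:  sh sftp_summary.sh --sample
#         . ./sftp_summary.sh; sftp_summary < /var/log/auth.log
case "${1:-}" in
    --sample) sample_summary ;;
esac
```

Keyed on the PID alone this is only as good as the log's ordering: a PID reused after a rotation or a very long-lived host would attribute a later session's closes to the earlier user, so for anything beyond a quick report, key on the session open/close pair (the "session closed for local user" line) or on timestamp plus PID.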