
OpenSSH logging with ChrootDirectory

Posted by niol on Mon 4 May 2009 at 14:01

Finally following up on the previous article on the subject, I found some time to investigate logging what happens in an internal-sftp session using rsyslog.

Making syslog available in the chroot

Simply create a dev directory in each of the chosen users' chroot directories.

# mkdir /home/user/dev

Configuring rsyslog to listen on the new logging socket

Simply drop the following contents in /etc/rsyslog.d/sshd.conf:

# Create an additional socket for some of the sshd chrooted users.
$AddUnixListenSocket /var/fileserv/dev/log

# Log internal-sftp in a separate file
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~

Configuring openssh for logging

Following the previous article, /etc/sshd_config should be changed. The Subsystem sftp line should read:

Subsystem sftp internal-sftp -l VERBOSE

The Match sections should look like the following:

Match group sftponly
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp -l VERBOSE

Because of a limitation in OpenSSH versions earlier than 5.2, the ForceCommand line cannot carry logging parameters. Omitting the ForceCommand directive, however, implicitly gives the user shell access inside the chroot directory if he has upload privileges. In my view that is a security risk, which is why I would say that enabling logging in this configuration requires OpenSSH 5.2 or later.

Log rotation for the new log file

Drop the following file in /etc/logrotate.d:

/var/log/sftp.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        postrotate
                invoke-rc.d rsyslog reload > /dev/null
        endscript
}
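Since rsyslog can only receive messages from a socket that lives inside each user's chroot, the setup above has to be repeated for every sftp-only user. The following script is an added example (not part of the original article) that generates the rsyslog snippet with one $AddUnixListenSocket per user, creates the matching dev/ directories, and checks that a chroot root is not group- or world-writable, which OpenSSH requires for every component of ChrootDirectory. The base directory and user names are assumptions for demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. Helpers for setting up
# rsyslog logging inside OpenSSH ChrootDirectory homes for sftp-only users.
# Base directory and user names below are assumptions for demonstration.

# Print a rsyslog snippet with one $AddUnixListenSocket per user under BASE,
# followed by the same internal-sftp filter rules the article uses.
# Usage: gen_rsyslog_snippet BASE USER...
gen_rsyslog_snippet() {
    base=$1; shift
    printf '# Additional syslog sockets for chrooted sftp users (generated)\n'
    for u in "$@"; do
        printf '$AddUnixListenSocket %s/%s/dev/log\n' "$base" "$u"
    done
    printf '\n# Log internal-sftp in a separate file\n'
    printf ':programname, isequal, "internal-sftp" -/var/log/sftp.log\n'
    printf ':programname, isequal, "internal-sftp" ~\n'
}

# Create BASE/USER/dev for each user; rsyslog places the log socket there
# when the snippet above is installed and rsyslog is restarted.
# Usage: make_chroot_dev BASE USER...
make_chroot_dev() {
    base=$1; shift
    for u in "$@"; do
        mkdir -p "$base/$u/dev" || return 1
    done
}

# Return 0 if DIR is neither group- nor world-writable, 1 otherwise.
# OpenSSH refuses a ChrootDirectory whose path components are writable by
# anyone other than root, so this catches a common misconfiguration early.
# Usage: chroot_perms_ok DIR
chroot_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# Example invocation (assumed paths/users):
#   make_chroot_dev /home alice bob
#   gen_rsyslog_snippet /home alice bob > /etc/rsyslog.d/sshd-chroot.conf
#   chroot_perms_ok /home/alice || echo "fix ownership/mode of /home/alice"
```

After writing the generated snippet, reload rsyslog (invoke-rc.d rsyslog reload on Debian) so the new sockets are created; chroot_perms_ok only inspects mode bits, so root ownership still has to be verified separately.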
Any comments on this solution are very welcome.


Posted by Anonymous (187.152.xx.xx) on Mon 4 May 2009 at 23:22
Hi,

I tried to do it, but I only get the logs from non-chroot users. On the last step I named the file in logrotate.d "ssh". Is that correct?

I'm using Debian 5 and OpenSSH 5.2.

Thanks


Posted by Anonymous (208.247.xx.xx) on Tue 19 May 2009 at 20:03
Tried this with OpenSSH's portable 5.2 compiled on Red Hat EL5 update 3. It doesn't error out, but the extended logging features don't seem to do anything. For example, if chrooting is not enabled, you can use the arguments -f AUTHPRIV -l DEBUG3 to log every single sftp command to /var/log/secure. Doing the same thing with this solution doesn't include the additional logging.


Posted by Anonymous (208.247.xx.xx) on Tue 19 May 2009 at 20:45
I was missing a chrooted /dev/log. I created a dev/ dir in one of the chrooted user's home dirs, and appended '-u /home/someuser/dev/log' to the SYSLOGD start options and restarted syslog. It logs properly now, but because this requires modifying the syslog config & restarting syslog for every new user I will probably abandon this approach.


Posted by Anonymous (208.247.xx.xx) on Tue 19 May 2009 at 20:46
That should be -a, not -u, for the syslogd options.


Posted by Anonymous (193.186.xx.xx) on Wed 21 Apr 2010 at 13:34
Could you explain exactly what you have done? Where did you put the line '-a /home/someuser/dev/log'?
