OpenSSH logging with ChrootDirectory

Posted by niol on Mon 4 May 2009 at 14:01

Finally following up on the previous article on the subject, I found some time to investigate logging what happens in an internal-sftp session using rsyslog.

Making syslog available in the chroot

Simply create a dev directory in each one of the chosen user chroot directories.

# mkdir /home/user/dev

Configuring rsyslog to probe the new logging source

Simply drop the following contents in /etc/rsyslog.d/sshd.conf (the socket path must point at the dev directory inside the chroot, so adjust it to match the directory created above):

# Create an additional socket for some of the sshd chrooted users.
$AddUnixListenSocket /var/fileserv/dev/log

# Log internal-sftp in a separate file
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~
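Since every chrooted user needs a /dev/log socket inside their own chroot, one $AddUnixListenSocket line per chroot is required. The script below, an added example rather than the article's own code, generalizes the two steps above (creating the dev directory and writing the rsyslog snippet) to all members of the sftponly group; it assumes ChrootDirectory /home/%u as in the Match block, and that the chroot itself already exists.

```shell
#!/bin/sh
# Generate /etc/rsyslog.d/sshd.conf for every member of the sftponly group
# and prepare each chroot's dev directory (added example, not the article's).

# Print the chroot directory of each member of a group. Assumes the
# ChrootDirectory /home/%u convention used in the Match block.
sftp_chroots() {
    group="${1:-sftponly}"
    getent group "$group" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d' | sed 's|^|/home/|'
}

# Emit the rsyslog configuration: one listen socket per chroot, then the
# same internal-sftp filter lines as in the article.
gen_rsyslog_conf() {
    printf '# Sockets for the chrooted sftp users (generated)\n'
    for chroot in "$@"; do
        printf '$AddUnixListenSocket %s/dev/log\n' "$chroot"
    done
    printf '\n# Log internal-sftp in a separate file\n'
    printf ':programname, isequal, "internal-sftp" -/var/log/sftp.log\n'
    printf ':programname, isequal, "internal-sftp" ~\n'
}

# Create the dev directory the socket lives in. sshd refuses a
# ChrootDirectory that is not root-owned or is group/world writable,
# so refuse to proceed when that is the case (GNU stat assumed).
prepare_chroot() {
    chroot="$1"
    owner=$(stat -c '%U' "$chroot") || return 1
    perms=$(stat -c '%a' "$chroot")
    [ "$owner" = root ] || { echo "$chroot: not owned by root" >&2; return 1; }
    case "$perms" in
        *[0145][0145]) ;;                     # group and other have no write bit
        *) echo "$chroot: mode $perms is group/world writable" >&2; return 1 ;;
    esac
    mkdir -p "$chroot/dev" && chmod 755 "$chroot/dev"
}

# Usage (as root):
#   for d in $(sftp_chroots); do prepare_chroot "$d"; done
#   gen_rsyslog_conf $(sftp_chroots) > /etc/rsyslog.d/sshd.conf
#   invoke-rc.d rsyslog restart
```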

Configuring openssh for logging

From the previous article, /etc/sshd_config should be changed. The Subsystem sftp line should read:

Subsystem sftp internal-sftp -l VERBOSE

The Match sections should look like the following.

Match group sftponly
         ChrootDirectory /home/%u
         X11Forwarding no
         AllowTcpForwarding no
         ForceCommand internal-sftp -l VERBOSE

Because of a limitation in OpenSSH, the ForceCommand line cannot take logging parameters on versions earlier than 5.2. But omitting the ForceCommand directive implicitly gives the user shell access inside the chrooted directory if they have upload privileges. In my view this is a security risk, which is why I would say that enabling logging in this configuration requires OpenSSH 5.2 or later.

Log rotation for the new log file

Drop the following file in /etc/logrotate.d:

/var/log/sftp.log {
        weekly
        missingok
        rotate 52
        compress
        delaycompress
        postrotate
                invoke-rc.d rsyslog reload > /dev/null
        endscript
}

Any comments on this solution are very welcome.

This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):

This article is copyright 2009 niol - please ask for permission to republish or translate.