bugzilla-daemon at bugzilla.mindrot.org
2008-Sep-23 14:32 UTC
[Bug 1527] New: ForceCommand internal-sftp needs a way to enable logging
https://bugzilla.mindrot.org/show_bug.cgi?id=1527

           Summary: ForceCommand internal-sftp needs a way to enable logging
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Itanium2
        OS/Version: HP-UX
            Status: NEW
          Severity: minor
          Priority: P4
         Component: sftp-server
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: ombugr at mayoxide.com

I'm reporting a problem that I've seen a few times by googling, and there doesn't seem to be a bug report on this yet.

When setting up an SFTP-only server, Damien suggested in the OpenBSD journal to use a combination of ChrootDirectory and ForceCommand like this. I've added the sftp subsystem as well since it's required.

    Subsystem sftp internal-sftp
    ForceCommand internal-sftp
    ChrootDirectory /chroot

The previous settings work well as documented. However, since internal-sftp doesn't do any logging by default, to enable SFTP logging, this could be used in theory:

    Subsystem sftp internal-sftp -l VERBOSE
    ForceCommand internal-sftp
    ChrootDirectory /chroot

That doesn't log anything either, the SFTP connection works but no logging is performed. Just for your information, the jailed /dev/log requirement is met.

Let's try this one:

    Subsystem sftp internal-sftp -l VERBOSE
    ForceCommand internal-sftp -l VERBOSE
    ChrootDirectory /chroot

With these settings, connection is closed immediately by sshd.

Just to illustrate my point, let's run a debug SFTP session with ForceCommand commented out:

    Subsystem sftp internal-sftp -l VERBOSE
    #ForceCommand internal-sftp -l VERBOSE
    ChrootDirectory /chroot

This time SFTP works, logs detailed information as expected in the chrooted /dev/log, and gives me this:

    debug1: subsystem: exec() internal-sftp -l VERBOSE
    debug1: audit run command euid 0 user ftpitst command 'internal-sftp -l VERBOSE'

So far so good. But if I put back ForceCommand in place, it closes the connection immediately and gives me this:

    debug1: subsystem: exec() internal-sftp -l VERBOSE
    debug1: Forced command (config) 'internal-sftp -l VERBOSE'
    debug1: audit run command euid 0 user ftpitst command 'internal-sftp -l VERBOSE'

I'll be glad to provide more information if necessary.

Thanks

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org
2008-Sep-23 17:07 UTC
[Bug 1527] ForceCommand internal-sftp needs a way to enable logging
https://bugzilla.mindrot.org/show_bug.cgi?id=1527

--- Comment #1 from Damien Miller <djm at mindrot.org> 2008-09-24 03:07:14 ---
Created an attachment (id=1569)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1569)
fix forcecommand internal-sftp

This patch fixes the problem, it has already been committed and will be in openssh-5.2.

bugzilla-daemon at bugzilla.mindrot.org
2008-Sep-23 17:07 UTC
[Bug 1527] ForceCommand internal-sftp needs a way to enable logging
https://bugzilla.mindrot.org/show_bug.cgi?id=1527

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
                 CC|                            |djm at mindrot.org

bugzilla-daemon at bugzilla.mindrot.org
2009-Feb-23 02:36 UTC
[Bug 1527] ForceCommand internal-sftp needs a way to enable logging
https://bugzilla.mindrot.org/show_bug.cgi?id=1527

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2009-02-23 13:36:31 ---
Close bugs fixed/reviewed for openssh-5.2 release

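Added example (not part of the bug thread and not OpenSSH code): a small Python check for the logging gap the report describes, where a ForceCommand internal-sftp without -l replaces a Subsystem line that has it, so SFTP transactions go unlogged. The sample config, the Match scopes and the function names are constructed for illustration, and the parser handles only a simplified subset of sshd_config syntax.

```python
import shlex

# Constructed sample config, modelled on the settings quoted in the report.
SAMPLE = """\
Subsystem sftp internal-sftp -l VERBOSE
Match Group sftponly
    ChrootDirectory /chroot
    ForceCommand internal-sftp
Match User auditor
    ForceCommand internal-sftp -l VERBOSE
"""

# sftp-server(8): INFO and VERBOSE log transactions; the default is ERROR.
LOGGING_LEVELS = {"INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"}

def log_level(command):
    """Return the -l value of an sftp command line, or None (simplified scan)."""
    argv = shlex.split(command)
    for flag, value in zip(argv, argv[1:]):
        if flag == "-l":
            return value.upper()
    return None

def effective_sftp_commands(config_text):
    """Map each scope ('global' or a Match line) to the command sshd would run."""
    subsystem, forced, scope = None, {"global": None}, "global"
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, rest = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            scope = "Match " + rest
            forced.setdefault(scope, None)
        elif keyword == "subsystem" and subsystem is None:
            name, *cmd = rest.split(None, 1)
            subsystem = cmd[0] if name == "sftp" and cmd else None
        elif keyword == "forcecommand" and forced[scope] is None:
            forced[scope] = rest  # first value wins, as in sshd_config
    # A forced command replaces the subsystem command, so its arguments decide.
    return {s: cmd or forced["global"] or subsystem for s, cmd in forced.items()}

def scopes_without_logging(config_text):
    """Return scopes whose effective internal-sftp command logs no transactions."""
    return sorted(s for s, cmd in effective_sftp_commands(config_text).items()
                  if cmd and cmd.split()[0] == "internal-sftp"
                  and log_level(cmd) not in LOGGING_LEVELS)

if __name__ == "__main__":
    print(scopes_without_logging(SAMPLE))
```

Per comment #1, passing -l on the ForceCommand line itself depends on the fix that went into openssh-5.2.
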