Good afternoon. I'm new to the list, so apologies in advance if the noob in me comes through too loudly.

From things I've read in the distant past, I have the impression that the OpenSSH project tries to keep new features to a minimum, and there are good security reasons to do this. That said, one feature that I feel would be a good addition to OpenSSH is the ability to send logs via UDP directly to a syslog server. It seems to me that the benefits of this approach include:

1. No need to set up /dev/log in every chroot. This is a huge plus for anyone dealing with a large number of chrooted users or in environments where the underlying filesystem has the "nodevices" flag set (I have both).

2. The logs are sent directly from the application, with no reliance on the syslogd of the host OS. For users that have separation of responsibilities, having logs go directly to a syslog server maintained by a separate group is a plus since it's more difficult to tamper with the logs.

3. The code to add the ability to send the log messages over UDP to a server is relatively trivial and requires only minimal changes to the existing code. That is, it's relatively self-contained.

4. I've written code to do this, but wanted to gauge the reaction of the group before I attempt to submit anything.

I understand if there's no interest in adding this to the existing OpenSSH code base, but thought I should at least pose the question. I'm also interested to hear comments and thoughts about the pros and cons of adding functionality like this.

Regards,
Matt
Matt Warner wrote:
> I've written code to do this, but wanted to gauge the reaction of
> the group before I attempt to submit anything.

I'd suggest submitting it upstream, i.e. OpenSSH in OpenBSD. I for one think there is a point to having it, especially for the chrooted case.

//Peter
On Fri, May 18, 2012 at 05:24:23PM -0700, Matt Warner wrote:
> From things I've read in the distant past, I have the impression that
> the OpenSSH project tries to keep new features to a minimum, and there
> are good security reasons to do this. That said, one feature that I
> feel would be a good addition to OpenSSH is the ability to send logs
> via UDP directly to a syslog server. It seems to me that the benefits
> of this approach include:
>
> 1. No need to set up /dev/log in every chroot. This is a huge plus
> for anyone dealing with a large number of chrooted users or in
> environments where the underlying filesystem has the "nodevices" flag
> set (I have both).

One of the downsides of using UDP is that it's less trustworthy than the local socket, since it's easier to spoof.

Anyway, you could link in an alternative implementation of the syslog functions at build time that do anything you want; you wouldn't need to change the code. Just implement openlog, syslog and closelog (or the _r equivalents, if that's what your platform has), then ./configure --with-libs=-lyoursyslog.

An alternative might be to use the existing code for sending log messages to the monitor (which is not chrooted). Much of the code already exists (it was added in 5.9):

 - djm at cvs.openbsd.org 2011/06/17 21:44:31
   [log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h sshd.c]
   make the pre-auth privsep slave log via a socketpair shared with the
   monitor rather than /var/empty/dev/log; ok dtucker@ deraadt@ markus@

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
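The build-time replacement Darren describes, as an added example that is neither part of this thread nor OpenSSH's own code: a small library defining openlog/syslog/closelog that formats each message as a classic BSD syslog (RFC 3164) line and sends it as a UDP datagram. The collector address, the library name `-ludpsyslog`, and the helpers `udp_syslog_pri` and `udp_syslog_format` are assumptions of this example.

```c
/* Added example, not OpenSSH code: drop-in openlog/syslog/closelog that emit RFC 3164
 * datagrams to a collector instead of /dev/log; link in with --with-libs=-ludpsyslog. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>
#define UDP_SYSLOG_HOST "127.0.0.1"   /* placeholder: address of your syslog collector */
#define UDP_SYSLOG_PORT 514
static int  log_fd = -1, log_facility = LOG_AUTH;   /* LOG_AUTH: OpenSSH's default */
static char log_ident[64] = "sshd";
/* PRI = facility | severity. A priority that already carries a facility keeps it;
 * otherwise the facility passed to openlog() applies, as libc's syslog() does. */
int udp_syslog_pri(int priority, int default_facility) {
    int fac = priority & LOG_FACMASK;
    return (fac ? fac : default_facility) | (priority & LOG_PRIMASK);
}
/* Build "<PRI>Mmm dd hh:mm:ss ident[pid]: msg". Returns bytes written; an oversized
 * message is truncated to the buffer rather than overrunning it. */
int udp_syslog_format(char *buf, size_t len, int pri, const char *ident, long pid,
                      const char *ts, const char *msg) {
    int n = snprintf(buf, len, "<%d>%s %s[%ld]: %s", pri, ts, ident, pid, msg);
    return n < 0 ? 0 : (n >= (int)len ? (int)len - 1 : n);
}

void openlog(const char *ident, int option, int facility) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(UDP_SYSLOG_PORT) };
    (void)option;                     /* pid is always included, as with LOG_PID */
    if (ident) snprintf(log_ident, sizeof log_ident, "%s", ident);
    if (facility) log_facility = facility;
    if (log_fd >= 0) return;          /* socket already set up */
    inet_pton(AF_INET, UDP_SYSLOG_HOST, &sa.sin_addr);
    log_fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (log_fd >= 0) connect(log_fd, (struct sockaddr *)&sa, sizeof sa);
}
void syslog(int priority, const char *fmt, ...) {
    char msg[1024], pkt[1100], ts[32];
    time_t now = time(NULL);
    va_list ap; va_start(ap, fmt); vsnprintf(msg, sizeof msg, fmt, ap); va_end(ap);
    strftime(ts, sizeof ts, "%b %e %H:%M:%S", localtime(&now));
    if (log_fd < 0) openlog(NULL, 0, 0);          /* syslog() without a prior openlog() */
    int n = udp_syslog_format(pkt, sizeof pkt, udp_syslog_pri(priority, log_facility),
                              log_ident, (long)getpid(), ts, msg);
    if (log_fd >= 0) send(log_fd, pkt, (size_t)n, 0);   /* UDP: fire and forget, no ack */
}
void closelog(void) { if (log_fd >= 0) close(log_fd); log_fd = -1; }
```

The spoofing concern Darren raises still applies: the collector sees only a source address, so restrict which hosts it accepts datagrams from, or carry them over an authenticated tunnel between the two groups' systems.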