openssh unix dev - Jun 2008 - ForceCommand internal-sftp causes sftp logging to fail (openssh-5.0p1)

Hi guys,
	I have a server setup with openssh-5.0p1 and use some users as
sftp-only chroot accounts.

	The following configuration yields exactly the result I want:
user is chrooted, logs to syslog, all is good.

#================================================#
Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE

Match User fredwww
   ChrootDirectory %h
   #ForceCommand internal-sftp
#================================================#

	If I un-comment ForceCommand internal-sftp, syslog no longer
logs activity from internal-sftp.

	I have the <CHROOT_DIR>/dev/log setup with my syslog, and as I
said, without ForceCommand it works fine.

	I looked through the source, but am not super c savvy so I could
not see why this would cause a problem, but I think it has to do with
the -f -l arguments not getting through properly to sftp-server.

	I would be happy to provide more information to get this sorted,
let me know what you need or if I am missing something blatant please.

Thank you,

Fred Kilbourn

Larry,
	I tried this:

		ForceCommand internal-sftp -f AUTHPRIV -l VERBOSE

	But when I add either -f or -l flag, the connection is dropped
by the server as soon as I authenticate.

	Should I be quoting the arguments in some way on the
ForceCommand line?  Or is there another way to pass these parameters
along?  Or, is this something that openssh is not handling correctly?

	The following clip from a full debug test session:

debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp
debug1: subsystem: exec() internal-sftp -f AUTHPRIV -l INFO
debug1: Forced command (config) 'internal-sftp -f AUTHPRIV -l INFO'
debug2: fd 3 setting TCP_NODELAY
debug2: fd 9 setting O_NONBLOCK
debug3: fd 9 is O_NONBLOCK
debug2: notify_done: reading
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 2652
debug1: session_exit_message: session 0 channel 0 pid 2652
debug2: channel 0: request exit-status confirm 0
debug1: session_exit_message: release channel 0

Thanks,

Fred Kilbourn
Kilbourn Consulting, LLC
www.kilbournconsulting.com
231-392-3752
fred at fredk.com
> -----Original Message-----
> From: larry.l.becke at marshpm.com [mailto:larry.l.becke at marshpm.com]
> Sent: Wednesday, June 25, 2008 11:08 AM
> To: Fred Kilbourn
> Subject: ForceCommand internal-sftp causes sftp logging to fail
> (openssh-5.0p1)
> 
> 
> #================================================#
> Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE
> 
> Match User fredwww
>    ChrootDirectory %h
>    #ForceCommand internal-sftp -f AUTHPRIV -l VERBOSE
> #================================================#
> 
> Modify the ForceCommand to use the same parameters as the Subsystem
> call....
> 
> You are overriding the Subsystem call with the forcecommand, so you
> must
> add the parms there as well.
> 
> 
> 
> Larry Becke, Sr. Technical Analyst
> MMC Global Technology Infrastructure | Centralized Operations
> 12421 Meredith Drive, MIS2, Urbandale, IA 50398, USA
> +1 515-365-3071 | larry.l.becke at marshpm.com
> www.mmc.com