Fred Kilbourn
2008-Jun-20 00:47 UTC
ForceCommand internal-sftp causes sftp logging to fail (openssh-5.0p1)
Hi guys,

I have a server set up with openssh-5.0p1 and use some users as sftp-only chroot accounts. The following configuration yields exactly the result I want: user is chrooted, logs to syslog, all is good.

#================================================#
Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE

Match User fredwww
ChrootDirectory %h
#ForceCommand internal-sftp
#================================================#

If I un-comment ForceCommand internal-sftp, syslog no longer logs activity from internal-sftp. I have the <CHROOT_DIR>/dev/log set up with my syslog, and as I said, without ForceCommand it works fine.

I looked through the source, but am not super C savvy so I could not see why this would cause a problem, but I think it has to do with the -f -l arguments not getting through properly to sftp-server.

I would be happy to provide more information to get this sorted, let me know what you need or if I am missing something blatant please.

Thank you,
Fred Kilbourn
Fred Kilbourn
2008-Jun-27 03:27 UTC
ForceCommand internal-sftp causes sftp logging to fail (openssh-5.0p1)
Larry,

I tried this:

ForceCommand internal-sftp -f AUTHPRIV -l VERBOSE

But when I add either -f or -l flag, the connection is dropped by the server as soon as I authenticate. Should I be quoting the arguments in some way on the ForceCommand line? Or is there another way to pass these parameters along? Or, is this something that openssh is not handling correctly?

The following clip is from a full debug test session:

debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp
debug1: subsystem: exec() internal-sftp -f AUTHPRIV -l INFO
debug1: Forced command (config) 'internal-sftp -f AUTHPRIV -l INFO'
debug2: fd 3 setting TCP_NODELAY
debug2: fd 9 setting O_NONBLOCK
debug3: fd 9 is O_NONBLOCK
debug2: notify_done: reading
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 2652
debug1: session_exit_message: session 0 channel 0 pid 2652
debug2: channel 0: request exit-status confirm 0
debug1: session_exit_message: release channel 0

Thanks,
Fred Kilbourn
Kilbourn Consulting, LLC
www.kilbournconsulting.com
231-392-3752
fred at fredk.com

> -----Original Message-----
> From: larry.l.becke at marshpm.com [mailto:larry.l.becke at marshpm.com]
> Sent: Wednesday, June 25, 2008 11:08 AM
> To: Fred Kilbourn
> Subject: ForceCommand internal-sftp causes sftp logging to fail
> (openssh-5.0p1)
>
>
> #================================================#
> Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE
>
> Match User fredwww
> ChrootDirectory %h
> #ForceCommand internal-sftp -f AUTHPRIV -l VERBOSE
> #================================================#
>
> Modify the ForceCommand to use the same parameters as the Subsystem
> call....
>
> You are overriding the Subsystem call with the forcecommand, so you
> must add the parms there as well.
>
>
>
> Larry Becke, Sr. Technical Analyst
> MMC Global Technology Infrastructure | Centralized Operations
> 12421 Meredith Drive, MIS2, Urbandale, IA 50398, USA
> +1 515-365-3071 | larry.l.becke at marshpm.com
> www.mmc.com
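As an added example (not from this thread and not OpenSSH code), a small Python linter for the mismatch Fred's first post and Larry's reply describe: it reports any Match block whose ForceCommand internal-sftp omits the -f/-l logging flags that the global Subsystem line sets, which is how sftp activity silently drops out of syslog. All function names are my own assumptions, and the sample config is constructed from the thread.

```python
"""Lint sshd_config text for Match blocks whose 'ForceCommand internal-sftp' drops the
-f/-l logging flags set on the global 'Subsystem sftp internal-sftp' line.
Added example; names are assumptions, not OpenSSH code."""
import shlex

def parse_sshd_config(text):
    """(global_opts, matches): (keyword, value) pairs in file order, keywords lower-cased."""
    global_opts, matches, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip comments and blank lines
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":  # every later option belongs to this Match block
            current = (val, [])
            matches.append(current)
        elif current is None:
            global_opts.append((key, val))
        else:
            current[1].append((key, val))
    return global_opts, matches

def log_flags(argv):
    """Map the -f/-l options of an internal-sftp argument list to their values."""
    return {t: argv[i + 1] for i, t in enumerate(argv[:-1]) if t in ("-f", "-l")}

def find_logging_gaps(text):
    """One finding per Match block whose forced internal-sftp lacks a logging
    flag that the Subsystem line carries (the override Larry's reply describes)."""
    global_opts, matches = parse_sshd_config(text)
    wanted = {}
    for key, val in global_opts:
        argv = shlex.split(val)
        if key == "subsystem" and argv[:2] == ["sftp", "internal-sftp"]:
            wanted = log_flags(argv[2:])
    findings = []
    for criteria, opts in matches:
        for key, val in opts:
            argv = shlex.split(val)
            if key == "forcecommand" and argv[:1] == ["internal-sftp"]:
                missing = sorted(set(wanted) - set(log_flags(argv[1:])))
                if missing:
                    findings.append("Match %s: ForceCommand internal-sftp drops %s" % (criteria, " ".join(missing)))
    return findings

# Constructed sample: the thread's configuration with ForceCommand un-commented.
SAMPLE_CONFIG = ("Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE\n"
                 "Match User fredwww\n    ChrootDirectory %h\n    ForceCommand internal-sftp\n")
```

This only inspects the configuration text; whether a given sshd build accepts arguments on ForceCommand at all is a separate question, which Fred's second post shows has to be tested against the server itself.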