Are there plans to expand the logging capabilities in OpenSSH, so that
the details of what files were moved using sftp are included? If not,
does anyone know of a good way to capture this information?

Thanks in advance,

- Sue

Susan K. Diller
UNIX Systems Administration
PAETEC Communications, Inc.
600 WillowBrook Office Park
Fairport, New York 14450
(585) 413-2320 * susan.diller at paetec.com

On Fri, 16 Apr 2010, Diller, Susan (Sue) wrote:

> Are there plans to expand the logging capabilities in OpenSSH, so that
> the details of what files were moved using sftp are included? If not,
> does anyone know of a good way to capture this information?

sftp-server has supported this for a while. Try specifying:

    Subsystem sftp /usr/libexec/sftp-server -l VERBOSE

in sshd_config (you might need a different path to sftp-server).

-d

Lars - 5.5 does not seem to be available, yet. I am running OpenSSH_5.4p1.

Damien - The xferlog was from an ftp session. I was just using it to show that ftp can tell me the file which was transferred. I moved the sftp log under the chroot /dev area. It still logs everything, except the file name.

I understand that the filename and directory information will be coming across the network encrypted. But, there must be a way the server can figure out what file was transferred. It knows the PID of the connecting process.

Does the logfile need to be writable by the accounts doing the transfers?

- Sue

-----Original Message-----
From: Lars Nooden [mailto:lars.curator at gmail.com]
Sent: Wednesday, April 21, 2010 4:48 AM
To: Damien Miller
Cc: Diller, Susan (Sue); openssh-unix-dev at mindrot.org
Subject: RE: logging details

On Wed, 21 Apr 2010, Damien Miller wrote:

> Also, if you are using ChrootDirectory, you might need to arrange
> syslog to listen inside your chroot at (relative) /dev/log

That burden seems to have been removed starting with OpenSSH 5.5, and the following does logging with the specified log level and facility code without needing a socket in the chroot:

    ChrootDirectory /altroot/foo/
    Subsystem sftp internal-sftp -f LOCAL0 -l VERBOSE
    ForceCommand internal-sftp

/Lars

I am back to my original question. Are there plans to improve the logging so that it reports which file was transferred? I can get lots of information in the log, but not what I need.

- Sue

Susan K. Diller
UNIX Systems Administration
PAETEC Communications, Inc.
600 WillowBrook Office Park
Fairport, New York 14450
(585) 413-2320 * susan.diller at paetec.com

On Fri, 23 Apr 2010, Diller, Susan (Sue) wrote:

> ... Are there plans to improve the logging so that it reports which
> file was transferred ? I can get lots of information in the log, but
> not what I need.

Currently, looking at OpenSSH_5.5, OpenSSL 0.9.8k from 25 Mar 2009, setting the log level to VERBOSE will show the file transferred. Here is one way to get that level of detail:

    Subsystem sftp internal-sftp -f LOCAL0 -l VERBOSE

The ForceCommand directive must also have log facility and log level set explicitly if it is used:

    ForceCommand internal-sftp -f LOCAL0 -l VERBOSE

Regards
/Lars

Apr 24 16:22:00 yeeloong sshd[11426]: Accepted password for foobar from foo.example.org port 45334 ssh2
Apr 24 16:22:00 yeeloong sshd[12866]: subsystem request for sftp
Apr 24 16:22:00 yeeloong internal-sftp[19013]: session opened for local user foobar from [foo.example.org]
Apr 24 16:22:00 yeeloong internal-sftp[19013]: received client version 3
Apr 24 16:22:00 yeeloong internal-sftp[19013]: realpath "."
Apr 24 16:22:02 yeeloong internal-sftp[19013]: lstat name "/home/foobar/xx"
Apr 24 16:22:02 yeeloong internal-sftp[19013]: stat name "/home/foobar/xx"
Apr 24 16:22:02 yeeloong internal-sftp[19013]: open "/home/foobar/xx" flags READ mode 0666
Apr 24 16:22:02 yeeloong internal-sftp[19013]: close "/home/foobar/xx" bytes read 30 written 0
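
Added example, not part of the original thread and not OpenSSH code: a Python sketch that turns VERBOSE sftp log lines like the ones above into one xferlog-style record per file, attributing each "close" line to the user and client of the session with the same PID. The function name, the second sample session and the "sftp-server" process tag are assumptions.

```python
import re

# syslog prefix + process tag; "sftp-server" is assumed for the external binary
LINE = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ (?:internal-sftp|sftp-server)\[(\d+)\]: (.*)$')
OPENED = re.compile(r'^session opened for local user (\S+) from \[(.*)\]$')
# Greedy path match so a quote inside a file name does not end the path early
CLOSED = re.compile(r'^close "(.*)" bytes read (\d+) written (\d+)$')

def transfers(lines):
    """Return one record per closed file handle, attributed by sftp PID."""
    sessions, records = {}, []
    for raw in lines:
        m = LINE.match(raw.rstrip("\n"))
        if not m:
            continue                      # sshd and other daemons' lines
        when, pid, msg = m.groups()
        s = OPENED.match(msg)
        if s:
            sessions[pid] = s.groups()    # replaces stale state on PID reuse
            continue
        c = CLOSED.match(msg)
        if c:
            user, client = sessions.get(pid, ("?", "?"))
            rd, wr = int(c.group(2)), int(c.group(3))
            records.append({
                "time": when, "user": user, "client": client,
                "path": c.group(1), "bytes_read": rd, "bytes_written": wr,
                # the server reads a file to send it, writes one to receive it
                "direction": "upload" if wr else "download" if rd else "none",
            })
    return records

# First session: lines from the log above. Second session: constructed.
SAMPLE = """\
Apr 24 16:22:00 yeeloong sshd[11426]: Accepted password for foobar from foo.example.org port 45334 ssh2
Apr 24 16:22:00 yeeloong internal-sftp[19013]: session opened for local user foobar from [foo.example.org]
Apr 24 16:22:02 yeeloong internal-sftp[19013]: open "/home/foobar/xx" flags READ mode 0666
Apr 24 16:22:02 yeeloong internal-sftp[19013]: close "/home/foobar/xx" bytes read 30 written 0
Apr 24 16:30:10 yeeloong internal-sftp[19020]: session opened for local user alice from [192.0.2.10]
Apr 24 16:30:11 yeeloong internal-sftp[19020]: open "/home/alice/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Apr 24 16:30:12 yeeloong internal-sftp[19020]: close "/home/alice/report.csv" bytes read 0 written 2048
""".splitlines()

if __name__ == "__main__":
    for r in transfers(SAMPLE):
        print("{time} {user}@{client} {direction} {path} "
              "read={bytes_read} written={bytes_written}".format(**r))
```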