JPP
2010-Jul-10 18:07 UTC
internal-sftp and logging not working with Fedora and chroot using 5.5?
Hope y'all can help! Been reading and reading, and adjusting... to no avail. We need to have chroot'd SFTP activities logged on a file server and for whatever reason, I simply cannot get it to log with users that are chroot'd (this is necessary for auditing and HIPAA - so it is pretty important). I have tried with Fedora 11/12 and even an older Fedora 8 server, the same results:

1. We can log ALL activities for users on SFTP when **not** chroot'd
2. As soon as I re-enable chroot'd settings in sshd_config, those users are only logged as far as login is concerned, nothing else. And that goes to the /var/log/secure log and NOT /var/log/messages as it does when they are not chroot'd

We are using OpenSSH Portable 5.5p1 freshly compiled. And various Fedora versions from 8, to 11 and 12. Using syslog and rsyslog.

Pertinent sshd_config settings:

    # tried with both lower case and upper case, same (should not matter)
    Subsystem sftp internal-sftp -f AUTH -l VERBOSE

    # Example of overriding settings on a per-user basis
    Match Group sftponly
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp -f AUTH -l VERBOSE

####
From /etc/rsyslog.conf:

    *.info;mail.none;authpriv.none;cron.none;auth.*    /var/log/messages

#####

Any suggestions would be helpful and VERY appreciated. Nothing I have touched has changed the way it's logging - without chroot logging is perfect, with chroot, logging stops. Have not tried the use of logging sockets - BUT from what I have read, these should not be necessary with the newer OpenSSH 5.x versions and this is the newest one, so did not want to head down that trail (yet).

Thank you in Advance...

JPP

--
FRWS WebMail (http://www.frws.com)
Cause you deserve Spam and Virus free email...
Peter Stuge
2010-Jul-10 21:22 UTC
internal-sftp and logging not working with Fedora and chroot using 5.5?
JPP wrote:
> I simply cannot get it to log with users that are chroot'd

--8<-- sshd_config
ChrootDirectory
  ..
  The ChrootDirectory must contain the necessary files and directories to support the user's session. For an interactive session this requires at least a shell, typically sh(1), and basic /dev nodes such as null(4), zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices. For file transfer sessions using 'sftp', no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details).
-->8--

//Peter
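The rsyslog side of Peter's pointer, as an added example that is not part of either post: the in-process sftp-server calls syslog(3), which writes to /dev/log, and inside a ChrootDirectory that socket does not exist, so the messages are silently lost. This helper emits the legacy rsyslog.conf imuxsock directives that make rsyslog listen on an extra socket inside each chroot, and a check function that reports whether a chroot already has one. The chroot paths (/home/alice, /home/bob) are constructed for illustration; the rsyslog directives themselves are real imuxsock syntax.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes rsyslog with the imuxsock
# module (the Fedora setup described above) and ChrootDirectory %h.

# Print rsyslog.conf lines (legacy directive syntax) that add one extra
# listener socket per chroot, so syslog() inside the chroot reaches rsyslog.
# Usage: chroot_log_conf /home/alice /home/bob >> /etc/rsyslog.conf
chroot_log_conf() {
    printf '$ModLoad imuxsock\n'
    for d in "$@"; do
        printf '$AddUnixListenSocket %s/dev/log\n' "$d"
    done
}

# Audit helper: does the chroot have a /dev/log socket for sftp-server?
# Returns 0 if <chroot>/dev/log is a socket, 1 if <chroot>/dev exists but
# the socket is missing, 2 if <chroot>/dev does not exist at all.
chroot_has_syslog() {
    dir=$1
    [ -d "$dir/dev" ] || return 2
    [ -S "$dir/dev/log" ] || return 1
    return 0
}

# Walk every chroot given and print its status; a missing socket means
# the chrooted user's sftp-server log lines (-l VERBOSE) are being dropped.
audit_chroots() {
    for d in "$@"; do
        if chroot_has_syslog "$d"; then
            echo "$d: ok (/dev/log socket present)"
        else
            echo "$d: NO syslog socket - sftp activity inside this chroot is not logged"
        fi
    done
}
```

After appending the generated directives and restarting rsyslog, `ls -l <chroot>/dev/log` should show an `s` type socket (rsyslog creates the path), and a chrooted sftp login should then produce the same VERBOSE lines as a non-chrooted one.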