> On 05/09/2016 06:10 PM, John wrote:
>> I'd like to have sshd write entries into the systemd journal logging
>> sftp transfers. From googling, it seems that one needs to edit
>> /etc/ssh/sshd_config adding this line:
>>
>> Subsystem sftp /usr/lib/ssh/sftp-server -f AUTH -l VERBOSE
>>
>> I can transfer files via filezilla (sftp) but I don't get anything in
>> `journalctl -u sshd` that shows these transfers, just a few lines showing I
>> connected. What am I doing wrong? I am using version 7.2p2 on Arch Linux.
>> Thanks in advance!
>
> These logs are logged under a different "user" than sshd. It should be
> logged under the "sftp-server" process name. It certainly works on
> Fedora/RHEL, unless:
>
> * you are in chroot -- this requires a bit different approach
> * your user is blocked from opening or writing to /dev/log or however
>   syslog is configured to accept logs
>
> Note that using the above settings logs under the user logging in and not
> under root, so you need appropriate access.

Thank you for the reply. Indeed, I see entries for the entries in my journalctl output under 'sftp-server' if I transfer a file from a normal user on my system. I also set up a chroot jail but as you mentioned, no logs are written for these. What is the different approach I need to use? To help, here is the relevant section of my sshd_config:

Match group sshusers
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
    ForceCommand internal-sftp

On 05/10/2016 12:57 PM, John wrote:
> Thank you for the reply. Indeed, I see entries for the entries in my journalctl output under 'sftp-server' if I transfer a file from a normal user on my system. I also set up a chroot jail but as you mentioned, no logs are written for these. What is the different approach I need to use?

There are two possibilities. Either you set up a logging socket in chroot and set up syslog/journal to receive messages from it, or there is some possibility to log over the socket opened by the parent (before going into chroot), which is a bit hacky solution (and not upstream for some reason). We have got the patch in our git [1], but there will probably be some bug in upstream bugzilla.

[1] http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.6.1p1-log-in-chroot.patch

Regards,
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
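
One way to do the first option (a logging socket inside the chroot), as an added example that is not part of the thread or of OpenSSH. It prints the Match block with the logging flags moved onto ForceCommand, since a forced internal-sftp does not read the flags on the Subsystem line, and prepares <chroot>/dev/log for either a journald bind mount or an rsyslog imuxsock listener. The function names, the journald socket path and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): syslog access for chrooted internal-sftp.
# Function names and the sample paths in the usage line are hypothetical.

# Assumption: journald's syslog socket lives here (the usual systemd location).
JOURNAL_SOCK=/run/systemd/journal/dev-log

# sshd_config Match block from the thread, with the logging flags moved onto
# ForceCommand: a forced internal-sftp takes its arguments from this line,
# not from the Subsystem line.
sshd_match_block() {
    cat <<EOF
Match group $1
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
    ForceCommand internal-sftp -f AUTH -l VERBOSE
EOF
}

# journald route: create <chroot>/dev/log as a bind-mount target and print the
# fstab entry that exposes the host socket there. Mounting itself needs root.
prepare_chroot_log() {
    [ -d "$1" ] || { echo "no such chroot: $1" >&2; return 1; }
    mkdir -p "$1/dev" && chmod 755 "$1/dev" || return 1
    [ -e "$1/dev/log" ] || : > "$1/dev/log" || return 1
    printf '%s %s none bind 0 0\n' "$JOURNAL_SOCK" "$1/dev/log"
}

# rsyslog route: rsyslog creates the socket itself, so only <chroot>/dev must
# exist; print the imuxsock input line for its configuration.
rsyslog_input() {
    printf 'input(type="imuxsock" Socket="%s/dev/log")\n' "$1"
}

# Usage: sh chroot-log.sh /home/alice sshusers
if [ "$#" -eq 2 ]; then
    prepare_chroot_log "$1" && sshd_match_block "$2"
fi
```

After mounting and reloading sshd, the chrooted session's entries can be checked with `journalctl SYSLOG_FACILITY=10` (facility 10 is authpriv, which is where `-f AUTH` logs on Linux).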

> There are two possibilities. Either you set up a logging socket in chroot
> and set up syslog/journal to receive messages from it, or there is some
> possibility to log over the socket opened by the parent (before going
> into chroot), which is a bit hacky solution (and not upstream for some
> reason). We have got the patch in our git [1], but there will probably
> be some bug in upstream bugzilla.
>
> [1]
> http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.6.1p1-log-in-chroot.patch
>
> Regards,

Thanks for the reply, Jakub. The patch you pointed me to does not apply to the current release of openssh unfortunately (v7.2p2). Do you have a more contemporary version of the patch I can try? I can google around for a logging socket... I assume this can be implemented without the patch you referenced and on the current version 7.2p2?