I have a somewhat busy sftp server where the users are all chrooted into their home directory. In order to log all the commands they enter, I have to create a /dev/log entry and hard link in their home directory so that syslog works for their commands:

    Match user *
        ForceCommand internal-sftp -f local1 -l verbose

Everything works, but it's a bit of a pain if someone restarts syslogd and forgets to recreate the hard links (needed on FreeBSD anyways).

Are there any alternatives to this method? Are there any patches or thoughts for supplementary logging of some sort of sshd that can work around these logging constraints?

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
Mike Tancsa wrote:
> Are there any alternatives to this method? Are there any patches or
> thoughts for supplementary logging of some sort of sshd that can work
> around these logging constraints?

openlog() doesn't return an fd, but keeps the syslog connection internal.

You could rewrite do_log() to not use openlog() but access /dev/syslog directly, then sshd could pass the fd to child processes. It wouldn't scale beyond OpenSSH though - i.e. only for sftp, not for external subsystems.

But maybe you can achieve a nicer shortcut for the internal-sftp case!

//Peter
Hi Mike,

Mike Tancsa wrote on Mon, Jul 24, 2017 at 11:55:54AM -0400:
> I have a somewhat busy sftp server where the users are all
> chrooted into their home directory. In order to log all the
> commands they enter, I have to create a /dev/log entry and
> hard link in their home directory so that syslog works

Use OpenBSD.

The standard syslog(3) function is implemented in terms of the sendsyslog(2) system call, such that logging just always works in any environment and you never need logging sockets. That solution was specifically designed to solve your problem.

  http://man.openbsd.org/sendsyslog.2

Yours,
  Ingo
On Mon, 24 Jul 2017, Mike Tancsa wrote:

> I have a somewhat busy sftp server where the users are all chrooted into
> their home directory. In order to log all the commands they enter, I
> have to create a /dev/log entry and hard link in their home directory so
> that syslog works for their commands
>
> Match user *
>     ForceCommand internal-sftp -f local1 -l verbose
>
> Everything works, but it's a bit of a pain if someone restarts syslogd
> and forgets to recreate the hard links (needed on FreeBSD anyways).

Is it not possible to arrange FreeBSD's syslog to listen on multiple sockets by default?

-d
On Mon, 24 Jul 2017, Peter Stuge wrote:

> Mike Tancsa wrote:
> > Are there any alternatives to this method? Are there any patches or
> > thoughts for supplementary logging of some sort of sshd that can work
> > around these logging constraints?
>
> openlog() doesn't return an fd, but keeps the syslog connection internal.
>
> You could rewrite do_log() to not use openlog() but access /dev/syslog
> directly, then sshd could pass the fd to child processes. It wouldn't
> scale beyond OpenSSH though - i.e. only for sftp, not for external
> subsystems.

There's a patch on bugzilla to make the post-auth sshd monitor handle logging as it does during the pre-auth phase. I'm undecided about it so far.

I wish other operating systems would copy OpenBSD's sendsyslog() - it makes life considerably simpler for privilege-separated and sandboxed applications.

On Linux you could probably do it with a well-known Unix domain syslog listener in the abstract socket namespace, e.g. "@syslog".

-d
On Mon, Jul 24, 2017 at 11:55 AM, Mike Tancsa <mike at sentex.net> wrote:
> I have a somewhat busy sftp server where the users are all chrooted into
> their home directory. In order to log all the commands they enter, I
> have to create a /dev/log entry and hard link in their home directory so
> that syslog works for their commands
>
> Match user *
>     ForceCommand internal-sftp -f local1 -l verbose
>
> Everything works, but it's a bit of a pain if someone restarts syslogd
> and forgets to recreate the hard links (needed on FreeBSD anyways).
>
> Are there any alternatives to this method? Are there any patches or
> thoughts for supplementary logging of some sort of sshd that can work
> around these logging constraints?
>
> ---Mike

Why are the targets of the hardlinks evaporating on rebooting? Is that a FreeBSD'ism?
On 7/24/2017 5:58 PM, Ingo Schwarze wrote:
>
> Use OpenBSD. The standard syslog(3) function is implemented

Thanks, but a number of FreeBSD features make that prohibitive for this particular project for us.

---Mike
On 7/24/2017 8:21 PM, Damien Miller wrote:
>
> Is it not possible to arrange FreeBSD's syslog to listen on multiple
> sockets by default?

It is, but not sure which is worse. A few thousand sockets or a few thousand hard links?

---Mike
On 7/24/2017 8:39 PM, Nico Kadel-Garcia wrote:
>
> Why are the targets of the hardlinks evaporating on rebooting? Is that
> a FreeBSD'ism?

It's when syslogd stops/starts. The hardlinks need to be recreated for some reason.

---Mike
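As an added illustration of the two approaches discussed in this thread (Mike's per-chroot hard links, which go stale when syslogd unlinks and re-creates its socket, and Damien's suggestion of extra syslogd sockets), not code from any poster: a POSIX sh helper that refreshes the dev/log hard link in every chroot after a syslogd restart, and one that builds the matching `-l` arguments for syslogd. It assumes the chroot homes are subdirectories of one parent, that the live socket is /var/run/log on the same filesystem (hard links cannot cross filesystems), and that syslogd accepts `-l path` for additional listening sockets, as FreeBSD's does; the rc.conf wiring is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Keep per-chroot syslog access working.
#
# Hard-link approach: a syslogd restart unlinks and re-creates its socket, so
# every chroot's dev/log still points at the dead inode. Compare inodes with
# -ef and relink only the stale ones.
#   relink_chroot_log /var/run/log /home   -> prints the number of links refreshed
relink_chroot_log() {
    sock=$1; root=$2; n=0
    # Real input is syslogd's Unix socket; the test uses a regular file stand-in.
    [ -e "$sock" ] || { echo "missing syslog socket: $sock" >&2; return 1; }
    for home in "$root"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        mkdir -p "$home/dev"
        # -ef: same device and inode, i.e. the link still reaches the live socket
        if [ ! "$home/dev/log" -ef "$sock" ]; then
            rm -f "$home/dev/log"
            ln "$sock" "$home/dev/log" && n=$((n + 1))
        fi
    done
    echo "$n"
}

# Socket approach: let syslogd create a listener inside each chroot itself.
# Emits the "-l path" list for syslogd_flags in /etc/rc.conf (assumed FreeBSD
# syslogd syntax). Survives restarts, at the cost of one socket per user.
#   syslogd_socket_flags /home  -> "-l /home/alice/dev/log -l /home/bob/dev/log"
syslogd_socket_flags() {
    root=$1; flags=""
    for home in "$root"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        flags="$flags${flags:+ }-l $home/dev/log"
    done
    printf '%s\n' "$flags"
}
```

Run relink_chroot_log from whatever restarts syslogd so the links are never left stale; with the -l list the relink step is unnecessary, since syslogd owns each chroot socket.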