Jochen Bern
2021-Sep-29 10:46 UTC
Aw: Re: Howto log multiple sftpd instances with their chroot shared via NFS
On 29.09.21 11:18, Hildegard Meier wrote:
> Jochen, are you sure that you see the real sftp user session detailed activity log, e.g.
>
> internal-sftp[27918]: session opened for local user <username> from [1.2.3.4]
> internal-sftp[27918]: open "/in/file.dat" flags WRITE,CREATE,TRUNCATE mode 0666
>
> etc. and not just the sshd auth log, e.g.
>
> sftpd[4772]: Accepted publickey for <username> from 1.2.3.4 port 45504 ssh2

Considering that I'm the one who gets to debug both customers' connectivity *and* concurrent-file-operations problems, I'm *quite* sure of that. :-)

> sshd[27049]: Accepted publickey for [REDACTED] from [REDACTED] port 54343 ssh2: RSA SHA256:[REDACTED]
> sshd[27049]: pam_unix(sshd:session): session opened for user [REDACTED] by (uid=0)
> sshd[27049]: session opened for local user [REDACTED] from [REDACTED] [postauth]
> sshd[27049]: sent status No such file [postauth]
> sshd[27049]: sent status No such file [postauth]
> sshd[27049]: open "[REDACTED]" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
> sshd[27049]: close "[REDACTED]" bytes read 0 written 5870358 [postauth]
> sshd[27049]: session closed for local user [REDACTED] from [REDACTED] [postauth]
> sshd[27049]: pam_unix(sshd:session): session closed for user [REDACTED]

- all from today's /var/log/messages.

> I wonder if it would be a bug or a feature if you can manage to get sftp
> session logging without /dev/log in the sftp user's chroot dir?

I'm in the dark whether that behavior is *intended* (and if so, by whom exactly), hence my reluctance to openly recommend my setup to others ...

> What CentOS and OpenSSH version do you have exactly?

Current CentOS 7 with its genuine OpenSSH package (openssh-7.4p1-21.el7.x86_64).

> Do you have special starting options?

Various hardened settings, but the only ones I'd *expect* to affect *logging* in *any* way would be:

> SyslogFacility AUTHPRIV
> UsePAM yes # That's why there's messages from PAM in the log above
> UsePrivilegeSeparation sandbox
> Subsystem sftp internal-sftp
> Match group mandanten
> PermitTTY no
> ForceCommand internal-sftp -l INFO -u 0077

>> If a newly-started syslogd on server A does
>> indeed REMOVE AND RECREATE the /dev/log sockets,
>
> If /dev dir under sftp user's chroot dir exists but there is no "log" file in it, it gets created by syslog-ng.
> It is never removed afterwards.

If a .../dev/log is created within the .../dev/ directory *on the NFS share*, and never removed, that means that all the .../dev/log's there were created *ONCE* by whichever syslogd got restarted *first* after the user was created, correct? But still only the syslogd restarted *last*, no matter whether on the same server or the other, gets that user's log messages?

I'm getting a murder mystery vibe here ...

Regards,
-- 
Jochen Bern
Systemingenieur
Binect GmbH
Hildegard Meier
2021-Sep-29 11:27 UTC
Aw: Re: Re: Howto log multiple sftpd instances with their chroot shared via NFS
Thanks Jochen,

> > sshd[27049]: Accepted publickey for [REDACTED] from [REDACTED] port 54343 ssh2: RSA SHA256:[REDACTED]
> > sshd[27049]: pam_unix(sshd:session): session opened for user [REDACTED] by (uid=0)
> > sshd[27049]: session opened for local user [REDACTED] from [REDACTED] [postauth]
> > sshd[27049]: sent status No such file [postauth]
> > sshd[27049]: sent status No such file [postauth]
> > sshd[27049]: open "[REDACTED]" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
> > sshd[27049]: close "[REDACTED]" bytes read 0 written 5870358 [postauth]
> > sshd[27049]: session closed for local user [REDACTED] from [REDACTED] [postauth]
> > sshd[27049]: pam_unix(sshd:session): session closed for user [REDACTED]

Do all sftp log messages from today have the prefix sshd[27049]? No other PIDs logged? I guess PID 27049 is the PID of the main sftpd (sshd) process?

> > SyslogFacility AUTHPRIV
> > UsePAM yes # That's why there's messages from PAM in the log above
> > UsePrivilegeSeparation sandbox
> > Subsystem sftp internal-sftp
> > Match group mandanten
> > PermitTTY no
> > ForceCommand internal-sftp -l INFO -u 0077
>

Sorry for this question, but just to be sure, because you neither posted this here nor in your other post https://lists.mindrot.org/pipermail/openssh-unix-dev/2021-September/039673.html where you post the output of "egrep '^[^#]*( mand|sftp)' /etc/ssh/sshd_config": you have "ChrootDirectory" set in sshd_config, right? E.g. I have set

ChrootDirectory %h

> If a .../dev/log is created within the .../dev/ directory *on the NFS
> share*, and never removed, that means that all the .../dev/log's there
> were created *ONCE* by whichever syslogd got restarted *first* after
> the user was created, correct? But still only the syslogd restarted
> *last*, no matter whether on the same server or the other, gets that
> user's log messages?

That's correct.
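The "only the syslogd restarted last gets the messages" behaviour that Jochen asks about and Hildegard confirms is the ordinary semantics of a unix datagram socket path such as `<chroot>/dev/log`. The following is an added example, not code from the thread or from OpenSSH or syslog-ng: it stands in two syslogd-like listeners that bind the same `dev/log` path in turn (the second one unlinking and rebinding, as a syslog daemon does on startup), then has an internal-sftp-like sender log once. The chroot directory, the PID and the log line are constructed; the function names are the example's own.

```python
# Added example (not from the thread): models how a unix datagram socket such
# as <chroot>/dev/log behaves when a second listener takes over the same path.
import os
import socket
import tempfile

# Constructed sample line in the format internal-sftp emits at "-l INFO".
SAMPLE_MESSAGE = b'<86>internal-sftp[27918]: open "/in/file.dat" flags WRITE,CREATE,TRUNCATE mode 0666'


def bind_log_socket(path):
    """What a syslog daemon does for a unix-dgram source on startup: drop any
    stale socket file at the path, bind a fresh datagram socket, and make it
    world-writable so unprivileged chrooted processes can log to it."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    listener.bind(path)
    os.chmod(path, 0o666)
    listener.settimeout(0.5)  # a listener that receives nothing must not block forever
    return listener


def send_log_message(path, message):
    """What a chrooted internal-sftp does via syslog(3): resolve <chroot>/dev/log
    and send one datagram. syslog(3) reports no error if nobody is listening."""
    sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sender.sendto(message, path)
    finally:
        sender.close()


def try_receive(listener):
    """Return the datagram a listener got, or None if nothing arrived before the timeout."""
    try:
        return listener.recv(4096)
    except socket.timeout:
        return None


def demo():
    """Two listeners bind the same <chroot>/dev/log in turn, then the sender logs once.
    Returns (what the first listener received, what the second listener received)."""
    with tempfile.TemporaryDirectory() as chroot:  # constructed stand-in for the user's chroot
        os.mkdir(os.path.join(chroot, "dev"))
        log_path = os.path.join(chroot, "dev", "log")

        first = bind_log_socket(log_path)   # the syslogd that was restarted first
        second = bind_log_socket(log_path)  # the syslogd restarted last: unlinks and rebinds the path

        # The path now resolves to the second listener's socket inode only; the
        # first listener is still bound, but to an inode nothing can look up any more.
        send_log_message(log_path, SAMPLE_MESSAGE)
        result = (try_receive(first), try_receive(second))

        first.close()
        second.close()
        return result


if __name__ == "__main__":
    got_first, got_second = demo()
    print("first listener got: ", got_first)   # None
    print("second listener got:", got_second)  # the sample line
```

Running it shows the first listener receiving nothing and the second receiving the line. Two points carry over to the NFS setup in the thread: a bound AF_UNIX socket is reachable only through the kernel that holds the binding, so the socket file both servers see on the share is just an inode, and a chrooted internal-sftp on a host whose syslogd is not the current holder of that inode gets nothing delivered; and because syslog(3) never reports that failure, the session activity log (the `open`/`close` lines above) is lost silently rather than loudly, which is the detection gap worth checking for on every host that serves such chroots.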