Peter Stuge
2021-Sep-30 02:40 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
Small clarification:

Hildegard Meier wrote:
> ps auxww |grep sftp
> root      4192  0.0  0.1  72304  6512 ?        Ss   11:01   0:00 /usr/sbin/sftpd -D -f /etc/sftpd/sftpd_config
> root      4590  0.2  0.1  74736  6632 ?        Ss   11:05   0:00 sftpd: sftp_nagios [priv]
> sftp_na+  4592  0.0  0.0  74736  3432 ?        S    11:05   0:00 sftpd: sftp_nagios at notty
> sftp_na+  4593  0.0  0.0  74736  3108 ?        Ss   11:05   0:00 sftpd: sftp_nagios at internal-sftp

4192 /usr/sbin/sftpd is likely unrelated to OpenSSH.
I guess that this is a TLS FTP server.
Try ps fax to see process relationships.

The "sftpd:" prefix for the sshd processes may be related to SELinux;
nothing in OpenSSH is called sftpd, except the "sftpd_t" SELinux context.

//Peter
Jim Knoble
2021-Sep-30 03:31 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
If 'internal-sftp' means that the SFTP server is just a forked child of sshd, would the 'sshd -e' flag work to send log messages from internal-sftp to stderr?

If so, it may be worth just sending all logging from sshd to stderr (as with [daemontools]).

Someone with time and ingenuity on their hands may even be able to send the stderr output on to syslog-ng and dispense with any need to filter it or send it to a file....

If internal-sftp doesn't work that way for ${reasons}, it may be worth adding that functionality for this sort of use case.

____________________
[daemontools]: https://cr.yp.to/daemontools.html

--
jmk

> On Sep 29, 2021, at 19:44, Peter Stuge <peter at stuge.se> wrote:
>
> Small clarification:
>
> Hildegard Meier wrote:
>> ps auxww |grep sftp
>> root      4192  0.0  0.1  72304  6512 ?        Ss   11:01   0:00 /usr/sbin/sftpd -D -f /etc/sftpd/sftpd_config
>> root      4590  0.2  0.1  74736  6632 ?        Ss   11:05   0:00 sftpd: sftp_nagios [priv]
>> sftp_na+  4592  0.0  0.0  74736  3432 ?        S    11:05   0:00 sftpd: sftp_nagios at notty
>> sftp_na+  4593  0.0  0.0  74736  3108 ?        Ss   11:05   0:00 sftpd: sftp_nagios at internal-sftp
>
> 4192 /usr/sbin/sftpd is likely unrelated to OpenSSH.
> I guess that this is a TLS FTP server.
> Try ps fax to see process relationships.
>
> The "sftpd:" prefix for the sshd processes may be related to SELinux;
> nothing in OpenSSH is called sftpd, except the "sftpd_t" SELinux context.
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Hildegard Meier
2021-Sep-30 05:43 UTC
Re: Howto log multiple sftpd instances with their chroot shared via NFS
> 4192 /usr/sbin/sftpd is likely unrelated to OpenSSH.
> I guess that this is a TLS FTP server.
> Try ps fax to see process relationships.
>
> The "sftpd:" prefix for the sshd processes may be related to SELinux;
> nothing in OpenSSH is called sftpd, except the "sftpd_t" SELinux context.

Sorry Peter, I should have explained this at once.

To have a clean separation of the standard sshd service on port 22 and our sftp server that listens on another port, and both have and shall have really nothing to do with each other, I created a new sshd instance named "sftpd":

/usr/sbin/sftpd is a symlink to /usr/sbin/sshd

Copied /etc/ssh/ and /etc/default/ssh to /etc/sftpd/ and /etc/default/sftpd

Copied /lib/systemd/system/ssh.service to /etc/systemd/system/sftpd.service and replaced in the copy all occurrences of regex "sshd?" with sftpd

E.g.

[Service]
EnvironmentFile=-/etc/default/sftpd
ExecStartPre=/usr/sbin/sftpd -t
ExecStart=/usr/sbin/sftpd -D $SFTPD_OPTS -f /etc/sftpd/sftpd_config

Important for correct autostart of sftpd on boot is:

[Unit]
After=network.target auditd.service sshd.service

Because sftpd needs to be started after sshd, as only sshd creates /run/sshd/ and that is needed by sftpd (hard compiled in sshd).

Pitfall: When stopping sshd /run/sshd/ gets deleted and you get the following sftpd error:

fatal: Missing privilege separation directory: /run/sshd

and sftpd does not accept new connections anymore etc.

Here ps fax output :)

12981 ?        Ss     0:02 /usr/sbin/sftpd -D -f /etc/sftpd/sftpd_config
18846 ?        Ss     0:00  \_ sftpd: sftp_nagios [priv]
18848 ?        S      0:00      \_ sftpd: sftp_nagios at notty
18849 ?        Ss     0:00          \_ sftpd: sftp_nagios at internal-sftp
Peter Stuge
2021-Sep-30 15:16 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
Hi Hildegard,

Hildegard Meier wrote:
> > 4192 /usr/sbin/sftpd is likely unrelated to OpenSSH.
>
> To have a clean separation of the standard sshd service on port 22
> and our sftp server that listens on another port, and both have and
> shall have really nothing to do with each other, I created a new
> sshd instance named "sftpd":

I understand! This could actually make it much easier to use a local
build for the standalone sftp server. Does the patch idea seem viable?

> [Service]
> EnvironmentFile=-/etc/default/sftpd
> ExecStartPre=/usr/sbin/sftpd -t
> ExecStart=/usr/sbin/sftpd -D $SFTPD_OPTS -f /etc/sftpd/sftpd_config
>
> Important for correct autostart of sftpd on boot is:
> [Unit]
> After=network.target auditd.service sshd.service
>
> Because sftpd needs to be started after sshd because only sshd
> creates /run/sshd/ and that is needed by sftpd (hard compiled in sshd).

systemd creates /run/sshd for the sshd.service, it's not great that the
sftpd service needs to use the same path. A local sshd build allows
cleanly solving that as well.

These commands build an OpenSSH-8.8p1 sshd with my sftp-server patch and
the alternate privsep directory:

git clone https://anongit.mindrot.org/openssh.git &&
cd openssh &&
git checkout -b v88_sftplog V_8_8_P1 &&
wget -O 0001-sftplog.patch \
  https://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20210930/9b40e2d4/attachment.bin &&
git am 0001-sftplog.patch &&
autoreconf -fi -I m4 &&
./configure --prefix=/usr/local/sftpd --with-privsep-path=/run/sftpd &&
make sshd

Thanks to --prefix this sshd will not interfere with anything installed
via package management. Place configuration and keys (or symlinks) in
/usr/local/sftpd/etc/ and remember PidFile /run/sftpd.pid in sshd_config.

In any case you can express the current dependency to systemd to avoid
errors:

> When stopping sshd /run/sshd/ gets deleted and you get the
> following sftpd error:
> fatal: Missing privilege separation directory: /run/sshd
> and sftpd does not accept new connections anymore etc.

Set BindsTo=sshd.service in the sftpd.service [Unit] section to tell
systemd that sftpd requires sshd, and should be stopped first if sshd is
being stopped.

Also create a Wants:

mkdir /etc/systemd/system/sshd.service.wants
ln -s ../sftpd.service /etc/systemd/system/sshd.service.wants/

...to tell systemd that it should try to start sftpd when sshd starts.

Keep After=sshd.service in sftpd.service.

With those changes you can stop and start sftpd while sshd continues
running like before, if you stop sshd then sftpd is now stopped first,
and if you start either sshd or sftpd when neither is running then both
are started in the right order.

> Here ps fax output :)

That makes sense now. :)

Kind regards

//Peter
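Hildegard's recipe for the second sshd instance and Peter's BindsTo/Wants/After advice, put together as one runnable script; this is an added example, not code from the thread or from OpenSSH. It assumes a Debian-style ssh.service (a constructed, trimmed copy is embedded) and writes everything under a scratch directory instead of /etc.

```shell
#!/bin/sh
# Added example, not from the thread: derive Hildegard's sftpd.service from a
# copy of ssh.service and add the sshd.service dependencies Peter suggests.
# Files go under a scratch root ($1, default: a temp dir), so no privileges.
set -eu
# Constructed, trimmed stand-in for Debian's /lib/systemd/system/ssh.service.
SAMPLE_SSH_UNIT='[Unit]
After=network.target auditd.service

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
RuntimeDirectory=sshd'

# make_sftpd_unit ROOT: write ROOT/etc/systemd/system/sftpd.service plus the
# sshd.service.wants/ symlink.
make_sftpd_unit() {
    dir="$1/etc/systemd/system"
    mkdir -p "$dir/sshd.service.wants"
    # 1: the "sshd?" -> sftpd rename also turns RuntimeDirectory=sshd into sftpd,
    #    so systemd creates /run/sftpd while sshd's compiled-in privsep path stays
    #    /run/sshd; that is why the unit still depends on sshd.service.
    # 2: the posted unit uses $SFTPD_OPTS, so rename the uppercase variable too.
    # 3: pass -f to the -t check too so it tests the config the daemon loads.
    # 4, 5: After=... sshd.service and BindsTo=sshd.service as Peter advises.
    printf '%s\n' "$SAMPLE_SSH_UNIT" | sed \
        -e 's/sshd\{0,1\}/sftpd/g' \
        -e 's/SSHD_OPTS/SFTPD_OPTS/g' \
        -e '/^ExecStart/s|$| -f /etc/sftpd/sftpd_config|' \
        -e '/^After=/s/$/ sshd.service/' \
        -e '/^After=/a\
BindsTo=sshd.service' \
        > "$dir/sftpd.service"
    ln -sf ../sftpd.service "$dir/sshd.service.wants/sftpd.service"
}

# check_sftpd_unit ROOT: succeed when the unit is ordered after and bound to
# sshd.service, -t checks the config it loads, and nothing points at package sshd.
check_sftpd_unit() {
    unit="$1/etc/systemd/system/sftpd.service"
    grep -q '^BindsTo=sshd\.service$' "$unit" &&
    grep -q '^After=.*sshd\.service' "$unit" &&
    grep -q '^ExecStartPre=/usr/sbin/sftpd -t -f /etc/sftpd/sftpd_config$' "$unit" &&
    ! grep -Eq '/usr/sbin/sshd|/etc/default/ssh$' "$unit" &&
    [ -L "$1/etc/systemd/system/sshd.service.wants/sftpd.service" ]
}
root=${1:-$(mktemp -d)}
make_sftpd_unit "$root"
check_sftpd_unit "$root" && echo "wrote $root/etc/systemd/system/sftpd.service"
```

On a real host, run it against / and then `systemctl daemon-reload`; the --with-privsep-path=/run/sftpd build Peter describes would let you drop the BindsTo= again.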
Jim Knoble
2021-Oct-01 01:39 UTC
Howto log multiple sftpd instances with their chroot shared via NFS
Following up on my own thread.

I was able to get logging from sshd to stderr using 'sshd -e', but it appears as if internal-sftp does not send messages to stderr (or, at least, to the same file handle).

With 'LogLevel VERBOSE', sshd emits expected messages about connection and accepting keys, then:

User child is on pid 1234
Starting session: subsystem 'sftp' for user1 from 1.2.3.4 port 5678 id 0

It's not until closing the session that we get more:

Close session: user user1 from 1.2.3.4 port 5678 id 0
Received disconnect from 1.2.3.4 port 5678:12: disconnected by user
[...]

As expected, command-line flags in sshd_config for the internal-sftp command have no effect ('-e -l DEBUG', for example).

I haven't looked at the code to see whether there's an easy path here or not. Too bad, it seemed like a reasonable approach -- and could still be, if someone were to implement a reasonable "log-to-stderr" for internal sftp.

The only other approach that seems at all reasonable to me is to add code and a config twiddle to sshd to send log messages directly to, say, an RFC5425 syslog-over-TLS server at a configurable address and port. That seems like a lot of code for not so much benefit.

--
jmk

> On Sep 29, 2021, at 20:44, Jim Knoble <jmknoble at pobox.com> wrote:
>
> If 'internal-sftp' means that the SFTP server is just a forked child of sshd, would the 'sshd -e' flag work to send log messages from internal-sftp to stderr?
>
> If so, it may be worth just sending all logging from sshd to stderr (as with [daemontools]).
>
> Someone with time and ingenuity on their hands may even be able to send the stderr output on to syslog-ng and dispense with any need to filter it or send it to a file....
>
> If internal-sftp doesn't work that way for ${reasons}, it may be worth adding that functionality for this sort of use case.