On Thu, 20 Oct 2022, Peter Stuge wrote:

> Finally, have you tested how this works with internal-sftp?
>
> I guess many large scale servers don't use internal-sftp because of
> logging requirements as discussed in an older thread but I bet that
> internal-sftp is desirable especially when scaling up so make sure
> to not neglect it. Thanks.

I didn't catch the other thread, but internal-sftp logging should work
just fine.

e.g. with

Subsystem sftp internal-sftp -l verbose -f daemon

I see:

Oct 21 16:46:22 djm internal-sftp[82167]: session opened for local user djm from [10.130.80.1]
Oct 21 16:46:22 djm internal-sftp[82167]: received client version 3
Oct 21 16:46:22 djm internal-sftp[82167]: realpath "."
Oct 21 16:47:59 djm internal-sftp[82167]: session closed for local user djm from [10.130.80.1]

-d

Dear Darren and Damien,

Do you like the proposed approach and cmdline option?

On Fri, Oct 21, 2022 at 7:50 AM Damien Miller <djm at mindrot.org> wrote:

> On Thu, 20 Oct 2022, Peter Stuge wrote:
>
> > Finally, have you tested how this works with internal-sftp?
> >
> > I guess many large scale servers don't use internal-sftp because of
> > logging requirements as discussed in an older thread but I bet that
> > internal-sftp is desirable especially when scaling up so make sure
> > to not neglect it. Thanks.
>
> I didn't catch the other thread, but internal-sftp logging should work
> just fine.
>
> e.g. with
>
> Subsystem sftp internal-sftp -l verbose -f daemon
>
> I see:
>
> Oct 21 16:46:22 djm internal-sftp[82167]: session opened for local user
> djm from [10.130.80.1]
> Oct 21 16:46:22 djm internal-sftp[82167]: received client version 3
> Oct 21 16:46:22 djm internal-sftp[82167]: realpath "."
> Oct 21 16:47:59 djm internal-sftp[82167]: session closed for local user
> djm from [10.130.80.1]
>
> -d

--
Dmitry Belyavskiy

Damien Miller wrote:

> > Finally, have you tested how this works with internal-sftp?
> >
> > I guess many large scale servers don't use internal-sftp because of
> > logging requirements as discussed in an older thread but I bet that
> > internal-sftp is desirable especially when scaling up so make sure
> > to not neglect it. Thanks.
>
> I didn't catch the other thread, but internal-sftp logging should
> work just fine.

I failed to mention the chroot condition. There was a long-ish thread
on logging from chrooted sftp-server some months ago (last year?).

Damien Miller wrote:

> I don't think timeouts should be implemented in sftp-server, but in
> sshd(8). I have a prototype of a generic channel timeout mechanism at
> https://github.com/djmdjm/openssh-wip/pull/16

That's a really good general solution, keeping sftp-server simple.

Thanks a lot

//Peter
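
Added example, not part of the thread and not OpenSSH code: a small Python parser for the internal-sftp syslog lines quoted in Damien Miller's message, grouping them by PID to report session length, requests, and sessions that never logged a close. The function names are hypothetical, the sample lines are copied from the message, and the year 2022 is an assumption taken from the thread date because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Log lines copied from the message above; the year is assumed (see parse_sessions).
SAMPLE = """\
Oct 21 16:46:22 djm internal-sftp[82167]: session opened for local user djm from [10.130.80.1]
Oct 21 16:46:22 djm internal-sftp[82167]: received client version 3
Oct 21 16:46:22 djm internal-sftp[82167]: realpath "."
Oct 21 16:47:59 djm internal-sftp[82167]: session closed for local user djm from [10.130.80.1]
"""

LINE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) internal-sftp\[(\d+)\]: (.*)$')
SESSION = re.compile(r'^session (opened|closed) for local user (\S+) from \[([^\]]+)\]$')

def parse_sessions(text, year=2022):
    """Group internal-sftp syslog lines by PID into per-session records."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an internal-sftp line
        stamp, host, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(pid, {"host": host, "user": None, "peer": None,
                                      "opened": None, "closed": None, "requests": []})
        ev = SESSION.match(msg)
        if ev:
            state, user, peer = ev.groups()
            s["user"], s["peer"] = user, peer
            s[state] = when  # fills the "opened" or "closed" slot
        elif not msg.startswith("received client version"):
            s["requests"].append(msg)  # everything else is a logged SFTP request
    return sessions

def duration_seconds(session):
    """Session length in seconds, or None if the open or close line is missing."""
    if session["opened"] and session["closed"]:
        return int((session["closed"] - session["opened"]).total_seconds())
    return None

def unclosed(sessions):
    """PIDs with an open event but no close: still connected, or log lines lost."""
    return sorted(p for p, s in sessions.items() if s["opened"] and not s["closed"])

if __name__ == "__main__":
    for pid, s in parse_sessions(SAMPLE).items():
        print(pid, s["user"], s["peer"], duration_seconds(s), s["requests"])
```
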