sftp-server logging with chroot in OpenBSD?

I want to log upload/download information in sftp-server.

Test with two users: "root" and a chrooted user "share".

1. Add an sftp-only user "share"
/etc/passwd file
root:*:0:0:Charlie &:/root:/bin/ksh
...
share:*:1000:1000:share:/home/share:/sbin/nologin

Set some permissions:
# chown root:wheel /home/share    # ChrootDirectory must be root-owned and not writable by others
# (clear all the files in /home/share)
# mkdir /home/share/upload
# chown share /home/share/upload  # let user "share" upload files


2. vi /etc/ssh/sshd_config
# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server -l INFO

# Example of overriding settings on a per-user basis
Match User share
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
        ChrootDirectory /home/share/


3. Now test user "root" uploading and downloading; /var/log/authlog looks good.
Client: FileZilla on Windows, server: OpenBSD.

Mar 27 21:05:58 49 sshd[12130]: Accepted password for root from 10.0.0.88 port 52624 ssh2
Mar 27 21:05:58 49 sshd[12130]: subsystem request for sftp by user root
Mar 27 21:05:58 49 sftp-server[9419]: session opened for local user root from [10.0.0.88]
Mar 27 21:05:58 49 sftp-server[9419]: opendir "/root"
Mar 27 21:05:58 49 sftp-server[9419]: closedir "/root"
Mar 27 21:05:59 49 sftp-server[9419]: opendir "/"
Mar 27 21:05:59 49 sftp-server[9419]: closedir "/"
Mar 27 21:05:59 49 sftp-server[9419]: opendir "/"
Mar 27 21:05:59 49 sftp-server[9419]: closedir "/"
Mar 27 21:06:01 49 sftp-server[9419]: opendir "/home"
Mar 27 21:06:01 49 sftp-server[9419]: closedir "/home"
Mar 27 21:06:01 49 sftp-server[9419]: opendir "/home"
Mar 27 21:06:01 49 sftp-server[9419]: closedir "/home"
Mar 27 21:06:02 49 sftp-server[9419]: opendir "/home/share"
Mar 27 21:06:02 49 sftp-server[9419]: closedir "/home/share"
Mar 27 21:06:02 49 sftp-server[9419]: opendir "/home/share"
Mar 27 21:06:02 49 sftp-server[9419]: closedir "/home/share"
Mar 27 21:06:04 49 sshd[10714]: Accepted password for root from 10.0.0.88 port 52625 ssh2
Mar 27 21:06:04 49 sshd[10714]: subsystem request for sftp by user root
Mar 27 21:06:04 49 sftp-server[16632]: session opened for local user root from [10.0.0.88]
Mar 27 21:06:04 49 sftp-server[16632]: opendir "/home/share"
Mar 27 21:06:04 49 sftp-server[16632]: closedir "/home/share"
Mar 27 21:06:04 49 sftp-server[16632]: open "/home/share/New Text Document.txt" flags WRITE,CREATE,TRUNCATE mode 0666
Mar 27 21:06:04 49 sftp-server[16632]: close "/home/share/New Text Document.txt" bytes read 0 written 4
Mar 27 21:06:04 49 sftp-server[16632]: opendir "/home/share"
Mar 27 21:06:04 49 sftp-server[16632]: closedir "/home/share"
Mar 27 21:06:08 49 sftp-server[16632]: open "/home/share/\M-f\\226\M-0\M-f\\226\\207\M-d\M-;\M-6.txt" flags WRITE,CREATE,TRUNCATE mode 0666
Mar 27 21:06:08 49 sftp-server[16632]: close "/home/share/\M-f\\226\M-0\M-f\\226\\207\M-d\M-;\M-6.txt" bytes read 0 written 14
Mar 27 21:06:08 49 sftp-server[16632]: opendir "/home/share"
Mar 27 21:06:08 49 sftp-server[16632]: closedir "/home/share"
Mar 27 21:07:08 49 sftp-server[16632]: session closed for local user root from [10.0.0.88]
Mar 27 21:08:25 49 sftp-server[9419]: session closed for local user root from [10.0.0.88]
Mar 27 21:08:33 49 sshd[10543]: Accepted password for share from 10.0.0.88 port 52626 ssh2
Mar 27 21:09:11 49 sshd[27201]: Accepted password for share from 10.0.0.88 port 52627 ssh2

See: user "share" uploaded some files to the /home/share/upload
directory, but nothing is logged in /var/log/authlog except "Accepted
password for share".


4. http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8
     For logging to work, sftp-server must be able to access /dev/log.  Use of
     sftp-server in a chroot configuration therefore requires that syslogd(8)
     establish a logging socket inside the chroot directory.

5. /etc/rc.conf.local
+syslogd_flags="-a /home/share/dev/log"
mkdir /home/share/dev
touch /home/share/dev/log    # not needed: syslogd creates the socket itself when started with -a
Reboot the OpenBSD system.

6. Continue testing user "share": still no upload/download information
for user "share" in /var/log/authlog, except:
Mar 27 21:26:55 49 sshd[15017]: Accepted password for share from 10.0.0.88 port 52677 ssh2
Mar 27 21:26:55 49 sshd[29865]: subsystem request for sftp by user share
Mar 27 21:27:43 49 sshd[6434]: Accepted password for share from 10.0.0.88 port 52678 ssh2
Mar 27 21:27:43 49 sshd[16086]: subsystem request for sftp by user share
Mar 27 21:34:53 49 sshd[11288]: Accepted password for share from 10.0.0.88 port 52724 ssh2
Mar 27 21:34:53 49 sshd[24985]: subsystem request for sftp by user share
Mar 27 21:35:57 49 sshd[28148]: Accepted password for share from 10.0.0.88 port 52726 ssh2
Mar 27 21:35:57 49 sshd[1913]: subsystem request for sftp by user share
Mar 27 21:35:57 49 sshd[25204]: Accepted password for share from 10.0.0.88 port 52727 ssh2
Mar 27 21:35:57 49 sshd[7689]: subsystem request for sftp by user share


BTW, how do I send the sftp logging information to a separate file, e.g.
/var/log/sftplog?

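An added worked example, not part of the post above and not OpenBSD or OpenSSH project code. It covers the two things the thread turns on: the Match block in the post runs `internal-sftp` with no `-l` option, so it logs at sftp-server's default level (ERROR) and never records transfers; the `-l INFO` on the `Subsystem` line only reaches users that do not hit the Match block, which is why root's transfers show up and share's do not. sshd_config(5) says internal-sftp takes the same options as sftp-server, so `-l INFO` belongs on the `ForceCommand` line; `-f LOCAL0` additionally moves the messages off the AUTH facility so syslog.conf can route them to their own file, which answers the "BTW" question. The chroot path `/home/share`, the facility `LOCAL0`, the log file name `/var/log/sftplog` and the use of rcctl(8) are assumptions; the log lines fed to the parser are constructed to match the format in the thread (note that inside a chroot, internal-sftp logs paths relative to the chroot root, so the upload appears as `/upload/...`, not `/home/share/upload/...`).

```shell
#!/bin/sh
# Added example for the thread; not the poster's setup and not OpenBSD code.
# Assumes OpenBSD with rcctl(8), chroot at /home/share, facility LOCAL0.

# --- 1. sshd_config: the Match block with logging actually enabled ---------
# Prints the block to paste over the original one. -l INFO is what the
# original Match block is missing; -f LOCAL0 is a choice made here.
sshd_match_block() {
	cat <<'EOF'
Match User share
        X11Forwarding no
        AllowTcpForwarding no
        ChrootDirectory /home/share
        ForceCommand internal-sftp -l INFO -f LOCAL0
EOF
}

# --- 2. syslogd: socket inside the chroot plus a dedicated log file --------
# Run as root on the server after the Match block is in place. Replaces any
# existing syslogd flags (same effect as syslogd_flags= in rc.conf.local).
sftp_chroot_log_setup() {
	chroot=${1:-/home/share}
	mkdir -p "$chroot/dev"                          # syslogd creates the socket itself
	rcctl set syslogd flags "-a $chroot/dev/log"
	grep -q '^local0\.' /etc/syslog.conf ||
	    printf 'local0.*\t/var/log/sftplog\n' >> /etc/syslog.conf
	touch /var/log/sftplog && chmod 640 /var/log/sftplog   # syslogd does not create it
	rcctl restart syslogd
	sshd -t && rcctl restart sshd                   # -t validates the config first
}

# --- 3. Turn the raw log into a per-transfer audit line ---------------------
# Reads syslog lines on stdin and prints: user, action, bytes read, bytes
# written, path (tab separated). The ident is "sftp-server" for the
# Subsystem path and "internal-sftp" for the ForceCommand path; the pid maps
# each close to the "session opened" line that names the user. Paths may
# contain spaces, so the line is split around the trailing byte counts
# rather than on whitespace.
sftp_transfers() {
	awk '
	function pid_of(line,   p) {
		p = line
		sub(/^.*(sftp-server|internal-sftp)\[/, "", p)
		sub(/].*$/, "", p)
		return p
	}
	/(sftp-server|internal-sftp)\[[0-9]+]: session opened for local user / {
		u = $0
		sub(/^.* session opened for local user /, "", u)
		sub(/ from .*$/, "", u)
		user[pid_of($0)] = u
		next
	}
	/(sftp-server|internal-sftp)\[[0-9]+]: close "/ {
		rest = $0
		sub(/^.*]: close "/, "", rest)
		# rest is now:  PATH" bytes read N written M
		if (!match(rest, /" bytes read [0-9]+ written [0-9]+$/)) next
		path = substr(rest, 1, RSTART - 1)
		split(substr(rest, RSTART), f, " ")
		rd = f[4]; wr = f[6]
		act = (wr > 0) ? "upload" : ((rd > 0) ? "download" : "empty")
		p = pid_of($0)
		printf "%s\t%s\t%s\t%s\t%s\n", (p in user) ? user[p] : "?", act, rd, wr, path
	}'
}

# Constructed sample in the thread's log format: one chrooted session for
# "share" (internal-sftp ident, chroot-relative paths) and one for root.
sample_log() {
	cat <<'EOF'
Mar 27 21:40:02 49 internal-sftp[2001]: session opened for local user share from [10.0.0.88]
Mar 27 21:40:03 49 internal-sftp[2001]: open "/upload/report.txt" flags WRITE,CREATE,TRUNCATE mode 0666
Mar 27 21:40:03 49 internal-sftp[2001]: close "/upload/report.txt" bytes read 0 written 14
Mar 27 21:40:05 49 internal-sftp[2001]: open "/upload/New Text Document.txt" flags READ mode 0666
Mar 27 21:40:05 49 internal-sftp[2001]: close "/upload/New Text Document.txt" bytes read 4 written 0
Mar 27 21:40:06 49 internal-sftp[2001]: opendir "/upload"
Mar 27 21:40:06 49 internal-sftp[2001]: closedir "/upload"
Mar 27 21:40:09 49 internal-sftp[2001]: session closed for local user share from [10.0.0.88]
Mar 27 21:41:00 49 sftp-server[2010]: session opened for local user root from [10.0.0.88]
Mar 27 21:41:01 49 sftp-server[2010]: open "/root/notes.txt" flags WRITE,CREATE,TRUNCATE mode 0666
Mar 27 21:41:01 49 sftp-server[2010]: close "/root/notes.txt" bytes read 0 written 0
Mar 27 21:41:02 49 sftp-server[2010]: session closed for local user root from [10.0.0.88]
EOF
}

# Stand-alone run: audit the constructed sample.
sample_log | sftp_transfers
```

On a live server the audit is `sftp_transfers < /var/log/sftplog`. Two caveats: the default syslog.conf sends `*.notice` and above to /var/log/messages, so sftp-server's ERROR-level messages will also land there unless `local0.none` is added to that selector; and a close with zero bytes in both directions (the root line in the sample) is an empty file being created, not a transfer, which is why it is reported as "empty" rather than folded into uploads.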