sftp logging
I can't seem to get logging for sftp working. OpenBSD 4.3.

Here is the line from my sshd_config:

    Subsystem sftp /usr/libexec/sftp-server -f LOCAL7 -l DEBUG

Here is the line from syslog.conf:

    local7.* /var/log/local7.log

I went as far as rebooting the server to make sure the config files were read. Nothing is being written to /var/log/local7.log. I tried creating a local7.log in case syslog wasn't able to create it (read that somewhere in my searching for an answer, sounds hokey to me, but did it anyway) but that didn't help. Google gave me a haystack to search through, but I found confirmation of my config on an OS X support site, though who knows if that is valid for OpenBSD. If anyone has a cluestick, please hit me with it.

Stuart van Zee
[EMAIL PROTECTED]
Re: sftp logging using chroot internal-sftp in -current
Damien,

Thanks for the pointer. I believe the environment is now set up correctly, but I can not get DEBUG3 messages to appear from internal-sftp in authlog.

I set up the log device file /ftp_jail/dev/log...

    [EMAIL PROTECTED]: ls -la /ftp_jail/dev/log
    srw-rw-rw-  1 root  ftp  0 Mar 13 14:31 /ftp_jail/dev/log

...and syslogd points to /ftp_jail/dev/log:

    syslogd -a /ftp_jail/dev/log -a /var/empty/dev/log

When I sftp from 192.168.2.2 to the sftp server test0 I now get a line I did not see before, "subsystem request for sftp". As far as I can tell the log device is working correctly.

This is the log of an sftp connection. As a test I switched directory, downloaded a test file and then disconnected. As you can see there is no mention in the logs.

    Mar 13 16:23:12 test0 sshd[24079]: Server listening on 0.0.0.0 port 22.
    Mar 13 16:23:25 test0 sshd[26118]: Connection from 192.168.2.2 port 48518
    Mar 13 16:23:26 test0 sshd[26118]: Failed none for ftp from 192.168.2.2 port 48518 ssh2
    Mar 13 16:23:26 test0 sshd[26118]: Failed publickey for ftp from 192.168.2.2 port 48518 ssh2
    Mar 13 16:23:28 test0 sshd[26118]: Accepted password for ftp from 192.168.2.2 port 48518 ssh2
    Mar 13 16:23:28 test0 sshd[10427]: Changed root directory to /ftp_jail
    Mar 13 16:23:28 test0 sshd[10427]: subsystem request for sftp
    Mar 13 16:23:44 test0 sshd[10427]: Connection closed by 192.168.2.2
    Mar 13 16:23:44 test0 sshd[10427]: Closing connection to 192.168.2.2

This is my /etc/ssh/sshd_config if you can see anything wrong with it. I tried adding "ForceCommand internal-sftp -l DEBUG3" but this caused sshd to error.

I appreciate the assistance.
http://calomel.org/sftp_chroot.html

## /etc/ssh/sshd_config
AllowTcpForwarding no
ClientAliveCountMax 3
ClientAliveInterval 0
Compression delayed
LoginGraceTime 60s
LogLevel DEBUG3
MaxAuthTries 6
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PermitTunnel no
PermitUserEnvironment no
Port 22
Protocol 2
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePrivilegeSeparation yes
X11Forwarding no

## sftp directives
Subsystem sftp internal-sftp -f AUTH -l DEBUG3
Match User ftp
    ForceCommand internal-sftp
    ChrootDirectory /ftp_jail

http://calomel.org/sftp_chroot.html

--
Calomel @ http://calomel.org
Open Source Research and Reference

On Thu, Mar 13, 2008 at 12:32:04PM +1100, Damien Miller wrote:
> On Wed, 12 Mar 2008, Calomel wrote:
> > Is it possible to enable DEBUG logging for internal-sftp in sshd? Using -current (Mar 12, 2008) and enabling a chroot'd sftp server we can get sshd to log initial connections. But, we would also like to log sftp activity like uploads, downloads, and directory changes similar to what vsftpd does.
> > The older sftp-server man page had a log facility (-f) and log level (-l) options, but those arguments might not have been carried over to internal-sftp. Perhaps the chroot environment keeps us from logging internal-sftp?
>
> Yes. You should be able to have syslogd(8) listen on /dev/log inside the chroot to make messages from the internal sftp-server visible.
>
> -d
sftp logging using chroot internal-sftp in -current
Is it possible to enable DEBUG logging for internal-sftp in sshd? Using -current (Mar 12, 2008) and enabling a chroot'd sftp server we can get sshd to log initial connections. But, we would also like to log sftp activity like uploads, downloads, and directory changes similar to what vsftpd does.

The older sftp-server man page had a log facility (-f) and log level (-l) options, but those arguments might not have been carried over to internal-sftp. Perhaps the chroot environment keeps us from logging internal-sftp?

Any help is appreciated. Thanks for your time.

http://calomel.org/sftp_chroot.html

## /etc/ssh/sshd_config
AllowTcpForwarding no
ClientAliveCountMax 3
ClientAliveInterval 0
Compression delayed
LoginGraceTime 60s
LogLevel DEBUG3
MaxAuthTries 6
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PermitTunnel no
PermitUserEnvironment no
Port 22
Protocol 2
StrictModes yes
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePrivilegeSeparation yes
X11Forwarding no

## sftp directives
Subsystem sftp internal-sftp
Match User ftp
    ForceCommand internal-sftp
    ChrootDirectory /ftp_jail

http://calomel.org/sftp_chroot.html

--
Calomel @ http://calomel.org
Open Source Research and Reference
Re: sftp logging using chroot internal-sftp in -current
On Wed, 12 Mar 2008, Calomel wrote:

> Is it possible to enable DEBUG logging for internal-sftp in sshd? Using -current (Mar 12, 2008) and enabling a chroot'd sftp server we can get sshd to log initial connections. But, we would also like to log sftp activity like uploads, downloads, and directory changes similar to what vsftpd does.
> The older sftp-server man page had a log facility (-f) and log level (-l) options, but those arguments might not have been carried over to internal-sftp. Perhaps the chroot environment keeps us from logging internal-sftp?

Yes. You should be able to have syslogd(8) listen on /dev/log inside the chroot to make messages from the internal sftp-server visible.

-d
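As an added example (not from this thread, and not OpenSSH's own code), here is a small POSIX sh audit of the two things the chroot logging exchange above turns on: that the sftp server is given a syslog facility and level on whichever line actually launches it, and that a chrooted server has a /dev/log socket to write to. Function names are hypothetical; it assumes a current OpenSSH in which "ForceCommand internal-sftp" accepts the same -f/-l options as the Subsystem line and replaces that line's command for matched users (the -current of March 2008 in this thread rejected those arguments).

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. Function names are
# hypothetical. Assumes a current OpenSSH where "ForceCommand internal-sftp"
# takes -f/-l and replaces the Subsystem command for matched users.

# sftp_config_findings FILE: print one line per logging gap found in an
# sshd_config; print nothing when the file looks complete.
sftp_config_findings() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }            # skip comments and blank lines
    { key = tolower($1) }                     # option names are case-insensitive
    key == "subsystem" && tolower($2) == "sftp" {
        sub_seen = 1
        sub_args = ($0 ~ / -f /) && ($0 ~ / -l /)
    }
    key == "match" { in_match = 1 }
    key == "chrootdirectory" && in_match { chroot_seen = 1 }
    key == "forcecommand" && tolower($2) == "internal-sftp" {
        force_seen = 1
        force_args = ($0 ~ / -f /) && ($0 ~ / -l /)
    }
    END {
        if (!sub_seen)
            print "no Subsystem sftp line"
        else if (!sub_args)
            print "Subsystem sftp runs without -f/-l (no facility or level)"
        if (force_seen && !force_args)
            print "ForceCommand internal-sftp has no -f/-l: it replaces the Subsystem command, so put them here"
        if (chroot_seen)
            print "ChrootDirectory in use: syslogd needs -a <chroot>/dev/log and that socket must exist"
    }' "$1"
}

# sftp_chroot_log_socket CHROOT: succeed only if CHROOT/dev/log is a socket,
# i.e. something a chrooted internal-sftp can actually log through.
sftp_chroot_log_socket() {
    [ -S "$1/dev/log" ]
}

# Audit a live system when invoked with arguments:
#   sh sftp_log_audit.sh /etc/ssh/sshd_config /ftp_jail
if [ $# -eq 2 ]; then
    sftp_config_findings "$1"
    sftp_chroot_log_socket "$2" || echo "$2/dev/log is missing or not a socket"
fi
```

Sourcing the file instead of running it makes both functions available for use against any other config file or jail directory.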
SFTP logging
Hi,

There's a very nice file in /var/log called xferlog, which logs all the ftp connections and files that go in and out of my machine. Very handy.

Is there a similar setup available for sftp? Is there a config directive I can tweak in sshd_config or another file? Can it be extended to scp as well?

Gaby

--
Junkets for bunterish lickspittles since 1998!
http://www.playr.co.uk/sudoku/
http://weblog.vanhegan.net/