When reposting articles from this site, please credit the source: 月影鹏鹏 [http://Jacky.Aiwaly.com]
Permalink: http://jk.aiwaly.com/wp/openssh-logging-with-chrootdirectory.html
Finally following up on the previous article on the subject, I found some time to investigate logging what happens in an internal-sftp session using rsyslog.
Making syslog available in the chroot
Simply create a dev directory in each one of the chosen user chroot directories.
# mkdir /home/user/dev
Configuring rsyslog to probe the new logging source
Simply drop the following contents in /etc/rsyslog.d/sshd.conf:
# Create an additional socket for some of the sshd chrooted users.
# The socket must be <chroot>/dev/log, inside the dev directory created above.
$AddUnixListenSocket /var/fileserv/dev/log
# Log internal-sftp in a separate file
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~
Configuring openssh for logging
From the previous article, /etc/sshd_config should be changed. The Subsystem sftp line should read:
Subsystem sftp internal-sftp -l VERBOSE
The Match sections should look like the following.
Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -l VERBOSE
Because of a limitation in OpenSSH, the ForceCommand line cannot be used with logging parameters on versions earlier than 5.2. But omitting the ForceCommand directive implicitly gives the user shell access in the chrooted directory if they have upload privileges. Therefore, this is in my view a security risk, and that is why I would say that enabling logging in this configuration requires OpenSSH 5.2 or later.
Log rotation for the new log file
Drop the following file in /etc/logrotate.d :
/var/log/sftp.log {
    weekly
    missingok
    rotate 52
    compress
    delaycompress
    postrotate
        invoke-rc.d rsyslog reload > /dev/null
    endscript
}
Any comments on this solution are very welcome.
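
The chroot and rsyslog steps above only work together when every chroot directory has a dev directory and a matching $AddUnixListenSocket line; a user whose socket is missing is simply not logged. The following check is an added example, not part of the original article: the function name missing_sockets, the demo function and the constructed demo paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article).
# Report chroot directories that lack a dev directory or a matching
# $AddUnixListenSocket line in an rsyslog configuration file.
# Usage: missing_sockets RSYSLOG_CONF CHROOT_DIR...

missing_sockets() {
    conf=$1
    shift
    for chroot in "$@"; do
        chroot=${chroot%/}            # tolerate a trailing slash
        want="$chroot/dev/log"        # socket path sshd sees inside the chroot

        if [ ! -d "$chroot/dev" ]; then
            printf '%s: dev directory missing\n' "$chroot"
        fi

        # Exact match on the first field, so a commented-out directive
        # ("#$AddUnixListenSocket ...") does not count as configured.
        if ! awk -v s="$want" '
            $1 == "$AddUnixListenSocket" && $2 == s { found = 1 }
            END { exit !found }' "$conf"; then
            printf '%s: no $AddUnixListenSocket %s in %s\n' \
                "$chroot" "$want" "$conf"
        fi
    done
}

# Constructed demo: alice is fully set up, bob has neither a dev
# directory nor a socket line, so two findings are printed for bob.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/home/alice/dev" "$t/home/bob"
    printf '%s\n' "\$AddUnixListenSocket $t/home/alice/dev/log" > "$t/sshd.conf"
    missing_sockets "$t/sshd.conf" "$t/home/alice" "$t/home/bob"
    rm -rf "$t"
}
demo
```

On a real host, pass /etc/rsyslog.d/sshd.conf and the home directory of each member of the sftponly group; empty output means every listed chroot has both pieces in place.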
