sftp running in chroot env
Steve Szabo
2010-02-11 16:13:59 UTC
I've configured sftp to run in a chroot env, which seems to work;
however, I am unable to get syslog to log the sftp activities within
the chroot.


If I connect via sftp to a non-chroot env the daemon will log the
transactions as expected:

i.e.

Feb 11 10:35:20 XXXXXXXXXX sftp-server[11797]: [ID 800047 auth.info]
open "/home/someguy/test/file" flags READ mode 0666



I also need the activities to be logged from within the chroot - can
someone please give me some pointers?



Here is my config running under Solaris 10:




syslog.conf:
auth.debug /var/adm/openssh.log


sshd_config:
SyslogFacility AUTH
LogLevel DEBUG
Subsystem sftp /opt/openssh/libexec/sftp-server -l DEBUG

Match User sample
ChrootDirectory /home/chroot



chroot env:

/home/chroot:

./usr
./usr/sfw
./usr/sfw/lib
./usr/sfw/lib/libcrypto.so.0.9.7
./usr/sfw/lib/libcrypto_extra.so.0.9.7
./usr/bin
./usr/bin/ls
./usr/lib
./usr/lib/nss_files.so.1
./usr/lib/libz.so.1
./usr/lib/ld.so.1

./bin
./bin/bash

./etc
./etc/group
./etc/passwd

./lib
./lib/libsec.so.1
./lib/libc.so.1
./lib/libresolv.so.2
./lib/libmd.so.1
./lib/libmp.so.2
./lib/libdoor.so.1
./lib/libcurses.so.1
./lib/libnsl.so.1
./lib/librt.so.1
./lib/libdl.so.1
./lib/libm.so.2
./lib/libaio.so.1
./lib/libscf.so.1
./lib/libgen.so.1
./lib/libuutil.so.1
./lib/libavl.so.1
./lib/libsocket.so.1

./opt
./opt/openssh
./opt/openssh/libexec
./opt/openssh/libexec/sftp-server
./opt/openssh/bin
./opt/openssh/bin/scp

./home
./home/sample

./dev
./dev/null
./dev/log

./var
./var/adm
./var/adm/openssh.log
--
“it is better to solve the right problem the wrong way than the wrong
problem the right way”
-- Doug McIlroy
Jan Chadima
2010-02-12 12:14:28 UTC
A not-100% solution is:
https://bugzilla.mindrot.org/show_bug.cgi?id=1636
The log stops working when the syslog daemon is reloaded :(

JFCh
Steve Szabo
2010-02-12 17:53:09 UTC
Using truss, I was able to determine that the daemon was looking for
'conslog' and not 'log'.

./dev/null
./dev/conslog

sftp now logs to /var/adm/openssh.log

Thanks to all for your suggestions

Cheers
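The thread's outcome is that the chroot has to contain the log endpoint the C library's syslog() client actually opens (on Solaris that is /dev/conslog, not /dev/log), and that a device node which is merely copied as a regular file opens without error yet never reaches syslogd. The script below is an added example, not code from the thread or from OpenSSH: it checks a chroot directory for that endpoint and for the other pieces sftp-server needs. The required-path list is taken from the /home/chroot listing above; the mapping from `uname -s` output to log device, and the CHROOT_DIR environment variable used to run it stand-alone, are this example's assumptions.

```shell
#!/bin/sh
# Added example: sanity-check an sftp chroot for what sftp-server needs,
# with emphasis on the syslog endpoint. Paths come from the thread's chroot
# listing; the platform -> log device mapping is this example's assumption,
# backed by the thread's truss finding that Solaris opens /dev/conslog.

# Device the C library's syslog() client opens, keyed on `uname -s` output.
syslog_device_for() {
    case "$1" in
        SunOS) echo /dev/conslog ;;   # Solaris: client side of the STREAMS log driver
        *)     echo /dev/log ;;       # Linux/BSD: Unix-domain socket created by syslogd
    esac
}

# Paths that must exist AND must not be plain files: `cp` of a device node
# yields a regular file that opens fine but never reaches syslogd.
device_paths_for() {
    echo "$(syslog_device_for "$1") /dev/null"
}

# Binaries and files that only need to be present.
FILE_PATHS="/opt/openssh/libexec/sftp-server /etc/passwd /etc/group"

# Usage: check_chroot <chroot dir> <uname -s value>
# Prints one line per problem; returns 0 only when nothing is wrong.
check_chroot() {
    root=$1; os=$2; rc=0
    for rel in $(device_paths_for "$os"); do
        if [ ! -e "$root$rel" ]; then
            echo "missing: $root$rel"; rc=1
        elif [ -f "$root$rel" ]; then
            echo "regular file, not a device or socket: $root$rel"; rc=1
        fi
    done
    for rel in $FILE_PATHS; do
        if [ ! -e "$root$rel" ]; then
            echo "missing: $root$rel"; rc=1
        fi
    done
    return $rc
}

# Stand-alone use (assumed variable name): CHROOT_DIR=/home/chroot sh check_chroot.sh
if [ -n "${CHROOT_DIR:-}" ]; then
    check_chroot "$CHROOT_DIR" "$(uname -s)"
fi
```

When the check passes but nothing is logged, the same approach Steve used finds the real endpoint: trace the open() calls of the sftp-server child (`truss -f -t open,open64 -p <sshd pid>` on Solaris, `strace -f -e trace=open,openat -p <sshd pid>` on Linux) and compare the path it requests with what the chroot provides. On Linux the endpoint is a socket that syslogd creates, so it cannot simply be copied in; rsyslog's imuxsock `$AddUnixListenSocket /home/chroot/dev/log` directive makes the daemon create a second socket inside the chroot, which also sidesteps the stale-descriptor problem Jan describes, because the socket is recreated whenever syslogd restarts.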
