[Bug 1527] New: ForceCommand internal-sftp needs a way to enable logging

bugzilla-daemon at bugzilla.mindrot.org
Wed Sep 24 00:32:17 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1527

           Summary: ForceCommand internal-sftp needs a way to enable
                    logging
           Product: Portable OpenSSH
           Version: 5.1p1
          Platform: Itanium2
        OS/Version: HP-UX
            Status: NEW
          Severity: minor
          Priority: P4
         Component: sftp-server
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: ombugr at mayoxide.com


I'm reporting a problem that I've seen a few times by googling, and
there doesn't seem to be a bug report on this yet.

When setting up an SFTP-only server, Damien suggested in the OpenBSD
journal to use a combination of ChrootDirectory and ForceCommand like
this. I've added the sftp subsystem as well since it's required.

Subsystem sftp internal-sftp
ForceCommand internal-sftp
ChrootDirectory /chroot

The previous settings work well as documented.

However, since internal-sftp doesn't do any logging by default, to
enable SFTP logging, this could be used in theory:

Subsystem sftp internal-sftp -l VERBOSE
ForceCommand internal-sftp
ChrootDirectory /chroot

That doesn't log anything either; the SFTP connection works but no
logging is performed. Just for your information, the jailed /dev/log
requirement is met.

Let's try this one:

Subsystem sftp internal-sftp -l VERBOSE
ForceCommand internal-sftp -l VERBOSE
ChrootDirectory /chroot

With these settings, the connection is closed immediately by sshd.

Just to illustrate my point, let's run a debug SFTP session with
ForceCommand commented out:

Subsystem sftp internal-sftp -l VERBOSE
#ForceCommand internal-sftp -l VERBOSE
ChrootDirectory /chroot

This time SFTP works, logs detailed information as expected in the
chrooted /dev/log, and gives me this:

debug1: subsystem: exec() internal-sftp -l VERBOSE
debug1: audit run command euid 0 user ftpitst command 'internal-sftp -l VERBOSE'

So far so good. But if I put back ForceCommand in place, it closes the
connection immediately and gives me this:

debug1: subsystem: exec() internal-sftp -l VERBOSE
debug1: Forced command (config) 'internal-sftp -l VERBOSE'
debug1: audit run command euid 0 user ftpitst command 'internal-sftp -l VERBOSE'

I'll be glad to provide more information if necessary.

Thanks

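Added example, not part of the original report and not OpenSSH code: a small sshd_config audit that works out which SFTP command line actually runs once ForceCommand is set (the debug output above shows the forced command being the one executed) and whether that command carries a -l log level. The function names and the sample text are constructed for illustration; Match blocks are reported as separate scopes but their criteria are not evaluated.

```python
import shlex

def parse_sshd_config(text):
    """Return (sftp subsystem command, {scope: ForceCommand}) from config text."""
    subsystem, forced, scope = None, {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            scope = "Match " + arg            # later directives belong to this block
        elif key == "subsystem":
            sub = arg.split(None, 1)
            if len(sub) == 2 and sub[0] == "sftp" and subsystem is None:
                subsystem = sub[1]
        elif key == "forcecommand":
            forced.setdefault(scope, arg)     # sshd keeps the first value it reads
    return subsystem, forced

def log_level(cmd):
    """Value following -l in the command line, or None when -l is absent."""
    args = shlex.split(cmd or "")
    return next((args[i + 1] for i, a in enumerate(args[:-1]) if a == "-l"), None)

def audit(text):
    """Per scope: (command that runs, its -l level, Subsystem -l shadowed?)."""
    subsystem, forced = parse_sshd_config(text)
    report = {}
    for scope, cmd in (forced or {"global": None}).items():
        effective = cmd if cmd else subsystem
        level = log_level(effective)
        shadowed = bool(cmd) and level is None and log_level(subsystem) is not None
        report[scope] = (effective, level, shadowed)
    return report

# Constructed sample: the second layout from the report above.
SAMPLE = """\
Subsystem sftp internal-sftp -l VERBOSE
ForceCommand internal-sftp
ChrootDirectory /chroot
"""

if __name__ == "__main__":
    for scope, (cmd, level, shadowed) in audit(SAMPLE).items():
        print(scope, "| runs:", cmd, "| -l:", level, "| Subsystem -l shadowed:", shadowed)
```

A `shadowed` value of True marks the layout the reporter found silent: the Subsystem line asks for logging, but the forced command that runs has no -l.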