openssh-5.0p1: sftp transfer logging doesn't appear to work with chroot environment

john lists.john at gmail.com
Sun May 4 04:59:43 EST 2008


On Fri, May 2, 2008 at 2:40 PM, Damien Miller <djm at mindrot.org> wrote:
> On Thu, 1 May 2008, john wrote:
>
>  > Hi all,
>  >
>  > I am running Debian Etch. I've compiled openssh-5.0p1 with pam
>  > support. I'd like to use a chrooted sftp environment for my users and
>  > also log their sftp file transfers. Currently file transfer logging
>  > stops working when I implement a jail.  Logging from within the chroot
>  > seems like a useful feature. I hope it makes it in sooner rather than
>  > later.
>
>  Have you tried creating a /dev directory in the chroot and arranging
>  for syslogd to listen on /dev/log there?
>
>  -d
>

No that doesn't seem to work for me.

I think that the problem is that when there is no chroot the
internal-sftp server handles logging, but when I define the chroot the
logging and transaction duties are handed back to sshd.


Without chroot:

May  2 16:10:27 slocker internal-sftp[8430]: stat name "/home/flyboy2"
May  2 16:10:35 slocker internal-sftp[8430]: open "/home/flyboy2/z.ico" flags WRITE,CREATE,TRUNCATE mode 0700
May  2 16:10:35 slocker internal-sftp[8430]: close "/home/flyboy2/z.ico" bytes read 0 written 7110


with chroot:

May  2 16:19:20 slocker sshd[8751]: Accepted keyboard-interactive/pam for flyboy2 from 10.1.3.233 port 58861 ssh2
May  2 16:19:20 slocker sshd[8751]: (pam_unix) session opened for user flyboy2 by (uid=0)
May  2 16:19:20 slocker sshd[8754]: Changed root directory to "/home"
May  2 16:19:42 slocker sshd[8751]: (pam_unix) session closed for user flyboy2


sshd doesn't log the sftp transactions happening inside the chroot directory.

I tried to force logging using a Subsystem declaration inside a Match
option but that's illegal apparently.

It would be really useful to both jail and log users. For instance we
have placed our students into jails by graduation year and controlled
access using "Match Group". That works very well. It just breaks
logging, which is a must-have for this scenario.

Thanks for your replies.

John
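The setup Damien suggests above (a syslog socket inside the jail, with the jail selected by a Match Group block) as an added example; this is not code from the thread or from OpenSSH itself. The jail path /home/jail, the group name sftponly, and the syslog flavours shown (sysklogd as shipped with Debian Etch, and rsyslog) are assumptions; which flags internal-sftp accepts on the Subsystem line depends on the sshd_config(5) of the release in use.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenSSH.
# Hypothetical values: jail root /home/jail, group sftponly.

# sshd_config fragment for a logged sftp jail. ChrootDirectory and
# ForceCommand are accepted inside a Match block; Subsystem is not (as the
# poster found), so the logging flag lives on the global Subsystem line.
sshd_match_block() {
    group="$1"
    jail="$2"
    printf 'Subsystem sftp internal-sftp -l INFO\n'
    printf 'Match Group %s\n' "$group"
    printf '    ChrootDirectory %s\n' "$jail"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
}

# Syslog daemon setting that opens a second listening socket inside the
# jail, so that openlog() from within the chroot finds /dev/log.
# sysklogd takes -a on the command line (/etc/default/syslogd on Debian);
# rsyslog uses the $AddUnixListenSocket directive.
syslog_socket_config() {
    jail="$1"
    case "$2" in
        sysklogd) printf 'SYSLOGD="-a %s/dev/log"\n' "$jail" ;;
        rsyslog)  printf '$AddUnixListenSocket %s/dev/log\n' "$jail" ;;
        *) echo "unknown syslog flavour: $2" >&2; return 1 ;;
    esac
}

# sshd refuses a ChrootDirectory that is not root-owned or that is
# group/world writable. Uses GNU stat.
jail_perms_ok() {
    jail="$1"
    [ -d "$jail" ] || { echo "$jail: not a directory" >&2; return 1; }
    owner=$(stat -c %u "$jail")
    mode=$(stat -c %a "$jail")
    if [ "$owner" != 0 ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$jail: must be root-owned and not group/world writable" >&2
        return 1
    fi
    return 0
}

# The symptom in the thread: without a socket at $jail/dev/log, internal-sftp
# has nowhere to send its transfer log once it is chrooted. A plain file
# at that path is not good enough; it has to be a socket (-S).
jail_has_log_socket() {
    jail="$1"
    if [ ! -S "$jail/dev/log" ]; then
        echo "$jail/dev/log: no syslog socket; internal-sftp will not log" >&2
        return 2
    fi
    return 0
}

# Preflight: run before enabling the Match block.
check_jail() {
    jail_perms_ok "$1" && jail_has_log_socket "$1"
}

# Usage (prints the fragments; exit status reflects the preflight):
#   sshd_match_block sftponly /home/jail
#   syslog_socket_config /home/jail sysklogd
#   check_jail /home/jail
```

After restarting syslogd with the extra socket, `ls -l /home/jail/dev/log` should show an `s` in the first column; only then does the internal-sftp open/close logging from the poster's first transcript reappear for jailed users.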

