Blacklisting/whitelisting sftp-server commands

Jochen Bern Jochen.Bern at binect.de
Sat Sep 4 00:33:36 AEST 2021


On 03.09.21 01:05, Travis Hayes wrote:
> I am concerned about the
> following note in the man page: 'For file transfer sessions using ''sftp'',
> no additional configuration of the environment is necessary if the
> in-process sftp server is used, though sessions which use logging do
> require /dev/log inside the chroot directory'
> 
> As I haven't created a /dev/log socket in the directory, I am concerned
> that there is logging information I will wish I had.

Note that providing a large number of chroots with /dev/log scales very
poorly, because you'll need to configure your syslogd(-variant) to
access and read every single one of them.

On our SFTP server (which happens to be CentOS 7 as well), I provide
stub /etc/passwd and /etc/group (just so that directory listings will
not show bare UIDs/GIDs), an empty /dev, a /README text file for a
welcome(*), a writable subdir for the uploads, and told the sshd to
(among other things):

SyslogFacility AUTHPRIV
Subsystem sftp internal-sftp
Match group mandanten
        ForceCommand internal-sftp -l INFO -u 0077
        Banner /home/chroot/README
        AuthorizedKeysCommand [...] (**)
        AuthorizedKeysCommandUser [...]

- and nonetheless get to see all the opens and closes recorded in
/var/log/secure.

(*)  Individual /READMEs get refreshed at regular intervals, by
     appending the respective user's current disk quota status to the
     global /home/chroot/README. I make a point of having a Banner
     right from square one so that automated clients will not enter
     production unless they've been taught to deal with the extra
     noise.
(**) Using the AuthorizedKeysCommand system allows me to keep the
     management of pubkeys a) in our hands and b) out of the chroots.
     Both are our policy choices; YMMV.

Regards,
-- 
Jochen Bern
Systems Engineer

T  +49 6151 9067-231
F  +49 6151 9067-290
E  jochen.bern at binect.de
W  www.binect.de


Binect GmbH
Robert-Koch-Str. 9
64331 Weiterstadt

Geschäftspost.Einfach.Digital.
We are certified to ISO/IEC 27001:2013 and 9001:2015.
BMWi promotes digital solutions for SMEs.

Managing directors: Dr. Frank Wermeyer, Michael Imiolczyk
Registered office: Weiterstadt
Commercial register: Amtsgericht Darmstadt, HRB 94685
VAT ID: DE 221 302 264
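As an added example (not from this thread or from OpenSSH), a small parser for the open/close records that `internal-sftp -l INFO` sends to syslog, grouped into a per-session summary of what each chrooted user wrote, read or removed. The sample lines are constructed; their layout follows the messages sftp-server logs and the default syslog line format, so check the regexes against your own /var/log/secure before relying on them.

```python
import re
from collections import defaultdict

# Constructed sample lines, not real log data: the message shapes follow
# what OpenSSH's sftp-server emits at "-l INFO", while hostname, user,
# client address and paths are invented for this example.
SAMPLE_LOG = """\
Sep  3 14:02:11 sftp1 internal-sftp[4242]: session opened for local user acme from [192.0.2.10]
Sep  3 14:02:12 sftp1 internal-sftp[4242]: open "/upload/report.csv" flags WRITE,CREATE,TRUNCATE mode 0600
Sep  3 14:02:13 sftp1 internal-sftp[4242]: close "/upload/report.csv" bytes read 0 written 8192
Sep  3 14:02:14 sftp1 internal-sftp[4242]: open "/README" flags READ mode 0666
Sep  3 14:02:14 sftp1 internal-sftp[4242]: close "/README" bytes read 512 written 0
Sep  3 14:02:15 sftp1 internal-sftp[4242]: remove name "/upload/old.csv"
Sep  3 14:02:16 sftp1 internal-sftp[4242]: session closed for local user acme from [192.0.2.10]
"""

# The PID in the syslog tag is the sftp-server process; it is what ties one session's lines together.
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ internal-sftp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION = re.compile(r"^session (opened|closed) for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]$")
OPEN = re.compile(r'^open "(?P<path>[^"]+)" flags (?P<flags>\S+) mode 0[0-7]*$')
CLOSE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<rd>\d+) written (?P<wr>\d+)$')
REMOVE = re.compile(r'^remove name "(?P<path>[^"]+)"$')


def summarize(log_text):
    """Return {pid: session} where each session records the user, the client
    address, bytes written/read per path, removed paths and opens that were
    never closed. Paths are relative to the user's chroot, not the host."""
    new = lambda: {"user": None, "addr": None, "written": {}, "read": {},
                   "removed": [], "unclosed": {}}
    sessions = defaultdict(new)
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # line from another program, or a format we don't know
        s, msg = sessions[m["pid"]], m["msg"]
        if (sm := SESSION.match(msg)):
            s["user"], s["addr"] = sm["user"], sm["addr"]
        elif (om := OPEN.match(msg)):
            # byte counts are only logged at close; remember how the file was opened
            s["unclosed"][om["path"]] = om["flags"].split(",")
        elif (cm := CLOSE.match(msg)):
            flags = s["unclosed"].pop(cm["path"], [])
            if "WRITE" in flags:
                s["written"][cm["path"]] = int(cm["wr"])
            else:
                s["read"][cm["path"]] = int(cm["rd"])
        elif (rm := REMOVE.match(msg)):
            s["removed"].append(rm["path"])
    return dict(sessions)
```

Because the logged paths are chroot-relative, the user recorded from the "session opened" line is what maps a path back to a real directory on the host.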
