Aw: Re: Howto log multiple sftpd instances with their chroot shared via NFS

Jochen Bern Jochen.Bern at binect.de
Wed Sep 29 20:46:40 AEST 2021


On 29.09.21 11:18, Hildegard Meier wrote:
> Jochen, are you sure that you see the real sftp user session detailed activity log, e.g.
> 
> internal-sftp[27918]: session opened for local user <username> from [1.2.3.4]
> internal-sftp[27918]: open "/in/file.dat" flags WRITE,CREATE,TRUNCATE mode 0666
> 
> etc. and not just the sshd auth log, e.g.
> 
> sftpd[4772]: Accepted publickey for <username> from 1.2.3.4 port 45504 ssh2

Considering that I'm the one who gets to debug both customers' 
connectivity *and* concurrent-file-operations problems, I'm *quite* sure 
of that. :-)

> sshd[27049]: Accepted publickey for [REDACTED] from [REDACTED] port 54343 ssh2: RSA SHA256:[REDACTED]
> sshd[27049]: pam_unix(sshd:session): session opened for user [REDACTED] by (uid=0)
> sshd[27049]: session opened for local user [REDACTED] from [REDACTED] [postauth]
> sshd[27049]: sent status No such file [postauth]
> sshd[27049]: sent status No such file [postauth]
> sshd[27049]: open "[REDACTED]" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
> sshd[27049]: close "[REDACTED]" bytes read 0 written 5870358 [postauth]
> sshd[27049]: session closed for local user [REDACTED] from [REDACTED] [postauth]
> sshd[27049]: pam_unix(sshd:session): session closed for user [REDACTED]

- all from today's /var/log/messages .

> I wonder if it would be a bug or a feature if you can manage to get sftp
> session logging without /dev/log in the sftp user's chroot dir?

I'm in the dark whether that behavior is *intended* (and if so, by whom 
exactly), hence my reluctance to openly recommend my setup to others ...

> What CentOS and OpenSSH version do you have exactly?

Current CentOS 7 with its genuine OpenSSH package 
(openssh-7.4p1-21.el7.x86_64).

> Do you have special starting options?

Various hardened settings, but the only ones I'd *expect* to affect 
*logging* in *any* way would be:

> SyslogFacility AUTHPRIV
> UsePAM yes	# That's why there's messages from PAM in the log above
> UsePrivilegeSeparation sandbox
> Subsystem	sftp	internal-sftp
> Match group mandanten
>         PermitTTY no
>         ForceCommand internal-sftp -l INFO -u 0077


>> If a newly-started syslogd on server A does
>> indeed REMOVE AND RECREATE the /dev/log sockets,
> 
> If /dev dir under sftp user's chroot dir exists but there is no "log" file in it, it gets created by syslog-ng.
> It is never removed afterwards.

If a .../dev/log is created within the .../dev/ directory *on the NFS 
share*, and never removed, that means that all the .../dev/log's there 
were created *ONCE* by whichever syslogd got restarted *first* after 
the user was created, correct? But still only the syslogd restarted 
*last*, no matter whether on the same server or the other, gets that 
user's log messages? I'm getting a murder mystery vibe here ...

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
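An added example, not part of this thread or of the OpenSSH or syslog-ng code: a small Python script that summarises internal-sftp session log lines of the shape quoted above (one summary per sshd PID: user, source address, files opened and bytes written, status messages, whether the session was closed), and a check that a chroot's dev/log is a real Unix socket rather than a stray regular file, since the latter leaves the sftp server's syslog() calls with no listener. The sample log lines, the user/address/key/path values, and the demo_chroot helper are constructed for the example.

```python
import os
import re
import shutil
import socket
import stat
import tempfile
from collections import defaultdict

# Constructed sample lines in the shape of the sshd/internal-sftp output quoted
# in the thread; user, address, key fingerprint and path are made up.
SAMPLE_LOG = [
    "sshd[27049]: Accepted publickey for alice from 192.0.2.10 port 54343 ssh2: RSA SHA256:EXAMPLEKEY",
    "sshd[27049]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "sshd[27049]: session opened for local user alice from [192.0.2.10] [postauth]",
    "sshd[27049]: sent status No such file [postauth]",
    'sshd[27049]: open "/in/report.dat" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]',
    'sshd[27049]: close "/in/report.dat" bytes read 0 written 5870358 [postauth]',
    "sshd[27049]: session closed for local user alice from [192.0.2.10] [postauth]",
    "sshd[27049]: pam_unix(sshd:session): session closed for user alice",
]

LINE_RE = re.compile(r"^(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OPENED_RE = re.compile(r"^session opened for local user (?P<user>\S+) from \[(?P<src>[^\]]+)\]")
CLOSED_RE = re.compile(r"^session closed for local user ")
OPEN_RE = re.compile(r'^open "(?P<path>[^"]*)" flags (?P<flags>\S+) mode (?P<mode>\d+)')
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]*)" bytes read (?P<read>\d+) written (?P<written>\d+)')
STATUS_RE = re.compile(r"^sent status (?P<status>.*?)(?: \[postauth\])?$")


def new_session():
    return {"user": None, "source": None, "files": {}, "statuses": [], "closed": False}


def summarize_sftp_sessions(lines):
    """Group internal-sftp lines by sshd PID and return one summary per session.

    Only the [postauth] lines emitted by internal-sftp are interpreted; the
    preceding authentication and PAM lines belong to sshd/PAM and are skipped."""
    sessions = defaultdict(new_session)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        opened = OPENED_RE.match(msg)
        if opened:
            s = sessions[pid]
            s["user"], s["source"] = opened.group("user"), opened.group("src")
            continue
        if pid not in sessions:
            continue  # lines logged before the sftp session itself started
        s = sessions[pid]
        mo, mc, ms = OPEN_RE.match(msg), CLOSE_RE.match(msg), STATUS_RE.match(msg)
        if mo:
            s["files"][mo.group("path")] = {"flags": mo.group("flags").split(","),
                                            "mode": mo.group("mode"), "read": 0, "written": 0}
        elif mc:
            f = s["files"].setdefault(mc.group("path"),
                                      {"flags": [], "mode": None, "read": 0, "written": 0})
            f["read"], f["written"] = int(mc.group("read")), int(mc.group("written"))
        elif ms:
            s["statuses"].append(ms.group("status"))
        elif CLOSED_RE.match(msg):
            s["closed"] = True
    return dict(sessions)


def chroot_has_syslog_socket(chroot_dir):
    """True only if <chroot>/dev/log exists and is a Unix-domain socket.

    A regular file or directory at that path is not enough: the sftp server's
    syslog() calls would have no listener and its session log would be lost."""
    path = os.path.join(chroot_dir, "dev", "log")
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISSOCK(st.st_mode)


def demo_chroot(with_socket):
    """Constructed for the demo: build a throw-away chroot skeleton in a temp
    dir, place either a bound socket (what a syslog daemon leaves behind) or a
    plain file at dev/log, run the check, and clean up."""
    base = tempfile.mkdtemp(prefix="sftp-chroot-")
    try:
        os.makedirs(os.path.join(base, "dev"))
        target = os.path.join(base, "dev", "log")
        if with_socket:
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
            sock.bind(target)  # creates the socket node, as a syslogd would
            sock.close()
        else:
            open(target, "w").close()  # a stray regular file: the check must reject it
        return chroot_has_syslog_socket(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for pid, s in summarize_sftp_sessions(SAMPLE_LOG).items():
        print(pid, s["user"], s["source"], s["files"], s["statuses"], "closed" if s["closed"] else "open")
    print("socket at dev/log:", demo_chroot(True), "| plain file at dev/log:", demo_chroot(False))
```

Feed the script real lines from /var/log/messages (or the AUTHPRIV destination) and a session with files opened but no matching close, or a chroot whose dev/log fails the socket check, is the kind of thing worth alerting on in the shared-NFS setup discussed in the thread.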