Blacklisting/whitelisting sftp-server commands
Jochen Bern
Jochen.Bern at binect.de
Sat Sep 4 00:33:36 AEST 2021
On 03.09.21 01:05, Travis Hayes wrote:
> I am concerned about the
> following note in the man page: 'For file transfer sessions using "sftp",
> no additional configuration of the environment is necessary if the
> in-process sftp server is used, though sessions which use logging do
> require /dev/log inside the chroot directory'
>
> As I haven't created a /dev/log socket in the directory, I am concerned
> that there is logging information I will wish I had.
Note that providing a large number of chroots with /dev/log scales very
poorly, because you'll need to configure your syslogd(-variant) to
access and read every single one of them.
On our SFTP server - which happens to be CentOS 7 as well -, I provide
stub /etc/passwd and /etc/group (just so that directory listings will
not show bare UIDs/GIDs), an empty /dev , a /README text file for a
welcome(*), a writable subdir for the uploads, and told the sshd to
(among other things):
SyslogFacility AUTHPRIV
Subsystem sftp internal-sftp
Match group mandanten
ForceCommand internal-sftp -l INFO -u 0077
Banner /home/chroot/README
AuthorizedKeysCommand [...] (**)
AuthorizedKeysCommandUser [...]
- and nonetheless get to see all the open's and close's recorded in
/var/log/secure .
(*) Individual /READMEs get refreshed in regular intervals, by
appending the respective user's current disk quota status to the
global /home/chroot/README . I make a point of having a Banner
right from square one so that automated clients will not enter
production unless they've been taught to deal with the extra
noise.
(**) Using the AuthorizedKeysCommand system allows me to keep the
management of pubkeys a) in our hands and b) out of the chroots.
Both are our policy choices; YMMV.
Regards,
--
Jochen Bern
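Since the internal-sftp records land in /var/log/secure via the sshd process itself (no /dev/log in any chroot needed), they can be reviewed centrally. The following is an added example, not code from the mail or from OpenSSH: it correlates per-PID session records with the open/close records that "-l INFO" produces, summarizes bytes transferred per user and file, and flags any write outside the upload subdir. The log lines are constructed samples in the shape sftp-server logs; the host, user and client names are made up.

```python
import re

# Constructed sample records (not from the original mail), as written by
# internal-sftp to SyslogFacility AUTHPRIV, i.e. /var/log/secure on CentOS 7.
SAMPLE_LOG = """\
Sep  3 09:12:01 sftp1 internal-sftp[4711]: session opened for local user kunde1 from [192.0.2.10]
Sep  3 09:12:02 sftp1 internal-sftp[4711]: open "/upload/invoice.pdf" flags WRITE,CREATE,TRUNCATE mode 0600
Sep  3 09:12:03 sftp1 internal-sftp[4711]: close "/upload/invoice.pdf" bytes read 0 written 48213
Sep  3 09:12:04 sftp1 internal-sftp[4711]: open "/README" flags READ mode 0666
Sep  3 09:12:04 sftp1 internal-sftp[4711]: close "/README" bytes read 812 written 0
Sep  3 09:12:05 sftp1 internal-sftp[4711]: session closed for local user kunde1 from [192.0.2.10]
Sep  3 09:20:44 sftp1 internal-sftp[4802]: session opened for local user kunde2 from [198.51.100.7]
Sep  3 09:20:45 sftp1 internal-sftp[4802]: open "/README" flags WRITE,CREATE,TRUNCATE mode 0600
"""

# Assumed record layout: syslog timestamp, host, ident[pid], then the message
# formats sftp-server.c uses for session and file open/close events.
SYSLOG_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+internal-sftp\[(\d+)\]: (.*)$")
SESSION_RE = re.compile(r"^session opened for local user (\S+) from \[([^\]]+)\]$")
OPEN_RE = re.compile(r'^open "([^"]+)" flags (\S+) mode (\d+)$')
CLOSE_RE = re.compile(r'^close "([^"]+)" bytes read (\d+) written (\d+)$')


def summarize(log_text, upload_dir="/upload/"):
    """Return (transfers, flagged).

    transfers: (user, path, bytes_written, bytes_read) per closed file.
    flagged:   (user, path) for every open with a WRITE flag whose path
               is not under the writable upload subdir of the chroot.
    """
    sessions = {}            # pid -> (user, client address)
    transfers, flagged = [], []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue         # not an internal-sftp record
        pid, msg = m.groups()
        if (s := SESSION_RE.match(msg)):
            sessions[pid] = (s.group(1), s.group(2))
            continue
        user = sessions.get(pid, ("<unknown>", "?"))[0]
        if (o := OPEN_RE.match(msg)):
            path, flags = o.group(1), o.group(2).split(",")
            if "WRITE" in flags and not path.startswith(upload_dir):
                flagged.append((user, path))
        elif (c := CLOSE_RE.match(msg)):
            transfers.append((user, c.group(1), int(c.group(3)), int(c.group(2))))
    return transfers, flagged
```

A failed open (here, the README is not writable) leaves an "open" record with no matching "close", which is exactly why the write attempt is flagged from the open record rather than from the close.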