Howto log multiple sftpd instances with their chroot shared via NFS
Jochen Bern
Jochen.Bern at binect.de
Wed Sep 22 21:06:43 AEST 2021
On 22.09.21 11:18, David Newall wrote:
> On Tue, 21 Sep 2021, Hildegard Meier wrote:
>> So, if a user logs in on the first server, where syslog-ng was started
>> last, the user's sftp activity is logged on the first server.
>> But if the user logs in on the second server, its sftp activity is
>> not logged, neither on the second nor on the first server.
>
> Forward the log entries on both machines to a log host.
Considering that server B is not logging *at all* right now, I doubt
that it'll have anything to forward to a log host, either.
The problem *presumably* is that the syslogd on server A has put some
sort of file lock on the device that propagates through the NFS server
and interferes with syslogd on server B using it.
One solution might be to reconfigure the syslogds to use a method of
locking that does *not* propagate through NFS. I'm afraid I don't know
syslog-ng well enough to advise on that.
Then there's the possibility of reconfiguring *NFS* to stop the
forwarding, but "breaking" file locking on NFS is, of course, a can of
worms of possible side effects ...
(Bind) mounting a local .../dev over the NFS-shared chroot dirtree ...
ought to work, but complicates unmounting/remounting, which was already
enough of a hair-puller in failure scenarios when I last worked with NFS.
What do the chrooted users have for a homedir *within* the chroot? Would
it be possible to have /var/data/chroot be a local FS and mount only
/var/data/chroot/home from the NFS server? (If there are files that you
need to keep identical on both servers, e.g., under
/var/data/chroot/etc, you can still symlink those to some special subdir
like /var/data/chroot/home/ETC to put the actual data onto the NFS share.)
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
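As an added illustration of the last suggestion in the reply (not code from the thread, from OpenSSH or from syslog-ng): the script below builds the split layout, a local chroot root carrying dev/ and etc/ with only home/ coming from the NFS export, keeps the files that must match on both servers under home/ETC on the share and symlinks them from etc/, and checks that the directory holding the syslog socket really is on a local filesystem. It assumes Linux with GNU or BusyBox `stat`/`readlink`; the chroot path, the `sftponly` group and the file names are placeholders, and the home/ directory is only created here so the script runs offline (in production, mount the NFS export there first). The locking interaction between the two syslog-ng instances is not tested by it.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH/syslog-ng.
# Lays out a chroot whose root (dev/, etc/) is on a LOCAL filesystem and
# whose home/ is the NFS mount point; shared files live under home/ETC on
# the share and etc/ only carries symlinks to them. Also checks that the
# syslog socket directory is not on NFS. Assumptions: Linux, GNU/BusyBox
# stat and readlink; all paths, the group name and file names are placeholders.
set -eu

# Build the layout under $1 (the chroot root, on a local FS).
# In production, mount the NFS export on "$1/home" before calling this;
# here the directory is just created so the script runs offline.
setup_split_chroot() {
    root=$1
    mkdir -p "$root/dev" "$root/etc" "$root/home/ETC"
    # Files that must be identical on both servers sit on the share;
    # relative link targets resolve both inside and outside the chroot.
    for f in passwd group; do
        [ -e "$root/home/ETC/$f" ] || : > "$root/home/ETC/$f"
        ln -sfn "../home/ETC/$f" "$root/etc/$f"
    done
}

# Filesystem type backing a path, e.g. ext4, tmpfs, nfs.
fs_type() {
    stat -f -c %T "$1"
}

# Succeeds when the path is NOT on NFS. Run it against "$root/dev" on
# each server: if it fails, the /dev/log socket would be created on the
# share, which is the situation the thread is trying to get away from.
path_is_local() {
    case "$(fs_type "$1")" in
        nfs*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Canonical location of a symlinked etc/ entry (should land under home/ETC).
etc_entry_target() {
    readlink -f "$1/etc/$2"
}

# Config fragments that belong to this layout (placeholder path/group).
print_config_fragments() {
    root=$1
    cat <<EOF
# sshd_config
Subsystem sftp internal-sftp -l INFO
Match Group sftponly
    ChrootDirectory $root
    ForceCommand internal-sftp -l INFO

# syslog-ng.conf: listen on the socket inside the chroot's LOCAL dev/
source s_chroot_sftp { unix-dgram("$root/dev/log"); };
EOF
}
```

Run `setup_split_chroot /var/data/chroot` once per server after mounting the export on /var/data/chroot/home, then `path_is_local /var/data/chroot/dev` on both boxes before restarting syslog-ng; a non-zero exit means the socket directory is still being served from NFS.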