Aw: Re: Howto log multiple sftpd instances with their chroot shared via NFS
Jochen Bern
Jochen.Bern at binect.de
Wed Sep 29 20:46:40 AEST 2021
On 29.09.21 11:18, Hildegard Meier wrote:
> Jochen, are you sure that you see the real sftp user session detailed activity log, e.g.
>
> internal-sftp[27918]: session opened for local user <username> from [1.2.3.4]
> internal-sftp[27918]: open "/in/file.dat" flags WRITE,CREATE,TRUNCATE mode 0666
>
> etc. and not just the sshd auth log, e.g.
>
> sftpd[4772]: Accepted publickey for <username> from 1.2.3.4 port 45504 ssh2
Considering that I'm the one who gets to debug both customers'
connectivity *and* concurrent-file-operations problems, I'm *quite* sure
of that. :-)
> sshd[27049]: Accepted publickey for [REDACTED] from [REDACTED] port 54343 ssh2: RSA SHA256:[REDACTED]
> sshd[27049]: pam_unix(sshd:session): session opened for user [REDACTED] by (uid=0)
> sshd[27049]: session opened for local user [REDACTED] from [REDACTED] [postauth]
> sshd[27049]: sent status No such file [postauth]
> sshd[27049]: sent status No such file [postauth]
> sshd[27049]: open "[REDACTED]" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
> sshd[27049]: close "[REDACTED]" bytes read 0 written 5870358 [postauth]
> sshd[27049]: session closed for local user [REDACTED] from [REDACTED] [postauth]
> sshd[27049]: pam_unix(sshd:session): session closed for user [REDACTED]
- all from today's /var/log/messages.
> I wonder if it would be a bug or a feature if you can manage to get sftp
> session logging without /dev/log in the sftp user's chroot dir?
I'm in the dark whether that behavior is *intended* (and if so, by whom
exactly), hence my reluctance to openly recommend my setup to others ...
> What CentOS and OpenSSH version do you have exactly?
Current CentOS 7 with its genuine OpenSSH package
(openssh-7.4p1-21.el7.x86_64).
> Do you have special starting options?
Various hardened settings, but the only ones I'd *expect* to affect
*logging* in *any* way would be:
> SyslogFacility AUTHPRIV
> UsePAM yes # That's why there's messages from PAM in the log above
> UsePrivilegeSeparation sandbox
> Subsystem sftp internal-sftp
> Match group mandanten
> PermitTTY no
> ForceCommand internal-sftp -l INFO -u 0077
>> If a newly-started syslogd on server A does
>> indeed REMOVE AND RECREATE the /dev/log sockets,
>
> If /dev dir under sftp user's chroot dir exists but there is no "log" file in it, it gets created by syslog-ng.
> It is never removed afterwards.
If a .../dev/log is created within the .../dev/ directory *on the NFS
share*, and never removed, that means that all the .../dev/log's there
were created *ONCE* by whichever syslogd got restarted *first* after
the user was created, correct? But still only the syslogd restarted
*last*, no matter whether on the same server or the other, gets that
user's log messages? I'm getting a murder mystery vibe here ...
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
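A small parser for the session-detail lines quoted in this message, as an added example (not code from the post or from OpenSSH). It accepts both the "internal-sftp[PID]:" / "sftpd[PID]:" shape and the "sshd[PID]: ... [postauth]" shape shown above, reconstructs which files each session wrote and how many bytes, and flags sessions that left only sshd's auth lines and no sftp detail at all, which is the gap Hildegard asked about. The log lines, user names, addresses and PIDs inside it are constructed.

```python
"""Reconstruct chrooted internal-sftp sessions from syslog lines.

Added example, not code from the mailing-list post or from OpenSSH. It parses
the message shapes quoted in the thread: "internal-sftp[PID]:" / "sftpd[PID]:"
lines and "sshd[PID]:" lines carrying a trailing "[postauth]" marker.
All log lines, user names, addresses and PIDs below are constructed.
"""
import re
from collections import OrderedDict

# "tag[pid]: message"; whatever precedes the tag (timestamp, host) is ignored.
LINE_RE = re.compile(
    r'(?P<tag>sshd|sftpd|internal-sftp)\[(?P<pid>\d+)\]: (?P<msg>.*?)(?: \[postauth\])?$')
AUTH_RE = re.compile(r'^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<addr>\S+) port \d+')
SESS_OPEN_RE = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]')
SESS_CLOSE_RE = re.compile(r'^session closed for local user ')
FILE_OPEN_RE = re.compile(r'^open "(?P<path>[^"]*)" flags (?P<flags>\S+) mode (?P<mode>[0-7]+)')
FILE_CLOSE_RE = re.compile(r'^close "(?P<path>[^"]*)" bytes read (?P<read>\d+) written (?P<written>\d+)')
STATUS_RE = re.compile(r'^sent status (?P<status>.+)$')

# Constructed sample: one sshd-tagged session (27049), one internal-sftp-tagged
# session (27918), and one session (30001) that only shows up in the auth log.
SAMPLE_LOG = """\
Sep 29 10:05:01 srvA sshd[27049]: Accepted publickey for alice from 198.51.100.7 port 54343 ssh2: RSA SHA256:c0nstructed
Sep 29 10:05:01 srvA sshd[27049]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Sep 29 10:05:01 srvA sshd[27049]: session opened for local user alice from [198.51.100.7] [postauth]
Sep 29 10:05:02 srvA sshd[27049]: sent status No such file [postauth]
Sep 29 10:05:02 srvA sshd[27049]: sent status No such file [postauth]
Sep 29 10:05:02 srvA sshd[27049]: open "/in/file.dat" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
Sep 29 10:05:09 srvA sshd[27049]: close "/in/file.dat" bytes read 0 written 5870358 [postauth]
Sep 29 10:05:09 srvA sshd[27049]: session closed for local user alice from [198.51.100.7] [postauth]
Sep 29 10:05:09 srvA sshd[27049]: pam_unix(sshd:session): session closed for user alice
Sep 29 10:06:10 srvB internal-sftp[27918]: session opened for local user bob from [203.0.113.9]
Sep 29 10:06:11 srvB internal-sftp[27918]: open "/in/other.dat" flags WRITE,CREATE,TRUNCATE mode 0666
Sep 29 10:06:12 srvB internal-sftp[27918]: close "/in/other.dat" bytes read 0 written 1024
Sep 29 10:06:12 srvB internal-sftp[27918]: session closed for local user bob from [203.0.113.9]
Sep 29 10:07:00 srvB sshd[30001]: Accepted publickey for carol from 192.0.2.5 port 40001 ssh2: RSA SHA256:c0nstructed
Sep 29 10:07:00 srvB sshd[30001]: pam_unix(sshd:session): session opened for user carol by (uid=0)
Sep 29 10:07:30 srvB sshd[30001]: pam_unix(sshd:session): session closed for user carol
"""


def _new_session(pid):
    return {'pid': pid, 'user': None, 'addr': None, 'auth': None,
            'sftp_opened': False, 'sftp_closed': False, 'files': [], 'status_errors': []}


def parse_sftp_log(lines):
    """Group sshd/sftp lines by PID; returns an ordered dict pid -> session record."""
    sessions = OrderedDict()
    for line in lines:
        m = LINE_RE.search(line.rstrip('\n'))
        if not m:
            continue  # some other daemon's line
        pid, msg = int(m.group('pid')), m.group('msg')
        s = sessions.setdefault(pid, _new_session(pid))
        if (a := AUTH_RE.match(msg)):
            s['auth'], s['user'], s['addr'] = a.group('method'), a.group('user'), a.group('addr')
        elif (o := SESS_OPEN_RE.match(msg)):
            s['sftp_opened'], s['user'], s['addr'] = True, o.group('user'), o.group('addr')
        elif SESS_CLOSE_RE.match(msg):
            s['sftp_closed'] = True
        elif (f := FILE_OPEN_RE.match(msg)):
            s['files'].append({'path': f.group('path'), 'flags': f.group('flags').split(','),
                               'mode': f.group('mode'), 'read': None, 'written': None})
        elif (c := FILE_CLOSE_RE.match(msg)):
            # attach the byte counts to the latest still-unclosed record for that path
            for rec in reversed(s['files']):
                if rec['path'] == c.group('path') and rec['written'] is None:
                    rec['read'], rec['written'] = int(c.group('read')), int(c.group('written'))
                    break
        elif (st := STATUS_RE.match(msg)):
            s['status_errors'].append(st.group('status'))
        # pam_unix(...) lines carry no sftp detail and are deliberately ignored
    return sessions


def sessions_without_sftp_log(sessions):
    """PIDs that authenticated but never logged 'session opened for local user':
    only sshd's auth log exists, the chrooted sftp server's own lines are missing."""
    return [pid for pid, s in sessions.items() if s['auth'] and not s['sftp_opened']]


def written_files(sessions):
    """(pid, user, path, bytes_written) for every file opened with the WRITE flag."""
    return [(pid, s['user'], rec['path'], rec['written'])
            for pid, s in sessions.items()
            for rec in s['files'] if 'WRITE' in rec['flags']]


if __name__ == '__main__':
    sess = parse_sftp_log(SAMPLE_LOG.splitlines())
    for row in written_files(sess):
        print('write pid=%d user=%s path=%s bytes=%s' % row)
    print('auth-only sessions (no sftp detail logged):', sessions_without_sftp_log(sess))
```

Run it against a real /var/log/messages (or the AUTHPRIV target) by feeding the file's lines to parse_sftp_log(); a non-empty result from sessions_without_sftp_log() on a host that is supposed to log at "-l INFO" is the quickest sign that the chroot's /dev/log is not reaching a syslogd.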
More information about the openssh-unix-dev mailing list