Howto log multiple sftpd instances with their chroot shared via NFS

Douglas E Engert deengert at gmail.com
Wed Sep 29 23:57:35 AEST 2021


Correction:


On 9/29/2021 8:34 AM, Douglas E Engert wrote:
> Thanks for the info on the single NFS volume mount.
> 
> Another take on the direct bind mount:
> 
> 
> If server1 did:
> source s_chroot_<username> { unix-stream("/var/data/chroot/<username>/dev/log_server1" optional(yes) ); };
> 
> Then for each user server1 would also do (or have in fstab):
> mount --bind /var/data/chroot/<username>/dev/log /var/data/chroot/<username>/dev/log_server1
> 
> and server2 did:
> source s_chroot_<username> { unix-stream("/var/data/chroot/<username>/dev/log_server1" optional(yes) ); };

  Should read:
source s_chroot_<username> { unix-stream("/var/data/chroot/<username>/dev/log_server2" optional(yes) ); };



> and also do this:
> mount --move /var/data/chroot/<username>/dev/log /var/data/chroot/<username>/dev/log_server2
> 
> This would allow each server to have its own /dev/log_host so they would not overwrite each other's,
> but when the libc went to write to the chrooted /dev/log, the kernel would write to /dev/log_serverX because
> the direct bind is in the host's kernel.
> 
> 
> 
> I have not tried this.
> 
> 
> 
> On 9/29/2021 3:42 AM, Hildegard Meier wrote:
>> Hi, I tried now the following:
>>
>> Add the following line to /etc/fstab:
>>
>> /var/data/chroot                            /usr/local/sftp_chroot_bind_mount   none    bind                0       2
>>
>> Then:
>> mkdir /usr/local/sftp_chroot_bind_mount
>> mount /usr/local/sftp_chroot_bind_mount
>>
>> to bind-mount the user's chroot home to /usr/local/sftp_chroot_bind_mount
>>
>> Then replace in the syslog-ng config:
>>
>> source s_chroot_<username>    { unix-stream("/var/data/chroot/<username>/dev/log" optional(yes) ); };
>> with
>> source s_chroot_<username>    { unix-stream("/usr/local/sftp_chroot_bind_mount/<username>/dev/log" optional(yes) ); };
>>
>> Restart syslog-ng
>>
>> That would have been such a simple workaround.
>> But unfortunately, the problem is not solved with this.
>> The problem is the same, that there is sftp logging only on the sftp server where syslog-ng was restarted least.
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
> 

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
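Added example, not code from this thread or from either poster: it reproduces with plain AF_UNIX sockets why only the server whose syslog-ng restarted last receives sftp logs when every server's unix-stream() source points at the same shared /dev/log path (the unix-stream() source unlinks and rebinds the path, replacing the other server's socket inode), shows per-server socket paths keeping each listener reachable, and gives a small health check an admin can run on each server against its chroots' /dev/log. Every path and log line is constructed under a temp directory; no NFS or bind mounts are involved, so the bind-mount step itself is not exercised here.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): shared vs per-server /dev/log sockets,
plus a health check for a chroot's /dev/log. Paths are constructed in a temp
directory; this is not the posters' setup."""
import os
import socket
import stat
import tempfile

ACCEPT_TIMEOUT = 0.5  # seconds to wait for a client before deciding nobody came


def start_listener(path):
    """Mimic a syslog-ng unix-stream() source: remove any stale socket file at
    path, then bind and listen there. On a shared path this is exactly what
    replaces the other server's socket inode."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(5)
    srv.settimeout(ACCEPT_TIMEOUT)
    return srv


def send_line(path, line):
    """Mimic libc syslog() inside the chroot: connect to /dev/log and write."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        client.connect(path)
        client.sendall(line.encode())


def drain(srv):
    """Return the lines a listener received, or [] if no client connected."""
    try:
        conn, _ = srv.accept()
    except socket.timeout:
        return []
    with conn:
        return [conn.recv(4096).decode()]


def check_log_socket(path):
    """Health check for a chroot's /dev/log: the path must exist, be a socket,
    and accept a connection. A socket file left behind by a listener that has
    exited, or replaced by another server's syslog-ng, fails the connect."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISSOCK(st.st_mode):
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
        try:
            client.connect(path)
        except OSError:
            return False
    return True


def demo_shared_path():
    """Two 'servers' start their source on the same path in turn. Only the one
    started last gets the client's line. Returns (server1_lines, server2_lines)."""
    with tempfile.TemporaryDirectory() as d:
        shared = os.path.join(d, "log")   # stands in for <chroot>/dev/log
        server1 = start_listener(shared)
        server2 = start_listener(shared)  # 'restarted last': unlinks and rebinds
        send_line(shared, "<38>sshd[1234]: constructed test line")
        got1, got2 = drain(server1), drain(server2)
        server1.close()
        server2.close()
        return got1, got2


def demo_per_server_paths():
    """Per-server socket paths, as proposed above: each listener keeps its own
    inode and each client reaches its own server. Returns both lists."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, f"log_server{n}") for n in (1, 2)]
        servers = [start_listener(p) for p in paths]
        for n, p in enumerate(paths, start=1):
            send_line(p, f"line for server{n}")
        got = [drain(s) for s in servers]
        for s in servers:
            s.close()
        return got[0], got[1]


def demo_check():
    """Run the health check against a live socket, then against the stale file
    left after its listener exits. Returns (live_ok, stale_ok)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "log")
        srv = start_listener(path)
        live = check_log_socket(path)
        srv.close()  # socket file stays on disk, nobody listens any more
        stale = check_log_socket(path)
        return live, stale


if __name__ == "__main__":
    print("shared path (server1, server2):", demo_shared_path())
    print("per-server paths:", demo_per_server_paths())
    print("health check (live, stale):", demo_check())
```

On a real server, check_log_socket() pointed at /var/data/chroot/<username>/dev/log (run as root, from the host side of the chroot) returns False on every server except the one whose syslog-ng restarted last, which is the symptom reported above; once each server's chrooted /dev/log resolves to a socket its own syslog-ng listens on, it returns True everywhere.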


