LinuxQuestions.org


shailu2014 06-24-2014 10:17 AM

New SFTP Server with Chroot Jail
 
Hello,

I am new to Linux. I want to install & configure SFTP (OpenSSH) on CentOS 6.3 with a chroot jail. This is the first time I am building a production SFTP server.

1. How do I install OpenSSH (SFTP) and configure the chroot jail for all users?
2. How can we get the logs of SFTP users with their upload & download details?

Can someone please help me with the installation & configuration of the SFTP server?

Thanks,
Shailu

grim76 06-24-2014 12:17 PM

Google yielded several results for setting SFTP chroot:

http://www.chriscowley.me.uk/blog/20...oot-on-centos/
http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

Might want to try something like these and then ask questions if you have a problem. Please at least do some research first then ask questions.

shailu2014 06-26-2014 10:21 AM

Hi Grim76,

Thanks for the reply. I had already tried setting up the SFTP server with the links below before asking on the linuxquestions.org forums:

http://www.xpressfx.co.za/index.php/...th-chroot-jail

http://www.serveridol.com/2012/03/10...e-sftp-server/

The SFTP server is working with chroot, but the issue is that I can't get the logs of users with their upload & download details.

I get the logs of users in /var/log/secure (only SFTP account access details); the logs are shown below:

Jun 26 19:26:02 Centos-SFTP sshd[6242]: Accepted password for ramesh from 192.168.0.10 port 29183 ssh2
Jun 26 19:26:02 Centos-SFTP sshd[6242]: pam_unix(sshd:session): session opened for user ramesh by (uid=0)
Jun 26 19:26:02 Centos-SFTP sshd[6246]: subsystem request for sftp

So please help me: what should the SFTP server configuration be so that I can get the SFTP users' logs with their upload & download details?

Thanks,
Shailu

grim76 06-27-2014 01:53 PM

Again, a quick Google search for "SFTP Chroot with logging" turns up multiple hits.

shailu2014 07-01-2014 06:25 AM

Hi Grim,

Thanks for the reply to my query. I have gone through the Google results but did not get any good result.

I have gone through the links below:
http://ubuntuforums.org/showthread.php?t=2081637
https://wiki.archlinux.org/index.php/SFTP_chroot

Configuration in /etc/ssh/sshd_config:

Subsystem sftp internal-sftp -f LOCAL6 -l VERBOSE
Match group sftponly
ChrootDirectory /home/%u
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -f LOCAL6 -l VERBOSE

Configuration in /etc/rsyslog.conf:

$AddUnixListenSocket /home/dev/log

if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~

# Parse the data logged at level INFO and facility LOCAL6 into /var/log/sftp.log
local6.info /var/log/sshd.log

~

I am getting only the SFTP login access logs, shown below, and not the logs of users with their upload & download details.

/var/log/sshd.log:

Jul 1 15:58:00 ubuntu-sftp sshd[8353]: Received signal 15; terminating.
Jul 1 15:58:00 ubuntu-sftp sshd[9663]: Server listening on 0.0.0.0 port 22.
Jul 1 15:58:00 ubuntu-sftp sshd[9663]: Server listening on :: port 22.
Jul 1 16:02:36 ubuntu-sftp sshd[9663]: Received signal 15; terminating.
Jul 1 16:02:36 ubuntu-sftp sshd[9833]: Server listening on 0.0.0.0 port 22.
Jul 1 16:02:36 ubuntu-sftp sshd[9833]: Server listening on :: port 22.
Jul 1 16:02:50 ubuntu-sftp sshd[9834]: Accepted password for test from 192.168.0.57 port 13060 ssh2
Jul 1 16:02:50 ubuntu-sftp sshd[9834]: pam_unix(sshd:session): session opened for user test by (uid=0)
Jul 1 16:02:50 ubuntu-sftp sshd[9951]: subsystem request for sftp by user test
Jul 1 16:03:02 ubuntu-sftp sshd[9953]: Accepted password for test from 192.168.0.57 port 13062 ssh2
Jul 1 16:03:02 ubuntu-sftp sshd[9953]: pam_unix(sshd:session): session opened for user test by (uid=0)
Jul 1 16:03:02 ubuntu-sftp sshd[10070]: subsystem request for sftp by user test
Jul 1 16:03:07 ubuntu-sftp sshd[9834]: pam_unix(sshd:session): session closed for user test
Jul 1 16:03:12 ubuntu-sftp sshd[9953]: pam_unix(sshd:session): session closed for user test
Please help me to get the logs of users with their upload & download details.

Thanks,
Shailu2014

grim76 07-01-2014 08:06 AM

I am not sure on rsyslog, but I do know that syslog-ng works as expected. We are using syslog-ng in our environment.

Someone more knowledgeable on rsyslog may be able to chime in.

Turbocapitalist 07-01-2014 11:45 AM

You have this:

Code:

ChrootDirectory /home/%u

Which does not match this:

Code:

$AddUnixListenSocket /home/dev/log

You'll either need to make a log socket in each user's directory:

Code:

$AddUnixListenSocket /home/shailu2014/dev/log

Or else change your chroot to match your log:

Code:

ChrootDirectory /home

shailu2014 07-01-2014 11:44 PM

Hi Turbocapitalist,

Thanks for your reply. I have done the same steps you gave and had success, but I am getting an issue, described below.

When I configure the steps below in /etc/ssh/sshd_config, all users are able to see the other users' directories and access their data.

Subsystem sftp internal-sftp -f LOCAL6 -l VERBOSE
Match group sftponly
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -f LOCAL6 -l VERBOSE

/etc/rsyslog.conf:

$AddUnixListenSocket /home/shailu2014/dev/log

if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~

# Parse the data logged at level INFO and facility LOCAL6 into /var/log/sftp.log
local6.info /var/log/sshd.log

So please let me know what scripts I can use so that users land in their own chroot directory only.

Turbocapitalist 07-02-2014 05:54 AM

chroot
 
Code:

    1        When i configure the below steps in /etc/ssh/sshd_config then all users able see other directory and data access
    2       
    3        Subsystem sftp internal-sftp -f LOCAL6 -l VERBOSE
    4        Match group sftponly
    5        ChrootDirectory /home
    6        X11Forwarding no
    7        AllowTcpForwarding no
    8        ForceCommand internal-sftp -f LOCAL6 -l VERBOSE
    9       
    10       
    11        /etc/rsyslog.conf
    12       

    13        $AddUnixListenSocket /home/shailu2014/dev/log

Lines 5 and 13 have to match. If you chroot to /home then you can have the log socket in /home/dev/. If you chroot to /home/user2 then the socket has to be in /home/user2/dev/, and so on.
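As an added example that is not part of the thread, a small Python check that applies this matching rule to a sshd_config / rsyslog.conf pair: for every ChrootDirectory sshd can apply, rsyslog must listen on <chroot>/dev/log, because sftp-server opens /dev/log only after it has been chrooted. The two config fragments are constructed copies of those posted above, and the user list (ramesh, test) is an assumed stand-in for the members of the sftponly group.

```python
import re

# Constructed stand-ins for the two config fragments posted in this thread:
# sshd chroots each user to /home/<user>, while rsyslog listens only at /home/dev/log.
SSHD_CONF_PER_USER = """
Subsystem sftp internal-sftp -f LOCAL6 -l VERBOSE
Match group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp -f LOCAL6 -l VERBOSE
"""
RSYSLOG_CONF_SHARED = "$AddUnixListenSocket /home/dev/log\nlocal6.info /var/log/sshd.log\n"

def parse_chroots(sshd_conf):
    """ChrootDirectory values with comments stripped; keywords are case-insensitive, as in sshd."""
    return [m.group(1) for line in sshd_conf.splitlines()
            for m in [re.match(r'(?i)\s*ChrootDirectory\s+(\S+)', line.split('#', 1)[0])] if m]

def parse_sockets(rsyslog_conf):
    """Extra unix sockets rsyslog's imuxsock listens on ($AddUnixListenSocket lines)."""
    return {m.group(1) for line in rsyslog_conf.splitlines()
            for m in [re.match(r'\s*\$AddUnixListenSocket\s+(\S+)', line)] if m}

def expected_sockets(chroots, users):
    """sftp-server opens /dev/log after chrooting, so each chroot needs <chroot>/dev/log.
    A %u chroot is expanded once per user in the sftponly group (users is an assumed list)."""
    expected = set()
    for chroot in chroots:
        roots = [chroot.replace('%u', u) for u in users] if '%u' in chroot else [chroot]
        expected.update(r.rstrip('/') + '/dev/log' for r in roots)
    return expected

def missing_sockets(sshd_conf, rsyslog_conf, users):
    """Sockets sshd's chroots need but rsyslog does not provide; internal-sftp
    messages emitted inside those chroots are silently lost."""
    return sorted(expected_sockets(parse_chroots(sshd_conf), users) - parse_sockets(rsyslog_conf))

def sftp_log_level(sshd_conf):
    """Level passed to internal-sftp with -l; None means the default (ERROR), which
    never records file opens or transfers."""
    m = re.search(r'internal-sftp\b[^\n]*?\s-l\s+(\S+)', sshd_conf)
    return m.group(1).upper() if m else None

if __name__ == '__main__':
    print('sftp log level:', sftp_log_level(SSHD_CONF_PER_USER))
    for sock in missing_sockets(SSHD_CONF_PER_USER, RSYSLOG_CONF_SHARED, ['ramesh', 'test']):
        print('no rsyslog listener for chroot socket', sock)
```

Run against the first configuration in this thread it reports both per-user sockets as missing; against the second (ChrootDirectory /home with a socket under /home/shailu2014) it reports /home/dev/log as missing.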

Turbocapitalist 07-02-2014 05:55 AM

/home
 
Quote:

Originally Posted by shailu2014 (Post 5197206)
When I configure the steps below in /etc/ssh/sshd_config, all users are able to see the other users' directories and access their data.

Subsystem sftp internal-sftp -f LOCAL6 -l VERBOSE
Match group sftponly
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -f LOCAL6 -l VERBOSE

If you want to chroot to just home but put the users into their respective directories anyway, the -d option can do that.

Code:

        ChrootDirectory /home
...
        ForceCommand internal-sftp -d %u -f LOCAL6 -l VERBOSE

Then if you want to prevent them from reading each other's home directories, chmod the home directories to 0700. If you don't want them to even be able to see the other names inside the home directory, chmod /home to 0701.

voleg 07-02-2014 08:40 AM

I can recommend "mysecureshell", which I used years ago. It is a French development.

shailu2014 07-04-2014 12:25 AM

Hi Turbocapitalist,

Thanks for the reply. I have gone through your steps but did not get any success.

I have configured the /etc/ssh/sshd_config file (configuration shown below):

Subsystem sftp internal-sftp -f LOCAL6 -l VERBOSE

Match group sftponly
ChrootDirectory /home
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp -d %u -f LOCAL6 -l VERBOSE

Configuration in /etc/rsyslog.conf:

$AddUnixListenSocket /home/dev/log

if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~

# Parse the data logged at level INFO and facility LOCAL6 into /var/log/sftp.log
local6.info /var/log/sshd.log

After that I tried to log in to the account (with FileZilla) and got the error shown below.

Status: Connecting to 192.168.0.71...
Response: fzSftp started
Command: open "shailu2014@192.168.0.71" 22
Command: Pass: ********
Status: Connected to 192.168.0.71
Error: Connection closed by server with exitcode 1
Error: Could not connect to server

So please help me to resolve the issue.

Thanks,
Shailu2014

Turbocapitalist 07-04-2014 01:05 AM

You'll get more diagnostic data if you try to connect using the built-in SFTP client in verbose mode.

Code:

sftp -v shailu2014@192.168.0.71

Also, which version of OpenSSH server are you using?

shailu2014 07-04-2014 03:11 AM

I have tried to access the SFTP account with sftp -v shailu2014@192.168.0.71.

I am not able to use SFTP from the CLI either; the debug logs are below.

# sftp -v shailu2014@192.168.0.71
OpenSSH_6.0p1 Debian-3ubuntu1.2, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.0.71 [192.168.0.71] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3ubuntu1.2
debug1: match: OpenSSH_6.0p1 Debian-3ubuntu1.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 27:79:ce:8e:9f:3e:fa:e2:29:50:7b:06:68:77:e4:91
debug1: Host '192.168.0.71' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
shailu2014@192.168.0.71's password:
debug1: Authentication succeeded (password).
Authenticated to 192.168.0.71 ([192.168.0.71]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_IN
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 1864, received 1600 bytes, in 0.4 seconds
Bytes per second: sent 4625.8, received 3970.6
debug1: Exit status 1
Connection closed
#

I am using OpenSSH version OpenSSH_6.0p1.

I really appreciate your kind support.

Thanks,
Shailu2014

Turbocapitalist 07-04-2014 04:27 AM

If you have OpenSSH_6.0p1 then the trick with ForceCommand internal-sftp -d %u won't work. The -d option was first added in 6.2.

So, barring the availability of 6.2 or later via backports, that means that you either chroot to /home and let the users manually cd to their own home, or else you have to add a socket in each and every user's chroot via /etc/rsyslog.conf.

By the way, you mention CentOS at the beginning but the output below suggests Ubuntu.

Code:

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3ubuntu1.2