New SFTP Server with Chroot Jail
Hello,
I am new to Linux OS. I want to install & configure SFTP (OpenSSH) on CentOS 6.3 with a chroot jail. This is the first time I am building a production SFTP server.
1. How to install OpenSSH (SFTP) and configure the chroot jail for all users.
2. How can we get the logs of SFTP users with their upload & download data details.
Please can someone help me with the installation & configuration of the SFTP server.
Thanks, Shailu |
Google yielded several results for setting SFTP chroot:
http://www.chriscowley.me.uk/blog/20...oot-on-centos/
http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/
Might want to try something like these and then ask questions if you have a problem. Please at least do some research first, then ask questions. |
Hi Grim76,
Thanks for the reply. I had already tried the SFTP server with the links below before posting on the linuxquestions.org forums:
http://www.xpressfx.co.za/index.php/...th-chroot-jail
http://www.serveridol.com/2012/03/10...e-sftp-server/
The SFTP server is working with chroot, but the issue is that I can't get the logs of users with their upload & download data details. I got the logs of users in /var/log/secure (only SFTP account access details); the logs are mentioned below.
Code:
Jun 26 19:26:02 Centos-SFTP sshd[6242]: Accepted password for ramesh from 192.168.0.10 port 29183 ssh2
Jun 26 19:26:02 Centos-SFTP sshd[6242]: pam_unix(sshd:session): session opened for user ramesh by (uid=0)
Jun 26 19:26:02 Centos-SFTP sshd[6246]: subsystem request for sftp
So please help me: what should be the configuration of the SFTP server so that I can get the SFTP users' logs with their upload & download data details.
Thanks, Shailu |
Again a quick google with "SFTP Chroot with logging" turns up multiple hits.
|
Hi Grim,
Thanks for the reply to my query. I have gone through the Google results but did not get any good result. I have gone through the links below:
http://ubuntuforums.org/showthread.php?t=2081637
https://wiki.archlinux.org/index.php/SFTP_chroot
Configuration in /etc/ssh/sshd_config:
Code:
Subsystem sftp internal-sftp -f LOCAL6 -l VERBOSE
Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -f LOCAL6 -l VERBOSE
Configuration in /etc/rsyslog.conf:
Code:
$AddUnixListenSocket /home/dev/log
if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~
# Parse the data logged at level INFO and facility LOCAL6 into /var/log/sftp.log
local6.info /var/log/sshd.log
~
I am getting only the SFTP login access, which is mentioned below, and not getting the logs of users with their upload & download data details.
/var/log/sshd.log
Code:
Jul 1 15:58:00 ubuntu-sftp sshd[8353]: Received signal 15; terminating.
Jul 1 15:58:00 ubuntu-sftp sshd[9663]: Server listening on 0.0.0.0 port 22.
Jul 1 15:58:00 ubuntu-sftp sshd[9663]: Server listening on :: port 22.
Jul 1 16:02:36 ubuntu-sftp sshd[9663]: Received signal 15; terminating.
Jul 1 16:02:36 ubuntu-sftp sshd[9833]: Server listening on 0.0.0.0 port 22.
Jul 1 16:02:36 ubuntu-sftp sshd[9833]: Server listening on :: port 22.
Jul 1 16:02:50 ubuntu-sftp sshd[9834]: Accepted password for test from 192.168.0.57 port 13060 ssh2
Jul 1 16:02:50 ubuntu-sftp sshd[9834]: pam_unix(sshd:session): session opened for user test by (uid=0)
Jul 1 16:02:50 ubuntu-sftp sshd[9951]: subsystem request for sftp by user test
Jul 1 16:03:02 ubuntu-sftp sshd[9953]: Accepted password for test from 192.168.0.57 port 13062 ssh2
Jul 1 16:03:02 ubuntu-sftp sshd[9953]: pam_unix(sshd:session): session opened for user test by (uid=0)
Jul 1 16:03:02 ubuntu-sftp sshd[10070]: subsystem request for sftp by user test
Jul 1 16:03:07 ubuntu-sftp sshd[9834]: pam_unix(sshd:session): session closed for user test
Jul 1 16:03:12 ubuntu-sftp sshd[9953]: pam_unix(sshd:session): session closed for user test
Please help me to get the logs of users with their upload & download data details.
Thanks, Shailu2014 |
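For reference, these are the transfer records that "-l VERBOSE" produces once internal-sftp can actually reach a syslog socket from inside the chroot, together with a small script that sums them up per user. This is an added illustration, not something posted in the thread; the log lines are constructed in the format internal-sftp uses (one open/close pair per file, byte counts on the close line), and the host, user and file names are made up.

```shell
#!/bin/sh
# Added example, not from the thread. internal-sftp -l VERBOSE logs
# 'session opened for local user X', 'open "path" flags ... mode ...' and
# 'close "path" bytes read N written M' lines; the pid in internal-sftp[PID]
# ties the close lines to the session's user. The lines below are
# constructed sample data in that format.
SAMPLE_LOG='Jul  1 16:05:12 ubuntu-sftp internal-sftp[9951]: session opened for local user test from [192.168.0.57]
Jul  1 16:05:20 ubuntu-sftp internal-sftp[9951]: open "/upload/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Jul  1 16:05:21 ubuntu-sftp internal-sftp[9951]: close "/upload/report.csv" bytes read 0 written 10240
Jul  1 16:05:30 ubuntu-sftp internal-sftp[9951]: open "/upload/old.csv" flags READ mode 0666
Jul  1 16:05:31 ubuntu-sftp internal-sftp[9951]: close "/upload/old.csv" bytes read 20480 written 0
Jul  1 16:05:40 ubuntu-sftp internal-sftp[9951]: session closed for local user test from [192.168.0.57]
Jul  1 16:06:00 ubuntu-sftp internal-sftp[9960]: session opened for local user ramesh from [192.168.0.10]
Jul  1 16:06:05 ubuntu-sftp internal-sftp[9960]: close "/in/a.bin" bytes read 0 written 512
Jul  1 16:06:06 ubuntu-sftp internal-sftp[9960]: close "/in/b.bin" bytes read 0 written 512'

# Read log lines on stdin; print "user uploaded_bytes downloaded_bytes" per
# user. "written" is data the client sent (upload), "read" is data served to
# the client (download). Close lines whose pid never logged a session-open
# line are attributed to "unknown".
sftp_transfer_summary() {
    awk '
        match($0, /internal-sftp\[[0-9]+\]/) {
            pid = substr($0, RSTART + 14, RLENGTH - 15)
        }
        /session opened for local user/ {
            for (i = 1; i <= NF; i++) if ($i == "user") user[pid] = $(i + 1)
        }
        /close ".*" bytes read [0-9]+ written [0-9]+/ {
            u = (pid in user) ? user[pid] : "unknown"
            down[u] += $(NF - 2); up[u] += $NF
        }
        END { for (u in up) print u, up[u] + 0, down[u] + 0 }
    ' | sort
}

# On a real server: sftp_transfer_summary < /var/log/sftp.log
printf '%s\n' "$SAMPLE_LOG" | sftp_transfer_summary
```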
I am not sure on rsyslog, but I do know that syslog-ng works as expected. We are using syslog-ng in our environment.
Someone more knowledgeable on rsyslog may be able to chime in. |
You have this:
Code:
ChrootDirectory /home/%u
Code:
$AddUnixListenSocket /home/dev/log
Code:
$AddUnixListenSocket /home/shailu2014/dev/log
Code:
ChrootDirectory /home |
Hi Turbocapitalist,
Thanks for your reply. I have done the same steps which you have given and got success, but I am getting an issue which is mentioned below. When I configure the steps below in /etc/ssh/sshd_config then all users are able to see other directories and access the data.
Code:
Subsystem sftp internal-sftp -f LOCAL6 -l VERBOSE
Match group sftponly
    ChrootDirectory /home
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -f LOCAL6 -l VERBOSE
/etc/rsyslog.conf
Code:
$AddUnixListenSocket /home/shailu2014/dev/log
if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~
# Parse the data logged at level INFO and facility LOCAL6 into /var/log/sftp.log
local6.info /var/log/sshd.log
So please let me know what scripts I can use so that users can come into their chroot directory only. |
chroot
Code:
When I configure the steps below in /etc/ssh/sshd_config then all users are able to see other directories and access the data |
/home
Quote:
Code:
ChrootDirectory /home |
I can recommend "mysecureshell", which I've used years before. French development.
|
Hi Turbocapitalist,
Thanks for the reply. I have gone through your steps but did not get any success. I have configured the /etc/ssh/sshd_config file (configuration mentioned below):
Code:
Subsystem sftp internal-sftp -f LOCAL6 -l VERBOSE
Match group sftponly
    ChrootDirectory /home
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp -d %u -f LOCAL6 -l VERBOSE
Configured /etc/rsyslog.conf:
Code:
$AddUnixListenSocket /home/dev/log
if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~
# Parse the data logged at level INFO and facility LOCAL6 into /var/log/sftp.log
local6.info /var/log/sshd.log
After that I tried to log in to the FTP account (by FileZilla) and got the error mentioned below.
Code:
Status: Connecting to 192.168.0.71...
Response: fzSftp started
Command: open "shailu2014@192.168.0.71" 22
Command: Pass: ********
Status: Connected to 192.168.0.71
Error: Connection closed by server with exitcode 1
Error: Could not connect to server
So please help me to resolve the issue.
Thanks, Shailu2014 |
You'll get more diagnostic data if you try to connect using the built-in SFTP client in verbose mode.
Code:
sftp -v shailu2014@192.168.0.71 |
I have tried to access the SFTP account with sftp -v shailu2014@192.168.0.71.
I am not able to do the SFTP by CLI; the debug logs are mentioned below.
Code:
# sftp -v shailu2014@192.168.0.71
OpenSSH_6.0p1 Debian-3ubuntu1.2, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.0.71 [192.168.0.71] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3ubuntu1.2
debug1: match: OpenSSH_6.0p1 Debian-3ubuntu1.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 27:79:ce:8e:9f:3e:fa:e2:29:50:7b:06:68:77:e4:91
debug1: Host '192.168.0.71' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: password
shailu2014@192.168.0.71's password:
debug1: Authentication succeeded (password).
Authenticated to 192.168.0.71 ([192.168.0.71]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_IN
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 1864, received 1600 bytes, in 0.4 seconds
Bytes per second: sent 4625.8, received 3970.6
debug1: Exit status 1
Connection closed
#
I am using OpenSSH version OpenSSH_6.0p1. Really appreciate your kind support.
Thanks, Shailu2014 |
If you have OpenSSH_6.0p1 then the trick with ForceCommand internal-sftp -d %u won't work. The option -d is added first with 6.2.
So barring the availability of 6.2 or later via backports, that means that you either chroot to /home and let the users manually cd to their own home, or else you have to add a socket in each and every user's chroot via /etc/rsyslog.conf. By the way, you mention CentOS at the beginning but the output below suggests Ubuntu.
Code:
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3ubuntu1.2 |
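A script for the second option above (a syslog socket inside every user's chroot), added here as an illustration and not written by anyone in the thread: it creates the dev directory in each chroot, prints the matching rsyslog $AddUnixListenSocket directives, checks that a chroot's mode is one sshd will accept, and tests whether the installed OpenSSH is new enough for internal-sftp -d. The user list, base directory and drop-in path are assumptions; on a real server it must run as root.

```shell
#!/bin/sh
# Added example, not from the thread. With ChrootDirectory /home/%u a jailed
# internal-sftp cannot reach /dev/log or /home/dev/log, so rsyslog has to own
# a socket inside every chroot. Assumptions: users are passed as arguments
# (in production, the members of the sftponly group) and the base dir is the
# parent of the chroots.

# print one $AddUnixListenSocket directive per user, for an rsyslog drop-in
gen_rsyslog_sockets() {   # $1 = base dir, rest = users
    base=$1; shift
    for u in "$@"; do
        printf '$AddUnixListenSocket %s/%s/dev/log\n' "$base" "$u"
    done
}

# create <base>/<user>/dev so rsyslog can place the socket; sshd refuses a
# chroot that is not root-owned or is group/world writable, so keep 0755
prepare_chroots() {       # $1 = base dir, rest = users
    base=$1; shift
    for u in "$@"; do
        mkdir -p "$base/$u/dev" && chmod 755 "$base/$u" "$base/$u/dev" || return 1
    done
}

# succeed only if neither the group nor the other write bit is set
# (ownership by root is also required by sshd; check it separately with ls -ld)
chroot_mode_ok() {        # $1 = directory
    mode=$(stat -c %a "$1") || return 1
    case $mode in
        *[2367]|*[2367][0-7]) return 1 ;;
    esac
    return 0
}

# internal-sftp -d appeared in OpenSSH 6.2; $1 is the first line of `ssh -V`
openssh_supports_d() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}; minor=${ver#* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 2 ]; }
}

# Usage on the server (as root), assuming the sftponly group exists:
#   users=$(getent group sftponly | cut -d: -f4 | tr , ' ')
#   prepare_chroots /home $users
#   gen_rsyslog_sockets /home $users > /etc/rsyslog.d/sftp-chroot.conf
#   openssh_supports_d "$(ssh -V 2>&1)" && echo "internal-sftp -d is available"
```

After writing the drop-in, restart rsyslog before sshd so the sockets exist when the first jailed session starts.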