LinuxQuestions.org
Old 01-31-2012, 07:08 PM   #1
NDarkstar
LQ Newbie
 
Registered: Jan 2012
Posts: 4

Rep: Reputation: Disabled
Chroot Jail + SFTP Logging on RHEL / CentOS6 - Logs Not Occurring


Hello Everyone,

Having a bit of an issue with CentOS 6.2. Specifically, I've set up a chroot jail which only permits sftp access to a specific home directory.

The jail works as I'd expect it to with the exception of the logging.

My changes to /etc/sshd_config were to comment out the default Subsystem entry and add the following:
Code:
Subsystem       sftp    internal-sftp -l VERBOSE -f LOCAL6

Match User webuser
        ChrootDirectory /home/live/example.com
        ForceCommand internal-sftp -l VERBOSE -f LOCAL6
        AllowTcpForwarding no
        X11Forwarding no
/etc/rsyslog.conf had the following lines added:
Code:
$AddUnixListenSocket /home/live/example.com/dev/log
local6.* /var/log/sftp.log
When accessing the server via sftp with any user but webuser, the jail is not activated and sftp logging is written to /var/log/sftp.log as expected. When logging in via sftp as webuser, the jail operates properly but only what I assume is the basic AUTHPRIV data is recorded into /var/log/secure. Specifically:
Code:
Jan 31 17:02:20 server sshd[8058]: Accepted password for webuser from 192.168.1.100 port 53361 ssh2
Jan 31 17:02:20 server sshd[8058]: pam_unix(sshd:session): session opened for user webuser by (uid=0)
Jan 31 17:02:20 server sshd[8063]: subsystem request for sftp
Jan 31 17:02:21 server sshd[8058]: pam_unix(sshd:session): session closed for user webuser
Stopping and starting the rsyslog daemon will remove and create the listen socket at /home/live/example.com/dev/log.

The installed versions of openssh and rsyslog are 5.3 and 4.6.2 respectively.

Any thoughts?


Brad
 
Old 02-02-2012, 02:55 PM   #2
starmonche
Member
 
Registered: Jan 2007
Location: Overland Park
Distribution: Centos6
Posts: 60

Rep: Reputation: 15
I have the same issue on an updated minimal x86 CentOS 6.2 installation. It appears that the Subsystem logs go into the facility you specify but the chroot logs continue going into /var/log/secure.

I notice that you can set umask with ForceCommand now, though.

Last edited by starmonche; 02-02-2012 at 02:56 PM.
 
Old 02-02-2012, 02:59 PM   #3
NDarkstar
LQ Newbie
 
Registered: Jan 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
I'd be fine with the lack of redirection, but the chrooted logs aren't using the verbose logging either. It's almost like the ForceCommand is ignoring the flags.
 
Old 02-02-2012, 03:05 PM   #4
starmonche
Member
 
Registered: Jan 2007
Location: Overland Park
Distribution: Centos6
Posts: 60

Rep: Reputation: 15
If it helps figure out the "why", the logs in /var/log/secure are from sshd but the logs from users outside the "Match User" clause (that redirect properly) are from internal-sftpd.
 
Old 02-02-2012, 03:06 PM   #5
starmonche
Member
 
Registered: Jan 2007
Location: Overland Park
Distribution: Centos6
Posts: 60

Rep: Reputation: 15
Per your reply, this page http://ccsales.com/wpblog/openssh-lo...-sftp-clients/ makes mention of the INFO and VERBOSE logs appearing to be the same. I see that DEBUG kicks out more data than info, though.

Last edited by starmonche; 02-02-2012 at 03:16 PM.
 
Old 02-02-2012, 03:26 PM   #6
NDarkstar
LQ Newbie
 
Registered: Jan 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
Right, but the default logging level is AUTHPRIV and not INFO/VERBOSE. So if a non-chrooted user logs in, I get data in /var/log/sftp.log that looks like this:

Code:
Feb  2 13:20:35 server internal-sftp[23661]: session opened for local user fulluser from [192.168.1.100]
Feb  2 13:20:35 server internal-sftp[23661]: received client version 3
Feb  2 13:20:35 server internal-sftp[23661]: realpath "."
Feb  2 13:20:35 server internal-sftp[23661]: realpath "/home/fulluser/."
Feb  2 13:20:35 server internal-sftp[23661]: opendir "/home/fulluser"
Feb  2 13:20:35 server internal-sftp[23661]: closedir "/home/fulluser"
Feb  2 13:20:35 server internal-sftp[23661]: realpath "/home/fulluser/Maildir"
Feb  2 13:20:35 server internal-sftp[23661]: stat name "/home/fulluser/Maildir"
Feb  2 13:20:57 server internal-sftp[23661]: session closed for local user fulluser from [192.168.1.100]
 
Old 02-02-2012, 03:31 PM   #7
NDarkstar
LQ Newbie
 
Registered: Jan 2012
Posts: 4

Original Poster
Rep: Reputation: Disabled
(Responding to replies out of order)

So it looks like the sshd logging is working properly but for whatever reason, internal-sftp isn't using the log socket that was created in the chrooted /dev/ directory.
 
Old 02-02-2012, 04:19 PM   #8
starmonche
Member
 
Registered: Jan 2007
Location: Overland Park
Distribution: Centos6
Posts: 60

Rep: Reputation: 15
It's using the socket (cutting back the permissions to chroothome/dev/log keeps it from logging chroot activity at all) but it ignores the facility parameter.
 
Old 09-07-2013, 12:15 AM   #9
saifelyzal
LQ Newbie
 
Registered: Jun 2011
Distribution: Redhat
Posts: 28

Rep: Reputation: Disabled
SFTP Logging

Steps
edit sshd_config

Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE
Match Group sftponly
ChrootDirectory /chroot
ForceCommand internal-sftp -f AUTHPRIV -l VERBOSE
AllowTcpForwarding no
#
edit rsyslog.conf or create a file in /etc/rsyslog.d/file.conf, and add the line below to the file

$AddUnixListenSocket /chroot/dev/log
###

mkdir -p /chroot/dev


mount -o bind /home /chroot/dev
#
service rsyslog restart
service sshd restart

Note: you don't need to create the log directory manually; rsyslog will take care of it, since it's a socket file.

login with sftp user, do some upload, download
####


check

/var/log/secure
/var/log/audit/audit.log

Last edited by saifelyzal; 09-07-2013 at 12:20 AM.
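Both configurations in this thread (the original poster's Match User block and the Match Group block in the reply above) pair a ChrootDirectory in sshd_config with an $AddUnixListenSocket in rsyslog, and the two have to agree on the path or the jailed session has no socket to log to. The following is an added example, not code from the thread, that parses both fragments and reports any jailed Match block whose <chroot>/dev/log socket rsyslog is not told to create, or which does not explicitly disable forwarding. The config text is constructed from the two configurations posted here; how sshd treats an option absent from a Match block (it inherits the global value) is assumed from sshd_config semantics, not stated in the thread.

```python
"""Cross-check sshd Match/ChrootDirectory blocks against rsyslog listen sockets.

Added example, not code from the thread.  Parses sshd_config and rsyslog
fragments and reports jailed Match blocks whose <chroot>/dev/log socket is
not declared to rsyslog, or which leave forwarding enabled.
"""
import re

# Constructed sample: the original poster's sshd_config additions.
SSHD_POST1 = """\
Subsystem       sftp    internal-sftp -l VERBOSE -f LOCAL6

Match User webuser
        ChrootDirectory /home/live/example.com
        ForceCommand internal-sftp -l VERBOSE -f LOCAL6
        AllowTcpForwarding no
        X11Forwarding no
"""
RSYSLOG_POST1 = """\
$AddUnixListenSocket /home/live/example.com/dev/log
local6.* /var/log/sftp.log
"""

# Constructed sample: the Match Group variant from the last reply.
SSHD_POST9 = """\
Subsystem sftp internal-sftp -f AUTHPRIV -l VERBOSE
Match Group sftponly
ChrootDirectory /chroot
ForceCommand internal-sftp -f AUTHPRIV -l VERBOSE
AllowTcpForwarding no
"""
RSYSLOG_POST9 = "$AddUnixListenSocket /chroot/dev/log\n"


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).  sshd keywords are case-insensitive,
    so they are lower-cased; each Match line opens a new block dict."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            current = {"match": value}
            blocks.append(current)
        elif current is not None:
            current[key] = value
        else:
            global_opts[key] = value
    return global_opts, blocks


def parse_rsyslog_sockets(text):
    """Return the set of paths named by $AddUnixListenSocket directives."""
    sockets = set()
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "$addunixlistensocket":
            sockets.add(parts[1].strip())
    return sockets


def check_chroot_logging(sshd_text, rsyslog_text):
    """Return (match_spec, finding) tuples; an empty list means nothing to fix."""
    _, blocks = parse_sshd_config(sshd_text)
    sockets = parse_rsyslog_sockets(rsyslog_text)
    findings = []
    for blk in blocks:
        spec = blk["match"]
        chroot = blk.get("chrootdirectory")
        if chroot is None:
            continue  # not a jail; nothing to cross-check
        if "%" in chroot:  # %h / %u tokens expand per user; cannot resolve statically
            findings.append((spec, "ChrootDirectory uses a per-user token; check sockets by hand"))
            continue
        expected = chroot.rstrip("/") + "/dev/log"
        if expected not in sockets:
            findings.append((spec, "no $AddUnixListenSocket for " + expected))
        if not blk.get("forcecommand", "").startswith("internal-sftp"):
            findings.append((spec, "ForceCommand is not internal-sftp"))
        # an option absent from the block inherits the global value (assumption
        # from sshd_config semantics), so require an explicit "no" here
        for kw in ("allowtcpforwarding", "x11forwarding"):
            if blk.get(kw, "").lower() != "no":
                findings.append((spec, kw + " not explicitly disabled in block"))
    return findings


if __name__ == "__main__":
    for label, s, r in (("post #1", SSHD_POST1, RSYSLOG_POST1),
                        ("post #9", SSHD_POST9, RSYSLOG_POST9)):
        print(label, check_chroot_logging(s, r) or "ok")
```

Read the real files with `open("/etc/ssh/sshd_config").read()` and the contents of `/etc/rsyslog.conf` plus `/etc/rsyslog.d/*.conf` concatenated; the check only confirms the two configurations name the same socket path, it does not tell you whether internal-sftp honours the `-f` facility under ForceCommand, which is the behaviour the thread observed.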
 