SSH / SFTP session logging

phatgeezer · 05-04-2007, 09:09 AM

We are in the process of migrating clients from vsftp (standard FTP) to SFTP to secure their login sessions. (Yes I know vsftp can do SSL if compiled to do so, but we have a client who is only prepared at the moment to do SFTP)

Auth key logins work just fine on the new server, but on our vsftp server we could get a log of every command issued by the client, and every response issued by the console, for troubleshooting. /var/log/secure even in verbose mode only seems to be recording authentications and not the sessions themselves. We need to be able to monitor what outside clients do while they are connected to our server.

Also, vsftp has a filexfer log that shows the status of all file transfers, whether they completed successfully or not. Is there a way to monitor this on SFTP? I know SFTP is basically just cp over an SSH connection, and not true FTP, but I can't be the only person who ever faced this issue.

All of the solutions I have seen seem to be directed at recording the session at the client end. I want a recording of the session on the server.

Anyone have a solution? Thanks!

unSpawn · 05-04-2007, 06:15 PM

SSH sets up a remote shell so it should honour the shell set for a user in /etc/passwd. Substituting /bin/bash for say Rootsh (or any equivalent logging shell like Sudosh?) should get you logging. If that's not what you want maybe look at what SELinux or syscall-based logging could provide. As for xfers I don't think anything can provide you with that. You win some, lose some it's still the same to me
The pleasure is to play, it makes no difference what you say
I don't share your greed, the only card I need is
The Ace Of Spades
The Ace Of Spades

//don't take it personal, just had to finish with lyrics given it's friday

haddel · 05-07-2007, 10:42 AM

One way is to setup a little wrapper environment

Like the .profile (or .bash_profile) will start logging what the users doing. Short example:

ownership like
-rw-r--r-- 1 root other 191 May 3 11:59 .bash_profile

start of logging within the .bash_profile like

/usr/bin/script -a /var/log/login.log

Should the users only copy files?
If yes, choose scponly instead of a normal shell

Only short ideas.....