I have seen many posts on how to set up chroot jail’ed sftp using openssh, but few cover the logging aspects in detail. This tries to cover some of the issues and solutions.<\/p>\n
SFTP is ftp wrapped in a SSH secure environment. It is used to transfer files securely and is now used widely to transfer files between servers securely. Open SSH is the most common ssh implementation and includes all the required configuration logic to allow group based access control and chroot jail’ing of users.<\/p>\n
In this example I am going to set up a group of users that require SFTP access only (no SSH) and are going to copy files to a filesystem on a SFTP server. The location of the filesystem is going to be \/sftp and users will reside in seperate folders under here.<\/p>\n
Initially a new group should be created, here called “sftpuser”. Each user that requires SFTP access will be placed in this group.<\/p>\n
The sshd_config (on debian in \/etc\/ssh) should be edited and the following added on the end:-<\/p>\n
Match group sftpuser\r\n ChrootDirectory \/sftp\/%u\r\n X11Forwarding no\r\n AllowTcpForwarding no\r\n ForceCommand internal-sftp -l VERBOSE -f LOCAL6<\/pre>\nThis does the following:-<\/p>\n
\n
- Forces all users connecting via ssh on port 22 to have sftp only<\/li>\n
- Runs their sftp session in a chroot jail in directory \/sftp\/$USER<\/li>\n
- Prevents them TCP of X11 forwarding connections<\/li>\n
- Runs the internal sftp server getting it to log verbose and to syslog channel name LOCAL6<\/strong><\/li>\n<\/ol>\n
Now a user should be created, without creating a home directory and in the default group sftpuser<\/strong>. On ubuntu you can enter:-<\/p>\n
adduser --home \/ --gecos \"First Test SFTP User\" --group sftpuser --no-create-home --shell \/bin\/false testuser1<\/pre>\nThe reason the home directory is set to \/ is that the sftp will chroot to \/sftp\/testuser1. Next the users home directory will need creating:-<\/p>\n
mkdir \/sftp\/testuser1\r\nchmod 755 \/sftp\/testuser1\r\nmkdir \/sftp\/tstuser1\/in\r\nmkdir \/sftp\/testuser1\/out\r\nchown testuser1 \/sftp\/testuse1\/in<\/pre>\nNote that the directory structure and permissions that you set may differ depending on your requirements. The users password should be set, and sshd restarted (on debian service ssh restart).<\/p>\n
Now it should be possible to sftp files to the host using the command line sftp tool, but it should not be possible to ssh to the server as user testuser1.<\/p>\n
Logging<\/h2>\n
You will see verbose sftp logging being produced in the \/var\/logmessages for each chroot’ed user, where by default this should go to the daemon.log. The reason for this is that the chroot’ed sftp process can not open \/dev\/log as this is not within the chrooted filesystem.<\/p>\n
There are two fixes to this problem, depending on the filesystem configuration.<\/p>\n
If the users sftp directory \/sftp\/user is on the root filesystem<\/h3>\n
You can create a hard link to mimic the device:-<\/p>\n
mkdir \/sftp\/testuser1\/dev\r\nchmod 755 \/sftp\/testuser1\/dev\r\nln \/dev\/log \/sftp\/testuser1\/dev\/log<\/pre>\nIf the users sftp directory is NOT on the root filesystem<\/h3>\n
First syslog or rsyslog will need use an additonal logging socket within the users filesystem. For my example \/sftp is a seperate sftp filesystem.<\/p>\n
For Redhat<\/h4>\n
On redhat syslog is used, so I altered \/etc\/sysconfif\/syslog so that the line:-<\/p>\n
SYSLOGD_OPTIONS=\"-m 0\"<\/pre>\nreads:-<\/p>\n
SYSLOGD_OPTIONS=\"-m 0 -a \/sftp\/sftp.log.socket<\/pre>\nFinally the syslog daemon needs to be told to log messages for LOCAL6 to the \/var\/log\/sftp.log file, so the following was added to \/etc\/syslog.conf:-<\/p>\n
# For SFTP logging\r\nlocal6.*\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\/var\/log\/sftp.log<\/pre>\nand syslog was restarted.<\/p>\n
For Ubuntu Lucid<\/h4>\n
On Ubuntu lucid I created \/etc\/rsyslog.d\/sshd.conf containing:-<\/p>\n
# Create an additional socket for some of the sshd chrooted users.\r\n$AddUnixListenSocket \/sftp\/sftp.log.socket\r\n# Log internal-sftp in a separate file\r\n:programname, isequal, \"internal-sftp\" -\/var\/log\/sftp.log\r\n:programname, isequal, \"internal-sftp\" ~<\/pre>\n… and restarted rsyslogd.<\/p>\n
Creating log devices for users<\/h4>\n
Now for each user a \/dev\/log device needs creating:-<\/p>\n
mkdir \/sftp\/testuser1\/dev\r\nchmod 755 \/sftp\/testuser1\/dev\r\nln \/sftp\/sftp.log.socket \/sftp\/testuser1\/dev\/log<\/pre>\nLog Rotation<\/h2>\n
TBD<\/p>\n
Producing xfer logs<\/h2>\n
The format of the logging from openssh’es sftp server is a little cryptic. The perl script here<\/a> can be used to produce an proftp like xfer log<\/a>. Bigmite Software Solutions <\/a>are experts in finding simple solutions to everyday problems.<\/p>\n
Several people have said they had trouble running the script to produce Xfer logs. I’ll try to write a wrapper for ubuntu logroate and redhat later, but for now:-<\/p>\n
Save script somewhere sensible and run “chmod +x createXferLog”, then to create a Xfer log from another log file simply type:-<\/p>\n
createXferLog logfile > xfer.log<\/p>\n
The file will be the syslog, or daemon log depending on system, the file with sshd logs in,<\/p>\n
or<\/p>\n
cat logfile | createXferLog > xfer.log<\/p>\n","protected":false},"excerpt":{"rendered":"
Introduction I have seen many posts on how to set up chroot jail’ed sftp using openssh, but few cover the logging aspects in detail. This tries to cover some of the issues and solutions. SFTP SFTP is ftp wrapped in a SSH secure environment. It is used to transfer files securely and is now used … Continue reading “Chroot sftp using openssh and logging”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/karlsblog.bigmight.com\/blog\/wp-json\/wp\/v2\/posts\/31"}],"collection":[{"href":"https:\/\/karlsblog.bigmight.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/karlsblog.bigmight.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/karlsblog.bigmight.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/karlsblog.bigmight.com\/blog\/wp-json\/wp\/v2\/comments?post=31"}],"version-history":[{"count":5,"href":"https:\/\/karlsblog.bigmight.com\/blog\/wp-json\/wp\/v2\/posts\/31\/revisions"}],"predecessor-version":[{"id":33,"href":"https:\/\/karlsblog.bigmight.com\/blog\/wp-json\/wp\/v2\/posts\/31\/revisions\/33"}],"wp:attachment":[{"href":"https:\/\/karlsblog.bigmight.com\/blog\/wp-json\/wp\/v2\/media?parent=31"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/karlsblog.bigmight.com\/blog\/wp-json\/wp\/v2\/categories?post=31"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/karlsblog.bigmight.com\/blog\/wp-json\/wp\/v2\/tags?post=31"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}