Maybe one of you can help. We have set up a CentOS server so that each user who logs in via sftp will be jailed in their home directory. Here's the relevant sshd_config:
    # override default of no subsystems
    Subsystem sftp internal-sftp -f LOCAL2 -l INFO

    Match Group sftponly
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
This actually works great, but none of the activities of sftponly group members is getting logged. The man page for sftp-server says:
"For logging to work, sftp-server must be able to access /dev/log. Use of sftp-server in a chroot configuration therefore requires that syslogd(8) establish a logging socket inside the chroot directory."
How do I establish a logging socket inside the chroot directory, when the chroot directory is different depending on which user is logging in at any given time? I don't want to run separate sockets in every customer's chroot directory, this is not practical.
Any ideas?
Each user has their own jail?
I solved a similar issue with jail and syslog adding a "-a /home/jail/dev/log" parameter to syslog startup.
From the syslogd man page:
    -a socket
        Using this argument you can specify additional sockets that syslogd has to listen to. This is needed if you're going to let some daemon run within a chroot() environment. You can use up to 19 additional sockets. If your environment needs even more, you have to increase the symbol MAXFUNIX within the syslogd.c source file. An example for a chroot() daemon is described by the people from OpenBSD at http://www.psionic.com/papers/dns.html.
Regards,
Lincoln
On Wed, Feb 10, 2010 at 7:08 PM, Sean Carolan scarolan@gmail.com wrote:
> I solved a similar issue with jail and syslog adding a "-a /home/jail/dev/log" parameter to syslog startup.
In our environment the chroot jail is /home/username. Does this mean we need a /home/username/dev/log for each and every user? If the daemon is chroot'd to /home/username wouldn't this be the case?
If you have:

    /home/username01/[etc,dev,tmp,bin,lib]
    /home/username02/[etc,dev,tmp,bin,lib]
    /home/username03/[etc,dev,tmp,bin,lib]
    /home/username04/[etc,dev,tmp,bin,lib]

I believe you will need:

    syslogd -a "/home/username01/dev/log" -a "/home/username02/dev/log" -a "/home/username03/dev/log" -a "/home/username04/dev/log"

or something like this. I don't know the syntax for multiple "-a"...
Regards,
Lincoln
On Wed, Feb 10, 2010 at 9:39 PM, Sean Carolan scarolan@gmail.com wrote:
> I believe you will need:
>
>     syslogd -a "/home/username01/dev/log" -a "/home/username02/dev/log" -a "/home/username03/dev/log" -a "/home/username04/dev/log"
>
> or something like this. I don't know the syntax for multiple "-a"...
This seems very impractical, both from a security standpoint and because you are limited to only 19 users. Are there any other means to accomplish detailed sftp logging while users are chroot'd to their home directories?
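The per-chroot "-a" approach Lincoln describes, scripted so it does not have to be typed out per user, as an added example that is not code from anyone in the thread. It builds the syslogd argument list for every member of the sftponly group, creates the <chroot>/dev directory the socket needs, checks the chroot's mode the way sshd does before it will honour ChrootDirectory, and refuses outright to exceed the 19-socket limit Sean raises rather than silently dropping users. It assumes the thread's layout (ChrootDirectory /home/%u) and a sysklogd-style syslogd; the sftponly_users helper and the demo's alice/bob users are constructed for illustration.

```shell
#!/bin/sh
# Added example; not code from the thread. Scripts the per-chroot "-a" approach:
# one "-a <chroot>/dev/log" per sftponly member, a <chroot>/dev directory for
# syslogd to bind in, and a guard against the 19-socket limit in the syslogd
# man page. Assumes ChrootDirectory /home/%u and a sysklogd-style syslogd.

MAXFUNIX=19   # additional sockets sysklogd accepts without a rebuild (from its man page)

# Members of the sftponly group, one per line. Hypothetical helper for a real
# host; the demo below feeds a constructed list instead of calling it.
sftponly_users() {
    getent group sftponly | awk -F: '{ n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# chroot_socket_args BASE USER...: print the syslogd arguments, e.g.
# "-a /home/alice/dev/log -a /home/bob/dev/log". Fails (prints nothing)
# when more than MAXFUNIX users are given, rather than silently dropping some.
chroot_socket_args() {
    base=$1; shift
    [ "$#" -le "$MAXFUNIX" ] || return 1
    args=
    for u in "$@"; do
        args="$args -a $base/$u/dev/log"
    done
    echo "${args# }"
}

# chroot_mode_ok DIR: true when DIR is neither group- nor world-writable,
# which sshd requires of every ChrootDirectory (it refuses the login otherwise).
# Reads the mode string from ls(1) so no GNU stat/find extensions are needed:
# character 6 is the group write bit, character 9 the "other" write bit.
chroot_mode_ok() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# chroot_owner_ok DIR: sshd additionally requires the chroot (and every
# component of its path) to be owned by root; the owner is column 3 of ls -ld.
chroot_owner_ok() {
    [ "$(ls -ld "$1" | awk '{ print $3 }')" = root ]
}

# prepare_chroot_dev BASE USER: create BASE/USER/dev (0755) for the socket.
# Refuses if the chroot's mode would make sshd reject it, so a logging socket
# is never bound inside a directory the user could tamper with.
prepare_chroot_dev() {
    chroot_mode_ok "$1/$2" || return 1
    mkdir -p "$1/$2/dev" && chmod 755 "$1/$2/dev"
}

# Demo on a constructed layout under a temporary directory (no root needed).
demo() {
    tmp=$(mktemp -d) || return 1
    for u in alice bob; do
        mkdir -p "$tmp/$u" && chmod 755 "$tmp/$u"
        prepare_chroot_dev "$tmp" "$u"
    done
    chroot_socket_args "$tmp" alice bob
    rm -rf "$tmp"
}
demo

# On the real host (as root), once the users exist:
#   users=$(sftponly_users)
#   for u in $users; do chroot_owner_ok "/home/$u" && prepare_chroot_dev /home "$u" || exit 1; done
#   opts=$(chroot_socket_args /home $users) || { echo "more than $MAXFUNIX chroots" >&2; exit 1; }
#   # CentOS 5: append $opts to SYSLOGD_OPTIONS in /etc/sysconfig/syslog, then
#   # service syslog restart. Every new sftponly user needs another -a and a restart,
#   # because syslogd only binds the sockets it was started with.
```

Two things to check before expecting log lines. First, syslogd creates the socket file itself at startup, so it must be restarted whenever a chroot is added; the script only prepares the directory. Second, the posted sshd_config puts `-f LOCAL2 -l INFO` on the Subsystem line, but the Match block's `ForceCommand internal-sftp` starts its own in-process sftp server with default options, so those flags have to be repeated on the ForceCommand line for the sftponly users or the server logs at its default level (errors only) even once the socket exists. The 19-socket ceiling is sysklogd's; it is not a property of the chroot technique itself.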