And no sooner do I send the email than I spot the problem. Oops! Sorry
about that.
The sshd_config needed to contain a different internal-sftp line:
Match User test-sftp-only
ChrootDirectory /home/sftp/mcsosftp
ForceCommand internal-sftp -f AUTHPRIV -l INFO
PasswordAuthentication no
AuthorizedKeysCommand /usr/local/bin/get_sftp_key
That's gotten the test server working.
Unfortunately, the production server already has that setting, so it's back
to eliminating differences.
Jeff
On Mon, Sep 14, 2015 at 6:32 PM, Jeff Cours <jtcours.bulk at gmail.com> wrote:
> Hello everyone,
>
> We have some chrooted sftp-only users on a CentOS release 6.6 server. The
> server had been logging their actions, but after recent updates the logs
> have stopped.
>
> The server correctly logs non-chrooted users:
>
> Sep 14 17:47:24 vsecure4 sshd[1981]: Accepted publickey for jcours
> from 192.168.10.166 port 42545 ssh2
> Sep 14 17:47:24 vsecure4 sshd[1981]: pam_unix(sshd:session): session
> opened for user jcours by (uid=0)
> Sep 14 17:47:24 vsecure4 sshd[1983]: subsystem request for sftp
> Sep 14 17:47:24 vsecure4 internal-sftp[1984]: session opened for local
> user jcours from [192.168.10.166]
> Sep 14 17:47:24 vsecure4 internal-sftp[1984]: opendir "/home/jcours"
> Sep 14 17:47:24 vsecure4 internal-sftp[1984]: closedir "/home/jcours"
> Sep 14 17:47:49 vsecure4 internal-sftp[1984]: session closed for local
> user jcours from [192.168.10.166]
> Sep 14 17:47:19 vsecure4 sshd[1977]: pam_unix(sshd:session): session
> closed for user jcours
>
> but log messages for chrooted users do not appear:
>
> Sep 14 17:08:11 vsecure4 sshd[1730]: Accepted publickey for
> test-sftp-only from 192.168.10.166 port 41723 ssh2
> Sep 14 17:08:11 vsecure4 sshd[1730]: pam_unix(sshd:session): session
> opened for user test-sftp-only by (uid=0)
> Sep 14 17:08:11 vsecure4 sshd[1734]: subsystem request for sftp
> Sep 14 17:08:22 vsecure4 sshd[1730]: pam_unix(sshd:session): session
> closed for user test-sftp-only
>
> Notice that there are no "opendir" or "closedir" messages for the chrooted
> user, or anything else from the internal-sftp system, for that matter.
>
> /etc/sshd_config contains these settings:
>
> Subsystem sftp internal-sftp -f AUTHPRIV -l INFO
>
> Match User test-sftp-only
> ChrootDirectory /home/sftp/mcsosftp
> ForceCommand internal-sftp
> PasswordAuthentication no
> AuthorizedKeysCommand /usr/local/bin/get_sftp_key
>
> We've been setting up chrooted logging using this sequence:
>
> sudo mkdir /home/sftp/mcsosftp/dev
> sudo touch /home/sftp/mcsosftp/dev/log
> sudo chattr +i /home/sftp/mcsosftp/dev
> sudo mount --bind /dev/log /home/sftp/mcsosftp/dev/log
>
> /etc/rsyslog.conf includes the standard stuff for authpriv:
>
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
>
> I've tried forcing rsyslog.conf to listen to /dev/log:
>
> # We should be listening here.
> $SystemLogSocketName /dev/log
>
> I've also tried removing the hard-mounted /home/sftp/mcsosftp/dev/log and
> instead using this in /etc/rsyslog.conf:
>
> # For chrooted users, generally sftp-only users.
> $AddUnixListenSocket /home/sftp/mcsosftp/dev/log
>
> Neither approach seemed to help the problem, though rsyslogd does appear
> to be listening to the sockets:
>
> $ sudo lsof -c rsyslogd | grep dev/log
> lsof: WARNING: can't stat() devtmpfs file system /home/sftp/dev/log
> (deleted)
> Output information may be incomplete.
> rsyslogd 1963 root 0u unix 0xdc100040 0t0 15419 /dev/log
> rsyslogd 1963 root 3u unix 0xdbd27dc0 0t0 15421
> /home/sftp/mcsosftp/dev/log
>
> and file identifies both as sockets:
>
> $ file /dev/log
> /dev/log: socket
>
> $ sudo file /home/sftp/mcsosftp/dev/log
> /home/sftp/mcsosftp/dev/log: socket
>
> Here's additional system info for the development server I'm using to
> debug the problem:
>
> $ ls -l /dev/log
> srw-rw-rw- 1 root root 0 Sep 14 17:43 /dev/log
>
> $ sudo ls -l /home/sftp/mcsosftp/dev/log
> srw-rw-rw- 1 root root 0 Sep 14 17:43 /home/sftp/mcsosftp/dev/log
>
> $ ls -l /dev | grep log
> srw-rw-rw- 1 root root 0 Sep 14 17:43 log
> crw-rw---- 1 root root 10, 227 Sep 14 15:23 mcelog
>
> $ sudo ls -l /home/sftp/mcsosftp/dev | grep log
> srw-rw-rw- 1 root root 0 Sep 14 17:43 log
>
> $ cat /etc/redhat-release
> CentOS release 6.6 (Final)
>
> $ sestatus
> SELinux status: disabled
>
> $ grep test-sftp-only /etc/passwd
> test-sftp-only:x:507:507:Test SFTP
> Only:/home/sftp/mcsosftp:/sbin/nologin
>
> $ sudo yum list installed | egrep -E 'rsyslog|ssh|sftp'
> libssh2.i686 1.4.2-1.el6_6.1 @updates
> openssh.i686 5.3p1-104.el6_6.1 @updates
> openssh-clients.i686 5.3p1-104.el6_6.1 @updates
> openssh-server.i686 5.3p1-104.el6_6.1 @updates
> rsyslog.i686 5.8.10-10.el6_6 @updates
> vsftpd.i686 2.2.2-14.el6 @base
>
> Corresponding packages on the production server showing the same problem:
>
> $ sudo yum list installed | egrep -E 'rsyslog|ssh|sftp'
> libssh2.x86_64 1.4.2-1.el6_6.1
> @system-updates
> openssh.x86_64 5.3p1-112.el6_7
> @system-updates
> openssh-clients.x86_64 5.3p1-112.el6_7
> @system-updates
> openssh-server.x86_64 5.3p1-112.el6_7
> @system-updates
> rsyslog.x86_64 5.8.10-10.el6_6
> @system-updates
> rsyslog-gnutls.x86_64 5.8.10-10.el6_6
> @system-updates
>
>
> Does anyone have any ideas what the problem could be or how to diagnose it?
>
> Thanks very much in advance,
> Jeff
>
>