How to log internal-sftp chroot jailed users

We have been working with a customer that has a need to log events for
sftp users that are configured to use a chroot jail environment.

They need to log the commands entered and the files accessed by the
chroot user. Unfortunately all attempts to recreate what has been
done in other non-Red Hat discussions seem to fail. The events are
logged using sftp as long as they don't involve chroot'd users.
As soon as the users log in to the ChrootDirectory environment, the
logging stops and no errors are recorded, so we are assuming there are
no obvious errors in permissions or ownership of chroot'd directories
or files, and as per the existing documentation we cannot find any
errors in configuration. So we can only conclude that either a
step has been omitted or there is some vital code missing.

We have configured both 32 and 64 bit systems running RHES V6.1 with
ssh 5.3p1-52 on the 64 bit system and ssh 5.3p1-70 on the 32 bit system:

# rpm -qa | grep ssh
openssh-clients-5.3p1-52.el6.x86_64
libssh2-1.2.2-7.el6.x86_64
openssh-askpass-5.3p1-52.el6.x86_64
ksshaskpass-0.5.1-4.1.el6.x86_64
openssh-5.3p1-52.el6.x86_64
openssh-server-5.3p1-52.el6.x86_64

libssh2-1.2.2-7.el6.i686
openssh-askpass-5.3p1-70.el6.i686
ksshaskpass-0.5.1-4.1.el6.i686
openssh-clients-5.3p1-70.el6.i686
openssh-server-5.3p1-70.el6.i686
openssh-5.3p1-70.el6.i686

We have configured /etc/ssh/sshd_config with the appropriate entries
as per the suggested documentation:

Subsystem       sftp    internal-sftp -f LOCAL6 -l INFO

Match Group sftponly
        ChrootDirectory /chroots/%u
        AllowTcpForwarding no
        ForceCommand internal-sftp -f LOCAL6 -l INFO
        X11Forwarding no

And we have added the following line in /etc/rsyslog.conf to ensure
that the sftp entries will be separated out to sftp.log:

local6.*                                               /var/log/sftp.log

Also added to this file the following lines:

:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~

We have followed the recommendations in the following articles:

  https://access.redhat.com/kb/docs/DOC-54004

  https://access.redhat.com/kb/docs/DOC-42685

But all configurations end with the same results: nothing logged
for the chroot'd sftp user.

There does not appear to be any Red Hat documentation more
extensive than what we've posted.

Perhaps a new article is needed to show the details we might be missing?

Thanks

Responses

If you chroot like below,

Match Group sftp
        ChrootDirectory /chroots/%u
        AllowTcpForwarding no
        ForceCommand internal-sftp -f AUTHPRIV -l INFO
        X11Forwarding no

in which the user will be chrooted to /chroots/<username>, the user will not be able to access /dev. In that case you need to create a /dev/log in every user's home directory.

/etc/rsyslogd.conf
$AddUnixListenSocket /chroots/user1/dev/log
$AddUnixListenSocket /chroots/user2/dev/log

Also remember to configure SyslogFacility & LogLevel in /etc/ssh/sshd_config as described above.

Does anyone else need help on this discussion? There may be a step missing in the above configs. I got it to work with just simple configs on rsyslog.conf and sshd_config...

Hey Ray, could you post your solution please, thanks a lot.

Hello, I'm looking to implement the sftp log but nothing that I find has helped me completely. Do you have any additional suggestions? It would be very helpful.

Hi, in my company this worked for me:

1) Modify /etc/ssh/sshd_config

Subsystem sftp /usr/lib/openssh/sftp-server -l VERBOSE -f LOCAL0

Match Group sftponly
ChrootDirectory /var/www/html/%u
AllowTcpForwarding no
ForceCommand internal-sftp -f LOCAL0 -l INFO
X11Forwarding no

2) Create the folders /dev in each SFTP home of each user

mkdir /var/www/html/Juan/dev/

mkdir /var/www/html/Pedro/dev/

3) Modify /etc/rsyslog.conf (add lines)

local0.* /var/log/sftp-server.log

$AddUnixListenSocket /var/www/html/Juan/dev/log

$AddUnixListenSocket /var/www/html/Pedro/dev/log

(Note) where Juan and Pedro are the folders/homes of each SFTP user

4) Restart services

service sshd restart

service rsyslog restart

5) Review that in each dev folder a socket called log exists.

ls -la /var/www/html/Juan/dev/

srw-rw-rw-. 1 root root 0 Aug 23 17:03 log

ls -la /var/www/html/Pedro/dev/

srw-rw-rw-. 1 root root 0 Aug 23 17:03 log

6) Review the new events in:

tail -f /var/log/sftp-server.log

Best regards
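As an added, constructed example (not code from any post in this thread), the following POSIX shell helpers automate the steps in Juan's answer and the earlier /dev/log suggestion: they create the dev directory under each chroot, emit the rsyslog lines, and verify that rsyslog actually created the socket, which is the silent failure Josly describes when storage moves between nodes. It assumes the ChrootDirectory /chroots/%u layout and the LOCAL6 facility from the original question; CHROOT_BASE, LOGFILE and the user names are placeholders.

```shell
#!/bin/sh
# Added example: helper functions for per-chroot syslog sockets used by
# internal-sftp.  Assumes ChrootDirectory /chroots/%u and facility LOCAL6
# (as in the question); override CHROOT_BASE / LOGFILE to match your setup.

CHROOT_BASE="${CHROOT_BASE:-/chroots}"
LOGFILE="${LOGFILE:-/var/log/sftp.log}"

# Print an rsyslog fragment: the facility rule routing LOCAL6 to its own
# file, plus one extra unix listener inside each chroot so that the jailed
# internal-sftp process can find a /dev/log to write to.
gen_rsyslog_conf() {
    printf 'local6.*    %s\n' "$LOGFILE"
    for u in "$@"; do
        printf '$AddUnixListenSocket %s/%s/dev/log\n' "$CHROOT_BASE" "$u"
    done
}

# Create <chroot>/dev for each user.  Keep it root-owned and not writable
# by the jailed user; rsyslog (running as root) creates the socket itself.
make_dev_dirs() {
    for u in "$@"; do
        mkdir -p "$CHROOT_BASE/$u/dev" || return 1
        chmod 755 "$CHROOT_BASE/$u/dev" || return 1
    done
}

# Return 0 only when every chroot has a socket at dev/log.  A missing
# socket (for example after the storage moved to another node, so rsyslog
# never recreated it) drops all sftp events without any error; the fix is
# to restart rsyslog.
check_sockets() {
    rc=0
    for u in "$@"; do
        s="$CHROOT_BASE/$u/dev/log"
        if [ -S "$s" ]; then
            echo "ok: $s"
        else
            echo "missing socket: $s (restart rsyslog)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Typical use (as root), with placeholder user names:
#   make_dev_dirs alice bob
#   gen_rsyslog_conf alice bob >> /etc/rsyslog.conf
#   service rsyslog restart && check_sockets alice bob
```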

Hi Juan,

Thanks for this; it worked for me as well. Although I did notice that the socket file 'log' is sometimes not created or not updated when the storage is moved from one node to another. And because of this, no new logs are being written in sftp-server.log even when the ssh server is running and accepting connections. A restart of rsyslog solves this issue but I'm not always available to run this command whenever the resources move. Did you face the same problem?

Hi Josly,

How do your resources move from one node to another? Are you using a load balancer or Red Hat HA?

  • For Red Hat HA you could add rsyslog as a resource so a failover could trigger an rsyslog restart.

  • Using a load balancer, I do not have a suggestion.

Regards,

Jan Gerrit

Is there a way to hide the directory containing the individual user socket? I tried with ".dev" but it did not appear to work. "dev2" worked though, so it's not apparently necessary to be "dev" specifically.

The reason I'd like to hide it is I would prefer for simplicity's sake if chrooted users could only see the "data" directory they are supposed to use.