    How to log internal-sftp chroot jailed users

    We have been working with a customer that has a need to log events for
    sftp users that are configured to use a chroot jail environment.

    They need to log the commands entered and the files accessed by the
    chroot user. Unfortunately all attempts to recreate what has been
    done in other non-Red Hat discussions seem to fail. The events are
    logged using sftp as long as they don't involve chroot'd users.
    As soon as the users log in to the ChrootDirectory environment, the
    logging stops and no errors are recorded, so we are assuming there are
    no obvious errors in permissions or ownership of chroot'd directories
    or files and, as per the existing documentation, we cannot find any
    errors in configuration. So we can only conclude that either a
    step has been omitted or there is some vital code missing.

    We have configured both 32 and 64 bit systems running RHES V6.1 with
    ssh 5.3p1-52 on the 64 bit system and ssh 5.3p1-70 on the 32 bit system:

    # rpm -qa | grep ssh
    openssh-clients-5.3p1-52.el6.x86_64
    libssh2-1.2.2-7.el6.x86_64
    openssh-askpass-5.3p1-52.el6.x86_64
    ksshaskpass-0.5.1-4.1.el6.x86_64
    openssh-5.3p1-52.el6.x86_64
    openssh-server-5.3p1-52.el6.x86_64

    libssh2-1.2.2-7.el6.i686
    openssh-askpass-5.3p1-70.el6.i686
    ksshaskpass-0.5.1-4.1.el6.i686
    openssh-clients-5.3p1-70.el6.i686
    openssh-server-5.3p1-70.el6.i686
    openssh-5.3p1-70.el6.i686

    We have configured /etc/ssh/sshd_config with the appropriate entries
    as per the suggested documentation:

    Subsystem       sftp    internal-sftp -f LOCAL6 -l INFO


    Match Group sftponly
            ChrootDirectory /chroots/%u
            AllowTcpForwarding no
            ForceCommand internal-sftp -f LOCAL6 -l INFO
            X11Forwarding no

    And we have added the following line in /etc/rsyslog.conf to ensure
    that the sftp entries will be separated out to sftp.log:

    local6.*                                               /var/log/sftp.log

    Also added to this file the following lines:

    :programname, isequal, "internal-sftp" -/var/log/sftp.log
    :programname, isequal, "internal-sftp" ~

    We have followed the recommendations in the following articles:

      https://access.redhat.com/kb/docs/DOC-54004
      https://access.redhat.com/kb/docs/DOC-42685

    But all configurations end with the same results: nothing logged
    for the chroot'd sftp user.

    There does not appear to be any Red Hat documentation any more
    extensive than what we've posted.

    Perhaps a new article is needed to show the details we might be missing?

    Thanks
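As an added example (not part of the original post or of Red Hat's documentation): once a session is chrooted, internal-sftp's syslog(3) call opens /dev/log relative to the jail, so unless rsyslog also listens on a socket inside each chroot the messages are dropped with no error reported to the caller, which matches the "logging just stops" symptom described above. The script below emulates that with a constructed jail under a temporary directory and generates the legacy rsyslog (v5, as shipped with RHEL 6) imuxsock directives that create the per-chroot listener; the /chroots/alice path is a constructed stand-in for the ChrootDirectory /chroots/%u pattern, and the sample message is constructed.

```python
import os
import socket
import stat
import tempfile

def chroot_log_socket_check(chroot):
    """Checks a jail needs before a chrooted internal-sftp can reach syslog."""
    dev = os.path.join(chroot, "dev")
    log = os.path.join(dev, "log")
    return {
        "dev_dir_exists": os.path.isdir(dev),
        "dev_log_is_socket": os.path.exists(log)
        and stat.S_ISSOCK(os.stat(log).st_mode),
    }

def rsyslog_listener_lines(chroot_dirs):
    """Legacy rsyslog (v5) directives: imuxsock binds one extra listener
    socket inside each jail at start-up, in addition to the host /dev/log."""
    return ["$ModLoad imuxsock"] + [
        "$AddUnixListenSocket %s/dev/log" % d for d in chroot_dirs]

def send_from_chroot(chroot, message):
    """Emulate syslog(3) inside a jail: /dev/log resolves to <chroot>/dev/log.
    Returns True only when a listener accepted the datagram; glibc reports
    nothing to the caller on failure, so sshd logs no error either."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.sendto(message.encode(), os.path.join(chroot, "dev", "log"))
        return True
    except OSError:  # ENOENT or ECONNREFUSED: message silently dropped
        return False
    finally:
        sock.close()

# <182> = facility LOCAL6 (22) * 8 + severity INFO (6), matching "-f LOCAL6 -l INFO"
SAMPLE = '<182>internal-sftp[4242]: open "/upload/report.txt" flags READ mode 0666'

def demo():
    """Constructed jail under a temp dir standing in for /chroots/%u."""
    with tempfile.TemporaryDirectory() as root:
        jail = os.path.join(root, "chroots", "alice")
        os.makedirs(os.path.join(jail, "dev"))  # the dev directory must exist
        before = send_from_chroot(jail, SAMPLE)  # no socket yet: dropped
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        listener.bind(os.path.join(jail, "dev", "log"))  # what imuxsock does
        after = send_from_chroot(jail, SAMPLE)  # now delivered
        received = listener.recv(4096).decode()
        listener.close()
        return before, after, received
```

On the real host the jail root must stay root-owned and not group/world-writable for sshd to accept the ChrootDirectory, and rsyslog must be restarted after the directives are added so the socket is created.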
