We have been working with a customer that has a need to log events for
sftp users that are configured to use a chroot jail environment.
They need to log the commands entered and the files accessed by the
chroot user. Unfortunately all attempts to recreate what has been
done in other non-Red Hat discussions seem to fail. The events are
logged using sftp as long as they don't involve chroot'd users.
As soon as the users log in to the chrootdirectory environment, the
logging stops and no errors are recorded so we are assuming there are
no obvious errors in permissions or ownership of chroot'd directories
or files and as per the existing documentation, we cannot find any
errors in configuration. So we can only conclude that either a
step has been omitted or there is some vital code missing.
We have configured both 32 and 64 bit systems running RHES V6.1 with
ssh 5.3p1-52 on the 64 bit system and ssh 5.3p1-70 on the 32 bit system:
# rpm -qa | grep ssh
We have configured /etc/ssh/sshd_config with the appropriate entries
as per the suggested documentation:
Subsystem sftp internal-sftp -f LOCAL6 -l INFO
Match Group sftponly
ForceCommand internal-sftp -f LOCAL6 -l INFO
And we have added the following line in /etc/rsyslog.conf to ensure
that the sftp entries will be separated out to sftp.log:
Also added to this file the following lines:
:programname, isequal, "internal-sftp" -/var/log/sftp.log
:programname, isequal, "internal-sftp" ~
We have followed the recommendations in the following articles:
There does not appear to be any Red Hat documentation any more
extensive than what we've posted.
Perhaps a new article is needed to show the details we might be missing?