SFTP logging for Chroot on CentOS 6.2 with openssh-5.3 not working (internal-sftp)
Hello all, and thanks in advance for any replies.
I did search for this topic on this forum, and with Google. I found some promising information, but I have not been able to get this to work yet.
I'm hoping for some help getting SFTP logging detail to /var/log/sftp.log, for Chrooted users.
I've been able to get the jailed chroot working, but when I sftp a file, the only logs I see are in the /var/log/secure file, and they only include authentication information, like:
Aug 29 10:07:40 superbadjr sshd[25120]: Accepted password for ...
Aug 29 10:07:40 superbadjr sshd[25120]: pam_unix(sshd:session): session opened for user...
Aug 29 10:07:40 superbadjr sshd[25122]: subsystem request for sftp
Aug 29 10:08:40 superbadjr sshd[25120]: pam_unix(sshd:session): session closed for user...
I would like for the sftp.log file to include the open and close log entries, like:
Aug 28 11:26:20 superbadjr internal-sftp[30116]: open "/var/ftp/sftproot/wegener/status.txt" flags WRITE,CREATE,TRUNCATE mode 0666
Aug 28 11:26:20 superbadjr internal-sftp[30116]: close "/var/ftp/sftproot/wegener/status.txt" bytes read 0 written 293825
Note -- non-chrooted users log to the sftp.log file just fine.
Here are the changes I've made to the /etc/ssh/sshd_config file:
#Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
Subsystem sftp internal-sftp -l INFO -f AUTH
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
Note - the home directory I'm using for the above "%h" is /var/ftp/sftproot
Here are the changes I've made to /etc/rsyslog.conf:
auth.info /var/log/sftp.log
# Create an additional socket for some of the sshd chrooted users:
$AddUnixListenSocket /var/ftp/sftproot/dev/log
Note - I did create the /var/ftp/sftproot/dev directory, and the "log" socket did get created upon restarting the rsyslog service.
If there is any further information I could provide to help, please let me know.
Again, thanks for any replies.
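
A check for the configuration quoted above, added here as an example and not part of the original post: for users matched by a Match block, sshd runs the ForceCommand string in place of the Subsystem command, so logging flags given only on the Subsystem line do not carry over. The helper name sftp_log_audit and the sample file are constructed for illustration; whether this accounts for the missing entries on the poster's system is an assumption.

```shell
#!/bin/sh
# Added example (not from the post). sftp_log_audit is a hypothetical helper.
# Lists every "ForceCommand internal-sftp" line that has no -l flag, with the
# Match block it sits in. Exit status is 1 when at least one is found.
sftp_log_audit() {
    awk '
        # Join fields n+1..NF back into one string.
        function args_after(n,    i, s) {
            s = ""
            for (i = n + 1; i <= NF; i++) s = s (s == "" ? "" : " ") $i
            return s
        }
        BEGIN { scope = "global" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        { key = tolower($1) }                    # keywords are case-insensitive
        key == "match" { scope = args_after(0); next }
        key == "subsystem" && $2 == "sftp" { sub_args = args_after(3); next }
        key == "forcecommand" && $2 == "internal-sftp" {
            has_l = 0
            for (i = 3; i <= NF; i++) if ($i == "-l") has_l = 1
            if (!has_l) {
                printf "%s: ForceCommand internal-sftp has no -l flag\n", scope
                bad++
            }
        }
        END {
            if (bad && sub_args != "")
                print "Subsystem flags not repeated there: " sub_args
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample mirroring the sshd_config lines quoted in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f AUTH
Subsystem sftp internal-sftp -l INFO -f AUTH
Match Group sftponly
ChrootDirectory %h
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
EOF
sftp_log_audit "$sample" || echo "audit: findings reported above"
rm -f "$sample"
```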