sftp, syslog level, chrooted users in a jail
Mike Tancsa
mike at sentex.net
Wed Dec 16 15:50:09 UTC 2015
I am trying to increase the verbosity of sftp's syslog, but am running
into a problem because the users are chrooted and ssh is running in a jail.
My setup -- simple qjail with defaults
Inside it, I have the user
test1sftp:*:1002:1002:User &:/home/test1:/bin/false
and in /etc/ssh/sshd_config I have
Match user *
ChrootDirectory %h
ForceCommand internal-sftp -l debug1
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
/home/test1sftp
# ls -l /home/test1sftp
total 27
drwxr-xr-x 5 root wheel uarch 5 Dec 16 10:04 .
drwxrwxr-x 2 root wheel uarch 4 Dec 16 10:37 dev
drwxr-xr-x 3 test1sftp test1sftp uarch 6 Dec 16 10:37 uploadhere
In the dev directory, if I make
# ls -l /home/test1sftp/dev/
total 2
drwxrwxr-x 2 root wheel uarch 4 Dec 16 10:37 .
drwxr-xr-x 5 root wheel uarch 5 Dec 16 10:04 ..
srw-rw-rw- 2 root wheel uarch 0 Dec 16 10:05 log
srw------- 2 root wheel uarch 0 Dec 16 10:05 logpriv
ln /var/run/logpriv logpriv
ln /var/run/log log
I can get it to work.
10:44:58 sshd
10:44:58 sshd: Accepted publickey for test1sftp from xxxx port 30534
ssh2: RSA 51:2e:....
10:44:58 sshd: User child is on pid 83522
10:44:58 sshd: Changed root directory to "/home/test1sftp"
10:44:58 sshd: Starting session: forced-command (config) 'internal-sftp
-l verbose' for test1sftp from xxx port 30534
10:44:58 internal-sftp
10:44:58 internal-sftp: received client version 3
10:44:58 internal-sftp: realpath "."
10:45:00 /usr/sbin/cron: (root) CMD (/usr/libexec/atrun)
10:45:02 internal-sftp: realpath "/uploadhere"
10:45:02 internal-sftp: stat name "/uploadhere"
10:45:04 internal-sftp: opendir "/uploadhere/"
10:45:04 internal-sftp: closedir "/uploadhere/"
10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
10:45:04 internal-sftp: remove name "/uploadhere/valid-ip.c"
10:45:09 internal-sftp: open "/uploadhere/valid-ip.c" flags
WRITE,CREATE,TRUNCATE mode 0644
10:45:09 internal-sftp: close "/uploadhere/valid-ip.c" bytes read 0
written 615
10:45:10 internal-sftp: opendir "/uploadhere"
10:45:10 internal-sftp: closedir "/uploadhere"
10:45:11 internal-sftp
10:45:11 sshd: Received disconnect from xxxx: 11: disconnected by user
I have a few hundred users. Apart from creating dev/log hard links for
every home directory, is there a different way to go about this?
Are there any security issues I need to be aware of?
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
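The per-home hard-link approach described in the post, scripted for a few hundred chroots, as an added example that is not part of the original message. It assumes the syslogd socket is /var/run/log (the path used in the post), that every chrooted home sits directly under a base directory (the /home default and the --apply flag are hypothetical, for illustration), and that the script is run as root so the dev directory it creates is root-owned, which sshd's ChrootDirectory requires. It links only the world-writable log socket: the chrooted sftp process runs unprivileged and cannot use the 0600 logpriv socket anyway, so there is no reason to expose it inside the chroot. The script also repairs a gotcha of hard-linked sockets: when syslogd restarts it unlinks and recreates /var/run/log, so every hard link still points at the old, dead inode and logging silently stops until the links are redone.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Keeps HOME/dev/log hard-linked to the syslogd socket in each chrooted sftp
# home so internal-sftp can log from inside the chroot.
# Assumed defaults (adjust for your jail): socket at /var/run/log, homes under /home.
SYSLOG_SOCK="${SYSLOG_SOCK:-/var/run/log}"
CHROOT_BASE="${CHROOT_BASE:-/home}"

# link_syslog_socket SRC HOME
# Ensures HOME/dev/log is a hard link to SRC. Prints "created", "current" or
# "relinked" on success; prints a reason to stderr and returns 1 on failure.
link_syslog_socket() {
    src="$1"
    home="$2"
    dst="$home/dev/log"

    [ -e "$src" ] || { echo "missing source socket: $src" >&2; return 1; }
    [ -d "$home" ] || { echo "not a directory: $home" >&2; return 1; }

    # ChrootDirectory requires every path component to be root-owned and not
    # group/world-writable. The dev directory is created 0755 (run as root) so
    # the chrooted user cannot replace "log" with a socket or file of their own.
    if [ ! -d "$home/dev" ]; then
        mkdir -m 0755 "$home/dev" || return 1
    fi

    if [ -e "$dst" ]; then
        # A hard link pins the old inode. After a syslogd restart the socket
        # path has a new inode, so a link that is no longer the same file as
        # the source is stale and must be recreated.
        if [ "$dst" -ef "$src" ]; then
            echo current
            return 0
        fi
        rm -f "$dst" || return 1
        ln "$src" "$dst" || { echo "relink failed: is $src on another filesystem?" >&2; return 1; }
        echo relinked
        return 0
    fi

    # Hard links cannot cross filesystems: /var/run and the home directories
    # must be on the same one (as they are in the simple jail from the post).
    ln "$src" "$dst" || { echo "link failed: is $src on another filesystem?" >&2; return 1; }
    echo created
}

# link_all_homes SRC BASE
# Applies link_syslog_socket to every directory directly under BASE. Safe to
# rerun (from cron, or from a script that restarts syslogd) so stale links
# get fixed; returns 1 if any home could not be linked.
link_all_homes() {
    src="$1"
    base="$2"
    rc=0
    for home in "$base"/*/; do
        [ -d "$home" ] || continue
        home="${home%/}"
        printf '%s: ' "$home"
        link_syslog_socket "$src" "$home" || rc=1
    done
    return $rc
}

# Touch the real system only when asked explicitly, so the file can be
# sourced for its functions without side effects.
if [ "${1:-}" = "--apply" ]; then
    link_all_homes "$SYSLOG_SOCK" "$CHROOT_BASE"
fi
```

Run it as root after any syslogd restart (or from cron) so the links stay current; anything it prints as "relinked" was a home whose logging had silently stopped. Two things worth watching once this is in place: the world-writable log socket lets every chrooted user write arbitrary syslog lines, so treat the sftp log as untrusted input and rate-limit or filter it if the users are not trusted, and keep dev/ root-owned and 0755 so a user cannot swap the link for something else. FreeBSD's syslogd also has a -l option that creates additional sockets at paths you name, which avoids the stale-link problem entirely for a handful of chroots; for a few hundred homes the hard-link approach above is easier to manage.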