sftp, syslog level, chrooted users in a jail
Ernie Luzar
luzar722 at gmail.com
Fri Dec 18 21:57:04 UTC 2015
Mike Tancsa wrote:
> I am trying to increase the verbosity of sftp's syslog, but am running
> into a problem because the users are chrooted and ssh is running in a jail.
>
> My setup -- simple qjail with defaults
>
> I have inside, the user
>
> test1sftp:*:1002:1002:User &:/home/test1:/bin/false
>
> and in /etc/ssh/sshd_config I have
>
> Match user *
> ChrootDirectory %h
> ForceCommand internal-sftp -l debug1
> AllowTcpForwarding no
> PermitTunnel no
> X11Forwarding no
>
> /home/test1sftp
>
> # ls -l /home/test1sftp
> total 27
> drwxr-xr-x 5 root wheel uarch 5 Dec 16 10:04 .
> drwxrwxr-x 2 root wheel uarch 4 Dec 16 10:37 dev
> drwxr-xr-x 3 test1sftp test1sftp uarch 6 Dec 16 10:37 uploadhere
>
>
> In the dev directory, if I make
> # ls -l /home/test1sftp/dev/
> total 2
> drwxrwxr-x 2 root wheel uarch 4 Dec 16 10:37 .
> drwxr-xr-x 5 root wheel uarch 5 Dec 16 10:04 ..
> srw-rw-rw- 2 root wheel uarch 0 Dec 16 10:05 log
> srw------- 2 root wheel uarch 0 Dec 16 10:05 logpriv
>
>
>
> ln /var/run/logpriv logpriv
> ln /var/run/log log
>
> I can get it to work.
>
>
> 10:44:58 sshd
> 10:44:58 sshd: Accepted publickey for test1sftp from xxxx port 30534
> ssh2: RSA 51:2e:....
> 10:44:58 sshd: User child is on pid 83522
> 10:44:58 sshd: Changed root directory to "/home/test1sftp"
> 10:44:58 sshd: Starting session: forced-command (config) 'internal-sftp
> -l verbose' for test1sftp from xxx port 30534
> 10:44:58 internal-sftp
> 10:44:58 internal-sftp: received client version 3
> 10:44:58 internal-sftp: realpath "."
> 10:45:00 /usr/sbin/cron: (root) CMD (/usr/libexec/atrun)
> 10:45:02 internal-sftp: realpath "/uploadhere"
> 10:45:02 internal-sftp: stat name "/uploadhere"
> 10:45:04 internal-sftp: opendir "/uploadhere/"
> 10:45:04 internal-sftp: closedir "/uploadhere/"
> 10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
> 10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
> 10:45:04 internal-sftp: remove name "/uploadhere/valid-ip.c"
> 10:45:09 internal-sftp: open "/uploadhere/valid-ip.c" flags
> WRITE,CREATE,TRUNCATE mode 0644
> 10:45:09 internal-sftp: close "/uploadhere/valid-ip.c" bytes read 0
> written 615
> 10:45:10 internal-sftp: opendir "/uploadhere"
> 10:45:10 internal-sftp: closedir "/uploadhere"
> 10:45:11 internal-sftp
> 10:45:11 sshd: Received disconnect from xxxx: 11: disconnected by user
>
>
> I have a few hundred users. Apart from creating dev/log hard links for
> every home directory, is there a different way to go about this ?
>
> Are there any security issues I need to be aware of ?
>
> ---Mike
>
Let me be sure I understand your setup correctly: ssh, sftp, and all the
users are defined in the same jail.
In the jail remove ChrootDirectory %h option from sshd_config.
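A check for the "few hundred users" and "security issues" parts of the question, added here as an example and not code from either poster: it audits each chrooted home for the root ownership and non-writable mode that sshd requires on a ChrootDirectory, and reports whether the per-home dev/log socket from the question is in place. Homes under /home and a syslogd socket at /var/run/log are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Audits each chrooted sftp home against
# the conditions sshd enforces on ChrootDirectory (root-owned, not writable
# by group/other) and reports whether the per-chroot dev/log socket from the
# question exists. Assumed paths: homes under $SFTP_HOMES, syslogd socket at
# /var/run/log.
SFTP_HOMES=${SFTP_HOMES:-/home}
LOG_SOCK=${LOG_SOCK:-/var/run/log}

# perm_string DIR: the 10-char mode field of ls -ld (same on FreeBSD and GNU
# ls, unlike stat's format flags)
perm_string() { ls -ld "$1" | cut -c1-10; }
# owner_of DIR: owner name from ls -ld
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# chroot_mode_ok DIR: true if neither group (char 6) nor other (char 9) has w
chroot_mode_ok() {
    case "$(perm_string "$1")" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}
# chroot_owner_ok DIR: true if owned by root
chroot_owner_ok() { [ "$(owner_of "$1")" = root ]; }
# log_socket_ok HOME: true if HOME/dev/log exists and is a socket. Note that
# dev/log is world-writable (srw-rw-rw- in the listing), so every chrooted
# user can write syslog messages; dev/logpriv must stay root-only.
log_socket_ok() { [ -S "$1/dev/log" ]; }

# audit_home HOME: prints "ok" or the list of problems; exit 1 on any problem
audit_home() {
    h=$1; probs=""
    chroot_owner_ok "$h" || probs="$probs not-root-owned"
    chroot_mode_ok "$h"  || probs="$probs group-or-other-writable"
    log_socket_ok "$h"   || probs="$probs missing-dev-log-socket"
    if [ -z "$probs" ]; then echo ok; return 0; fi
    echo "${probs# }"; return 1
}

# link_log_socket HOME: the hard-link step from the question; it only works
# when HOME and $LOG_SOCK are on the same filesystem, so report failure
link_log_socket() {
    [ -d "$1/dev" ] || mkdir -m 0755 "$1/dev"
    if [ -S "$1/dev/log" ]; then return 0; fi
    ln "$LOG_SOCK" "$1/dev/log" || { echo "hard link into $1/dev failed (other filesystem?)" >&2; return 1; }
}

# audit every home: run as "sh this.sh audit"
case "${1:-}" in audit) for h in "$SFTP_HOMES"/*; do [ -d "$h" ] && printf '%s: %s\n' "$h" "$(audit_home "$h")"; done ;; esac
```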