From owner-freebsd-questions@freebsd.org Sat Dec 19 03:11:49 2015
Message-ID: <5674CB09.3040000@gmail.com>
Date: Sat, 19 Dec 2015 11:12:09 +0800
From: Ernie Luzar
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
To: mike tancsa
CC: freebsd-questions
Subject: Re: sftp, syslog level, chrooted users in a jail
References: <5671882E.3040509@sentex.net> <56748142.4030907@gmail.com> <151b73318f0.2765.e68d32c7521a042b3773fe36a0156dc7@sentex.net>
In-Reply-To: <151b73318f0.2765.e68d32c7521a042b3773fe36a0156dc7@sentex.net>
List-Id: User questions

>> Mike Tancsa wrote:
>>> I am trying to increase the verbosity of sftp's syslog, but am running
>>> into a problem because the users are chrooted and ssh is running in a
>>> jail.
>>>
>>> My setup -- simple qjail with defaults
>>>
>>> I have inside, the user
>>>
>>> test1sftp:*:1002:1002:User &:/home/test1:/bin/false
>>>
>>> and in /etc/ssh/sshd_config I have
>>>
>>> Match user *
>>>         ChrootDirectory %h
>>>         ForceCommand internal-sftp -l debug1
>>>         AllowTcpForwarding no
>>>         PermitTunnel no
>>>         X11Forwarding no
>>>
>>> /home/test1sftp
>>>
>>> # ls -l /home/test1sftp
>>> total 27
>>> drwxr-xr-x  5 root       wheel      uarch  5 Dec 16 10:04 .
>>> drwxrwxr-x  2 root       wheel      uarch  4 Dec 16 10:37 dev
>>> drwxr-xr-x  3 test1sftp  test1sftp  uarch  6 Dec 16 10:37 uploadhere
>>>
>>>
>>> In the dev directory, if I make
>>> # ls -l /home/test1sftp/dev/
>>> total 2
>>> drwxrwxr-x  2 root  wheel  uarch  4 Dec 16 10:37 .
>>> drwxr-xr-x  5 root  wheel  uarch  5 Dec 16 10:04 ..
>>> srw-rw-rw-  2 root  wheel  uarch  0 Dec 16 10:05 log
>>> srw-------  2 root  wheel  uarch  0 Dec 16 10:05 logpriv
>>>
>>>
>>> ln /var/run/logpriv logpriv
>>> ln /var/run/log log
>>>
>>> I can get it to work.
>>>
>>>
>>> 10:44:58 sshd
>>> 10:44:58 sshd: Accepted publickey for test1sftp from xxxx port 30534
>>> ssh2: RSA 51:2e:....
>>> 10:44:58 sshd: User child is on pid 83522
>>> 10:44:58 sshd: Changed root directory to "/home/test1sftp"
>>> 10:44:58 sshd: Starting session: forced-command (config) 'internal-sftp
>>> -l verbose' for test1sftp from xxx port 30534
>>> 10:44:58 internal-sftp
>>> 10:44:58 internal-sftp: received client version 3
>>> 10:44:58 internal-sftp: realpath "."
>>> 10:45:00 /usr/sbin/cron: (root) CMD (/usr/libexec/atrun)
>>> 10:45:02 internal-sftp: realpath "/uploadhere"
>>> 10:45:02 internal-sftp: stat name "/uploadhere"
>>> 10:45:04 internal-sftp: opendir "/uploadhere/"
>>> 10:45:04 internal-sftp: closedir "/uploadhere/"
>>> 10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
>>> 10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
>>> 10:45:04 internal-sftp: remove name "/uploadhere/valid-ip.c"
>>> 10:45:09 internal-sftp: open "/uploadhere/valid-ip.c" flags
>>> WRITE,CREATE,TRUNCATE mode 0644
>>> 10:45:09 internal-sftp: close "/uploadhere/valid-ip.c" bytes read 0
>>> written 615
>>> 10:45:10 internal-sftp: opendir "/uploadhere"
>>> 10:45:10 internal-sftp: closedir "/uploadhere"
>>> 10:45:11 internal-sftp
>>> 10:45:11 sshd: Received disconnect from xxxx: 11: disconnected by user
>>>
>>>
>>> I have a few hundred users. Apart from creating dev/log hard links for
>>> every home directory, is there a different way to go about this?
>>>
>>> Are there any security issues I need to be aware of?
>>>
>>> ---Mike
>>>
>>
>> Let me be sure I understand your setup correctly: ssh, sftp, and all the
>> users are defined in the same jail.
>>
>> In the jail remove the ChrootDirectory %h option from sshd_config.
>>

mike tancsa wrote:
> Hi, thanks for the reply. Yes, all the users (a few hundred) are all in
> one jail. However the users must be chrooted into their own directories
> for security reasons. Hence, I cannot remove the chroot option and am
> left with the issue of logging.
>

You state "all the users (a few hundred) are all in one jail".
Do you mean to say the users are in the SAME jail as ssh and sftp? If that is the case, then the ssh ChrootDirectory is inappropriate. It's intended for ssh running on the host and is the cause of your sftp log problems. Your host system is already protected by the ssh jail and the file permissions of the users' sftp directories. Overkill is hurting you in this case. It won't hurt to test it out before rejecting it.
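The thread leaves the per-home hard-link step (ln /var/run/log <home>/dev/log) as a manual task. The script below is an added example, not code from either poster or from FreeBSD; it repeats that step for many home directories and adds the checks worth making before doing it a few hundred times: the chroot root must satisfy sshd's ChrootDirectory ownership rules, the source must really be a socket, the link cannot cross filesystems, and re-running it must be harmless. The function names, the dev/log destination and the constructed demo tree are this example's own assumptions; the default /var/run/log source mirrors the socket shown in the thread. Only the world-writable log socket is linked, because internal-sftp runs as the unprivileged user and cannot open the 0600 logpriv socket anyway.

```python
"""Place a syslog socket inside each chrooted sftp user's home.

Added example for this thread, not code from the original posters or from
FreeBSD. It automates the step shown in the thread (ln /var/run/log
<home>/dev/log) for many home directories and adds the checks worth making
before touching a few hundred of them. Function names and the demo tree are
this example's own; the default socket path mirrors FreeBSD's /var/run/log.
"""
import os
import socket
import stat
import sys
import tempfile
from typing import Dict, Iterable, List, Optional


def chroot_root_problem(root: str, require_root_owner: bool = True) -> Optional[str]:
    """Return None if `root` meets sshd's ChrootDirectory rules, else the reason.

    sshd refuses a chroot whose directory is not owned by root or is writable
    by group or others. require_root_owner=False exists only so the demo can
    run as an unprivileged user.
    """
    st = os.lstat(root)
    if not stat.S_ISDIR(st.st_mode):
        return "not a directory"
    if require_root_owner and st.st_uid != 0:
        return "not owned by root"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group or world writable"
    return None


def same_inode(path_a: str, path_b: str) -> bool:
    """True when both paths are hard links to the same inode on the same device."""
    a, b = os.lstat(path_a), os.lstat(path_b)
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def provision_log_socket(chroot_root: str, src_socket: str = "/var/run/log",
                         dst_rel: str = "dev/log",
                         require_root_owner: bool = True) -> str:
    """Hard-link src_socket to <chroot_root>/<dst_rel>; return 'linked' or 'already'."""
    problem = chroot_root_problem(chroot_root, require_root_owner)
    if problem:
        raise ValueError(f"{chroot_root}: {problem}")
    src = os.lstat(src_socket)
    if not stat.S_ISSOCK(src.st_mode):
        raise ValueError(f"{src_socket}: not a socket")
    dst = os.path.join(chroot_root, dst_rel)
    os.makedirs(os.path.dirname(dst), mode=0o755, exist_ok=True)
    # A hard link cannot cross filesystems: the chroot's dev/ must sit on the
    # same device as the socket (here /home and /var on one filesystem).
    if os.lstat(os.path.dirname(dst)).st_dev != src.st_dev:
        raise ValueError(f"{dst}: not on the same filesystem as {src_socket}")
    if os.path.lexists(dst):
        if same_inode(dst, src_socket):
            return "already"          # idempotent: the socket is already linked here
        raise ValueError(f"{dst}: exists but is not {src_socket}")
    os.link(src_socket, dst)
    return "linked"


def provision_all(chroot_roots: Iterable[str], **kwargs) -> Dict[str, List[str]]:
    """Run provision_log_socket over many homes; one bad home does not stop the rest."""
    report: Dict[str, List[str]] = {"linked": [], "already": [], "errors": []}
    for root in chroot_roots:
        try:
            report[provision_log_socket(root, **kwargs)].append(root)
        except (OSError, ValueError) as exc:
            report["errors"].append(f"{root}: {exc}")
    return report


def make_demo_tree() -> Dict[str, str]:
    """Constructed fixture: a fake /var/run/log socket plus one good and one bad home."""
    base = tempfile.mkdtemp(prefix="sftp-chroot-demo-")
    run = os.path.join(base, "var", "run")
    os.makedirs(run)
    sock = os.path.join(run, "log")
    holder = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    holder.bind(sock)                  # creates the socket inode, as syslogd would
    os.chmod(sock, 0o666)
    good = os.path.join(base, "home", "alice")
    bad = os.path.join(base, "home", "bob")
    os.makedirs(good)
    os.makedirs(bad)
    os.chmod(good, 0o755)              # what sshd expects of a ChrootDirectory
    os.chmod(bad, 0o777)               # world writable: sshd would refuse this chroot
    return {"socket": sock, "good": good, "bad": bad}


if __name__ == "__main__":
    if len(sys.argv) > 1:              # real use: python3 this.py /home/user1 /home/user2 ...
        out = provision_all(sys.argv[1:])
    else:                              # no arguments: run against the constructed demo tree
        tree = make_demo_tree()
        out = provision_all([tree["good"], tree["bad"]], src_socket=tree["socket"],
                            require_root_owner=False)
    for key, items in out.items():
        for item in items:
            print(f"{key}: {item}")
```

Run with no arguments it exercises the constructed tree; with a list of home directories it provisions them as root inside the jail. The same-inode check is what makes it safe to rerun from cron after new accounts are added, and the per-home error list is the audit trail for homes sshd would have refused anyway. FreeBSD's syslogd also offers its -l option for opening extra log sockets itself, which avoids hard links entirely when the homes are on a different filesystem from /var.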