Date:      Wed, 16 Dec 2015 10:50:06 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   sftp, syslog level, chrooted users in a jail
Message-ID:  <5671882E.3040509@sentex.net>

I am trying to increase the verbosity of sftp's syslog, but am running
into a problem because the users are chrooted and ssh is running in a jail.

My setup -- simple qjail with defaults

Inside it, I have the user

test1sftp:*:1002:1002:User &:/home/test1:/bin/false

and in /etc/ssh/sshd_config I have

Match user *
   ChrootDirectory %h
   ForceCommand internal-sftp -l debug1
   AllowTcpForwarding no
   PermitTunnel no
   X11Forwarding no

/home/test1sftp

# ls -l /home/test1sftp
total 27
drwxr-xr-x    5 root       wheel      uarch   5 Dec 16 10:04 .
drwxrwxr-x    2 root       wheel      uarch   4 Dec 16 10:37 dev
drwxr-xr-x    3 test1sftp  test1sftp  uarch   6 Dec 16 10:37 uploadhere


In the dev directory, if I make
# ls -l /home/test1sftp/dev/
total 2
drwxrwxr-x  2 root  wheel  uarch 4 Dec 16 10:37 .
drwxr-xr-x  5 root  wheel  uarch 5 Dec 16 10:04 ..
srw-rw-rw-  2 root  wheel  uarch 0 Dec 16 10:05 log
srw-------  2 root  wheel  uarch 0 Dec 16 10:05 logpriv
ln /var/run/logpriv logpriv
ln /var/run/log log

I can get it to work.


10:44:58  sshd
10:44:58  sshd: Accepted publickey for test1sftp from xxxx port 30534 ssh2: RSA 51:2e:....
10:44:58  sshd: User child is on pid 83522
10:44:58  sshd: Changed root directory to "/home/test1sftp"
10:44:58  sshd: Starting session: forced-command (config) 'internal-sftp -l verbose' for test1sftp from xxx  port 30534
10:44:58  internal-sftp
10:44:58  internal-sftp: received client version 3
10:44:58  internal-sftp: realpath "."
10:45:00  /usr/sbin/cron: (root) CMD (/usr/libexec/atrun)
10:45:02  internal-sftp: realpath "/uploadhere"
10:45:02  internal-sftp: stat name "/uploadhere"
10:45:04  internal-sftp: opendir "/uploadhere/"
10:45:04  internal-sftp: closedir "/uploadhere/"
10:45:04  internal-sftp: lstat name "/uploadhere/valid-ip.c"
10:45:04  internal-sftp: lstat name "/uploadhere/valid-ip.c"
10:45:04  internal-sftp: remove name "/uploadhere/valid-ip.c"
10:45:09  internal-sftp: open "/uploadhere/valid-ip.c" flags WRITE,CREATE,TRUNCATE mode 0644
10:45:09  internal-sftp: close "/uploadhere/valid-ip.c" bytes read 0 written 615
10:45:10  internal-sftp: opendir "/uploadhere"
10:45:10  internal-sftp: closedir "/uploadhere"
10:45:11  internal-sftp
10:45:11  sshd: Received disconnect from xxxx: 11: disconnected by user


I have a few hundred users. Apart from creating dev/log hard links for
every home directory, is there a different way to go about this?

Are there any security issues I need to be aware of?

	---Mike
-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
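The layout above (a root-owned chroot per user, a dev/ directory with hard links to the syslogd sockets) is easy to get subtly wrong across a few hundred home directories, so the following audit script is added here as a worked example; it is not part of Mike's message or of any FreeBSD or OpenSSH tool. It checks the two things that matter for this setup: sshd's documented ChrootDirectory requirement (the directory and every component above it must be owned by root and not writable by group or others, otherwise the session is refused), and the socket layout shown in the post (dev/log must be a socket the chrooted user can write to, dev/logpriv must stay mode 0600 so the user cannot reach the privileged socket). The `provision_devlog` function simply repeats the two `ln` commands from the post for one chroot. The script assumes home directory paths contain no whitespace and that /var/run and the chroots are on the same filesystem, which hard links require; it uses find(1) and ls(1) only, so it runs on FreeBSD and Linux alike.

```shell
#!/bin/sh
# Constructed example: audit per-user sftp chroots of the kind described in
# the post. Not part of the original message or of any shipped tool.
# Assumes paths without whitespace; uses only POSIX find(1)/ls(1)/test(1).

# Print every path component from "$1" up to "/", one per line, so that
# sshd's rule "all components must be root-owned and non-writable" can be
# checked component by component.
path_components() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        echo "$p"
        p=$(dirname "$p")
    done
    echo /
}

# Return 0 if "$1" exists and is owned by root. "-prune" restricts find to
# the named entry itself instead of descending into it.
owner_ok() {
    [ -e "$1" ] || return 1
    bad=$(find "$1" -prune ! -user root -print)
    [ -z "$bad" ]
}

# Return 0 if "$1" is a directory that is writable by neither group nor
# others (-perm -020 = group write bit set, -perm -002 = other write bit set).
perm_ok() {
    [ -d "$1" ] || return 1
    bad=$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ]
}

# First ten characters of "ls -ld", e.g. "srw-rw-rw-"; some ls builds append
# "+" or "@" for ACLs/extended attributes, so only the mode itself is kept.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Check the dev/ layout from the post under chroot "$1":
#   dev/log      socket, others may write (the chrooted user must connect)
#   dev/logpriv  if present, socket with no group/other bits (mode 0600)
devlog_ok() {
    d=$1/dev
    if [ ! -S "$d/log" ]; then
        echo "$d/log: missing or not a socket"; return 1
    fi
    case $(mode_string "$d/log") in
        s???????w?) ;;
        *) echo "$d/log: not writable by others; chrooted user cannot log"; return 1 ;;
    esac
    if [ -e "$d/logpriv" ]; then
        case $(mode_string "$d/logpriv") in
            s???------) ;;
            *) echo "$d/logpriv: must be a socket with mode 0600"; return 1 ;;
        esac
    fi
    return 0
}

# Audit one chroot directory; print every finding; return 1 if any.
audit_chroot() {
    rc=0
    for c in $(path_components "$1"); do
        owner_ok "$c" || { echo "$c: not owned by root"; rc=1; }
        perm_ok "$c"  || { echo "$c: writable by group or others"; rc=1; }
    done
    devlog_ok "$1" || rc=1
    return $rc
}

# Create dev/ and the two hard links exactly as the post does, for one
# chroot. Needs root and the same filesystem as /var/run. Idempotent.
provision_devlog() {
    mkdir -p "$1/dev"
    [ -e "$1/dev/log" ]     || ln /var/run/log "$1/dev/log"
    [ -e "$1/dev/logpriv" ] || ln /var/run/logpriv "$1/dev/logpriv"
}

# Usage: sh audit-sftp-chroot.sh /home/*   (does nothing without arguments)
for dir in "$@"; do
    audit_chroot "$dir" && echo "$dir: ok"
done
```

Running it as root over `/home/*` after provisioning lists every chroot that sshd would reject or whose log socket the user cannot reach; because the hard links share the inode with /var/run/log, a syslogd restart that recreates its sockets leaves the per-home links pointing at the old, dead socket, which is exactly what the dev/log check catches.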