Date:      Sat, 19 Dec 2015 05:57:22 +0800
From:      Ernie Luzar <luzar722@gmail.com>
To:        Mike Tancsa <mike@sentex.net>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: sftp, syslog level, chrooted users in a jail
Message-ID:  <56748142.4030907@gmail.com>
In-Reply-To: <5671882E.3040509@sentex.net>
References:  <5671882E.3040509@sentex.net>

Mike Tancsa wrote:
> I am trying to increase the verbosity of sftp's syslog, but am running
> into a problem because the users are chrooted and ssh is running in a jail.
> 
> My setup -- simple qjail with defaults
> 
> Inside, I have the user
> 
> test1sftp:*:1002:1002:User &:/home/test1:/bin/false
> 
> and in /etc/ssh/sshd_config I have
> 
> Match user *
>    ChrootDirectory %h
>    ForceCommand internal-sftp -l debug1
>    AllowTcpForwarding no
>    PermitTunnel no
>    X11Forwarding no
> 
> /home/test1sftp
> 
> # ls -l /home/test1sftp
> total 27
> drwxr-xr-x    5 root       wheel      uarch   5 Dec 16 10:04 .
> drwxrwxr-x    2 root       wheel      uarch   4 Dec 16 10:37 dev
> drwxr-xr-x    3 test1sftp  test1sftp  uarch   6 Dec 16 10:37 uploadhere
> 
> 
> In the dev directory, if I make
> # ls -l /home/test1sftp/dev/
> total 2
> drwxrwxr-x  2 root  wheel  uarch 4 Dec 16 10:37 .
> drwxr-xr-x  5 root  wheel  uarch 5 Dec 16 10:04 ..
> srw-rw-rw-  2 root  wheel  uarch 0 Dec 16 10:05 log
> srw-------  2 root  wheel  uarch 0 Dec 16 10:05 logpriv
> 
> 
> 
> ln /var/run/logpriv logpriv
> ln /var/run/log log
> 
> I can get it to work.
> 
> 
> 10:44:58  sshd
> 10:44:58  sshd: Accepted publickey for test1sftp from xxxx port 30534
> ssh2: RSA 51:2e:....
> 10:44:58  sshd: User child is on pid 83522
> 10:44:58  sshd: Changed root directory to "/home/test1sftp"
> 10:44:58  sshd: Starting session: forced-command (config) 'internal-sftp
> -l verbose' for test1sftp from xxx  port 30534
> 10:44:58  internal-sftp
> 10:44:58  internal-sftp: received client version 3
> 10:44:58  internal-sftp: realpath "."
> 10:45:00  /usr/sbin/cron: (root) CMD (/usr/libexec/atrun)
> 10:45:02  internal-sftp: realpath "/uploadhere"
> 10:45:02  internal-sftp: stat name "/uploadhere"
> 10:45:04  internal-sftp: opendir "/uploadhere/"
> 10:45:04  internal-sftp: closedir "/uploadhere/"
> 10:45:04  internal-sftp: lstat name "/uploadhere/valid-ip.c"
> 10:45:04  internal-sftp: lstat name "/uploadhere/valid-ip.c"
> 10:45:04  internal-sftp: remove name "/uploadhere/valid-ip.c"
> 10:45:09  internal-sftp: open "/uploadhere/valid-ip.c" flags
> WRITE,CREATE,TRUNCATE mode 0644
> 10:45:09  internal-sftp: close "/uploadhere/valid-ip.c" bytes read 0
> written 615
> 10:45:10  internal-sftp: opendir "/uploadhere"
> 10:45:10  internal-sftp: closedir "/uploadhere"
> 10:45:11  internal-sftp
> 10:45:11  sshd: Received disconnect from xxxx: 11: disconnected by user
> 
> 
> I have a few hundred users. Apart from creating dev/log hard links for
> every home directory, is there a different way to go about this?
> 
> Are there any security issues I need to be aware of?
> 
> 	---Mike
> 

Let me be sure I understand your setup correctly: ssh, sftp, and all the 
users are defined in the same jail.

In the jail, remove the ChrootDirectory %h option from sshd_config.
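The per-home dev/log hard-link step from the quoted message, scripted for many homes as an added example (not code from either poster). It assumes FreeBSD's syslogd socket at /var/run/log, that the home directories share a filesystem with it (hard links cannot cross filesystems), and it adds the root-ownership and write-bit checks sshd makes before accepting a ChrootDirectory.

```shell
#!/bin/sh
# Added example, not code from the thread. Provision dev/log inside one
# chroot home so syslog from internal-sftp reaches the jail's syslogd.
# Assumptions: syslogd listens on /var/run/log; homes and /var/run are on
# the same filesystem (ln fails otherwise and we report it).
# Exit codes: 0 linked (or already linked), 2 chroot root unsafe, 3 link failed.
provision_log_socket() {
    chroot_dir=$1
    socket=${2:-/var/run/log}
    owner=${3:-root}     # sshd requires the chroot root to be owned by root

    [ -d "$chroot_dir" ] || return 2
    set -- $(ls -ld "$chroot_dir")   # $1 = mode string, $3 = owner
    mode=$1
    cur_owner=$3
    # sshd refuses a ChrootDirectory that is group- or world-writable
    case $mode in
        d????[!w]??[!w]*) ;;
        *) echo "refusing $chroot_dir: group/world writable" >&2; return 2 ;;
    esac
    [ "$cur_owner" = "$owner" ] || {
        echo "refusing $chroot_dir: owned by $cur_owner, not $owner" >&2
        return 2
    }

    mkdir -p "$chroot_dir/dev" || return 3
    chmod 755 "$chroot_dir/dev"
    # Idempotent: an existing link to the same inode is left alone
    if [ -e "$chroot_dir/dev/log" ]; then
        [ "$chroot_dir/dev/log" -ef "$socket" ] && return 0
        echo "$chroot_dir/dev/log exists but is not $socket" >&2
        return 3
    fi
    ln "$socket" "$chroot_dir/dev/log" 2>/dev/null || {
        echo "hard link failed (different filesystem?) for $chroot_dir" >&2
        return 3
    }
    return 0
}

# Run over every home under a base directory; returns the number of homes
# that were refused or could not be linked (0 means all done).
provision_all_homes() {
    base=$1; socket=$2; owner=$3
    failures=0
    for d in "$base"/*/; do
        provision_log_socket "${d%/}" "$socket" "$owner" || failures=$((failures + 1))
    done
    return "$failures"
}
```

Run it as root inside the jail, e.g. `provision_all_homes /home /var/run/log root`, and repeat for /var/run/logpriv if you also want the logpriv socket; homes that sshd would reject are reported on stderr and left untouched.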



