From owner-freebsd-questions@freebsd.org Fri Dec 18 21:57:03 2015
Message-ID: <56748142.4030907@gmail.com>
Date: Sat, 19 Dec 2015 05:57:22 +0800
From: Ernie Luzar
To: Mike Tancsa
CC: freebsd-questions
Subject: Re: sftp, syslog level, chrooted users in a jail
References: <5671882E.3040509@sentex.net>
In-Reply-To: <5671882E.3040509@sentex.net>

Mike Tancsa wrote:
> I am trying to increase the verbosity of sftp's syslog, but am running
> into a problem because the users are chrooted and ssh is running in a jail.
>
> My setup -- simple qjail with defaults
>
> Inside it I have the user
>
> test1sftp:*:1002:1002:User &:/home/test1:/bin/false
>
> and in /etc/ssh/sshd_config I have
>
> Match user *
>     ChrootDirectory %h
>     ForceCommand internal-sftp -l debug1
>     AllowTcpForwarding no
>     PermitTunnel no
>     X11Forwarding no
>
> /home/test1sftp
>
> # ls -l /home/test1sftp
> total 27
> drwxr-xr-x  5 root       wheel      uarch  5 Dec 16 10:04 .
> drwxrwxr-x  2 root       wheel      uarch  4 Dec 16 10:37 dev
> drwxr-xr-x  3 test1sftp  test1sftp  uarch  6 Dec 16 10:37 uploadhere
>
> In the dev directory, if I make
>
> # ls -l /home/test1sftp/dev/
> total 2
> drwxrwxr-x  2 root  wheel  uarch  4 Dec 16 10:37 .
> drwxr-xr-x  5 root  wheel  uarch  5 Dec 16 10:04 ..
> srw-rw-rw-  2 root  wheel  uarch  0 Dec 16 10:05 log
> srw-------  2 root  wheel  uarch  0 Dec 16 10:05 logpriv
>
> ln /var/run/logpriv logpriv
> ln /var/run/log log
>
> I can get it to work.
>
> 10:44:58 sshd
> 10:44:58 sshd: Accepted publickey for test1sftp from xxxx port 30534
> ssh2: RSA 51:2e:....
> 10:44:58 sshd: User child is on pid 83522
> 10:44:58 sshd: Changed root directory to "/home/test1sftp"
> 10:44:58 sshd: Starting session: forced-command (config) 'internal-sftp
> -l verbose' for test1sftp from xxx port 30534
> 10:44:58 internal-sftp
> 10:44:58 internal-sftp: received client version 3
> 10:44:58 internal-sftp: realpath "."
> 10:45:00 /usr/sbin/cron: (root) CMD (/usr/libexec/atrun)
> 10:45:02 internal-sftp: realpath "/uploadhere"
> 10:45:02 internal-sftp: stat name "/uploadhere"
> 10:45:04 internal-sftp: opendir "/uploadhere/"
> 10:45:04 internal-sftp: closedir "/uploadhere/"
> 10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
> 10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
> 10:45:04 internal-sftp: remove name "/uploadhere/valid-ip.c"
> 10:45:09 internal-sftp: open "/uploadhere/valid-ip.c" flags
> WRITE,CREATE,TRUNCATE mode 0644
> 10:45:09 internal-sftp: close "/uploadhere/valid-ip.c" bytes read 0
> written 615
> 10:45:10 internal-sftp: opendir "/uploadhere"
> 10:45:10 internal-sftp: closedir "/uploadhere"
> 10:45:11 internal-sftp
> 10:45:11 sshd: Received disconnect from xxxx: 11: disconnected by user
>
> I have a few hundred users. Apart from creating dev/log hard links for
> every home directory, is there a different way to go about this?
>
> Are there any security issues I need to be aware of?
>
> ---Mike
>

Let me be sure I understand your setup correctly: ssh, sftp, and all the users are defined in the same jail.

In the jail, remove the ChrootDirectory %h option from sshd_config.
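As an added example (not code from Mike's or Ernie's messages, and not a list recommendation), the POSIX sh script below does for every home under /home what Mike did by hand for /home/test1sftp: it hard-links the jail's /var/run/log and /var/run/logpriv sockets into <home>/dev and then audits which homes still lack a usable socket. The HOME_ROOT layout, the socket paths, the function names and the script name sftp-chroot-log.sh are assumptions. It has to run as root inside the jail, and hard links only work when the homes share a filesystem with /var/run; a cross-filesystem ln failure is reported rather than skipped. It also covers the case the one-off ln does not: syslogd unlinks and recreates its socket on restart, so an existing dev/log is checked by inode (the -ef test) and refreshed when it points at the old, dead socket.

```shell
#!/bin/sh
# Added example, not code from the thread: provision the syslog socket
# inside every chrooted sftp home the way Mike did by hand for one
# user (ln /var/run/log <home>/dev/log), then audit the result.
# Assumptions not stated in the thread: homes are the directories directly
# under HOME_ROOT; the sockets are LOG_SOCK and LOGPRIV_SOCK; the script
# runs as root inside the jail; homes share a filesystem with /var/run
# (a hard link cannot cross filesystems, so ln fails and we report it).
# syslogd unlinks and recreates its socket on restart, which leaves old
# hard links pointing at a dead inode, so links are compared by inode
# (-ef) and refreshed rather than trusted just because the path exists.

HOME_ROOT="${HOME_ROOT:-/home}"
LOG_SOCK="${LOG_SOCK:-/var/run/log}"
LOGPRIV_SOCK="${LOGPRIV_SOCK:-/var/run/logpriv}"

# Hard-link socket $2 into $1/dev, replacing a link to a stale inode.
link_log_socket() {
    home=$1 src=$2
    dst="$home/dev/$(basename "$src")"
    if [ -e "$dst" ]; then
        if [ "$dst" -ef "$src" ]; then
            return 0                        # already the live socket
        fi
        rm -f "$dst"                        # left over from an older syslogd
    fi
    mkdir -p "$home/dev" || return 1
    ln "$src" "$dst" 2>/dev/null || {
        echo "cannot hard-link $src into $home/dev (different filesystem?)" >&2
        return 1
    }
}

# Link both sockets into every home; prints how many homes failed.
provision_all() {
    root=$1 failed=0
    for h in "$root"/*/; do
        h=${h%/}
        [ -d "$h" ] || continue
        link_log_socket "$h" "$LOG_SOCK" && link_log_socket "$h" "$LOGPRIV_SOCK" \
            || failed=$((failed + 1))
    done
    echo "$failed"
}

# Count homes whose dev/log is missing or no longer the live socket;
# a non-zero result is the thing to alert on from cron.
count_missing() {
    root=$1 n=0
    for h in "$root"/*/; do
        h=${h%/}
        [ -d "$h" ] || continue
        if [ ! "$h/dev/log" -ef "$LOG_SOCK" ]; then
            echo "no live dev/log in $h" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# When run under the assumed name (e.g. from cron after syslogd restarts),
# provision and audit; exit non-zero if anything is still unlogged.
case ${0##*/} in
    sftp-chroot-log.sh)
        failed=$(provision_all "$HOME_ROOT")
        missing=$(count_missing "$HOME_ROOT")
        echo "link failures: $failed, homes without live socket: $missing"
        [ "$failed" -eq 0 ] && [ "$missing" -eq 0 ]
        ;;
esac
```

Because the functions read LOG_SOCK and LOGPRIV_SOCK when called, the same file can be exercised against a scratch directory with ordinary files standing in for the sockets; hard-link and -ef semantics are the same for both. The chroot itself must still satisfy sshd's rule that the home and every path component above it are root-owned and not group or world writable, which is why only the dev subdirectory is created here and the home is never touched.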