From: mike tancsa
To: Ernie Luzar
CC: "freebsd-questions"
Date: Fri, 18 Dec 2015 17:25:58 -0500
Subject: Re: sftp, syslog level, chrooted users in a jail
Message-ID: <151b73318f0.2765.e68d32c7521a042b3773fe36a0156dc7@sentex.net>
In-Reply-To: <56748142.4030907@gmail.com>
References: <5671882E.3040509@sentex.net> <56748142.4030907@gmail.com>
Hi, thanks for the reply. Yes, all the users (a few hundred) are in one jail. However, the users must be chrooted into their own directories for security reasons. Hence, I cannot remove the chroot option and am left with the issue of logging.

On December 18, 2015 4:57:11 PM Ernie Luzar wrote:
> Mike Tancsa wrote:
>> I am trying to increase the verbosity of sftp's syslog, but am running
>> into a problem because the users are chrooted and ssh is running in a jail.
>>
>> My setup -- simple qjail with defaults
>>
>> I have inside, the user
>>
>> test1sftp:*:1002:1002:User &:/home/test1:/bin/false
>>
>> and in /etc/ssh/sshd_config I have
>>
>> Match user *
>> ChrootDirectory %h
>> ForceCommand internal-sftp -l debug1
>> AllowTcpForwarding no
>> PermitTunnel no
>> X11Forwarding no
>>
>> /home/test1sftp
>>
>> # ls -l /home/test1sftp
>> total 27
>> drwxr-xr-x 5 root wheel uarch 5 Dec 16 10:04 .
>> drwxrwxr-x 2 root wheel uarch 4 Dec 16 10:37 dev
>> drwxr-xr-x 3 test1sftp test1sftp uarch 6 Dec 16 10:37 uploadhere
>>
>> In the dev directory, if I make
>> # ls -l /home/test1sftp/dev/
>> total 2
>> drwxrwxr-x 2 root wheel uarch 4 Dec 16 10:37 .
>> drwxr-xr-x 5 root wheel uarch 5 Dec 16 10:04 ..
>> srw-rw-rw- 2 root wheel uarch 0 Dec 16 10:05 log
>> srw------- 2 root wheel uarch 0 Dec 16 10:05 logpriv
>>
>> ln /var/run/logpriv logpriv
>> ln /var/run/log log
>>
>> I can get it to work.
>>
>> 10:44:58 sshd
>> 10:44:58 sshd: Accepted publickey for test1sftp from xxxx port 30534
>> ssh2: RSA 51:2e:....
>> 10:44:58 sshd: User child is on pid 83522
>> 10:44:58 sshd: Changed root directory to "/home/test1sftp"
>> 10:44:58 sshd: Starting session: forced-command (config) 'internal-sftp
>> -l verbose' for test1sftp from xxx port 30534
>> 10:44:58 internal-sftp
>> 10:44:58 internal-sftp: received client version 3
>> 10:44:58 internal-sftp: realpath "."
>> 10:45:00 /usr/sbin/cron: (root) CMD (/usr/libexec/atrun)
>> 10:45:02 internal-sftp: realpath "/uploadhere"
>> 10:45:02 internal-sftp: stat name "/uploadhere"
>> 10:45:04 internal-sftp: opendir "/uploadhere/"
>> 10:45:04 internal-sftp: closedir "/uploadhere/"
>> 10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
>> 10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
>> 10:45:04 internal-sftp: remove name "/uploadhere/valid-ip.c"
>> 10:45:09 internal-sftp: open "/uploadhere/valid-ip.c" flags
>> WRITE,CREATE,TRUNCATE mode 0644
>> 10:45:09 internal-sftp: close "/uploadhere/valid-ip.c" bytes read 0
>> written 615
>> 10:45:10 internal-sftp: opendir "/uploadhere"
>> 10:45:10 internal-sftp: closedir "/uploadhere"
>> 10:45:11 internal-sftp
>> 10:45:11 sshd: Received disconnect from xxxx: 11: disconnected by user
>>
>> I have a few hundred users. Apart from creating dev/log hard links for
>> every home directory, is there a different way to go about this ?
>>
>> Are there any security issues I need to be aware of ?
>>
>> ---Mike
>>
>
> Let me be sure I understand your setup correctly, ssh, sftp, and all the
> users are defined in the same jail.
>
> In the jail remove ChrootDirectory %h option from sshd_config.
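Provisioning the per-home dev/log link that the message above creates by hand with ln, as an added example that is not part of the thread and not FreeBSD's or OpenSSH's own code. For each sftp home it applies the checks sshd makes on a ChrootDirectory (root-owned, not group- or world-writable) before linking, refuses to link across filesystems (a hard link cannot cross one), and detects a link that has gone stale: syslogd unlinks and re-creates /var/run/log when it restarts, so an old hard link keeps pointing at the dead socket inode and the chrooted internal-sftp silently stops logging; comparing inodes catches that, which is why the script is safe to re-run from a syslogd restart hook. The socket path, the home layout and the demo() fixture are assumptions for the example; logpriv is handled the same way by a second provision() call with that path. The two FreeBSD alternatives to per-home links are extra listener sockets (syslogd -l /home/<user>/dev/log, one flag per home; check how many sockets your syslogd build accepts before relying on it for a few hundred homes) and a nullfs mount of a directory holding the socket into each chroot. On the security question: the linked socket is world-writable by design, so anything running inside the chroot can write syslog lines; with ForceCommand internal-sftp and no shell that is only the sftp server, the same exposure the socket already has outside the chroot.

```python
"""Added example, not code from the thread: provision the syslog socket
inside each chrooted sftp home and apply the ownership/permission checks
sshd makes on ChrootDirectory. Paths and the demo fixture are assumptions."""
import os
import socket
import stat
import tempfile


def check_chroot_dir(home, root_uid=0):
    """Return the problems that would make sshd refuse ChrootDirectory=home.

    sshd insists the chroot directory and every parent be root-owned and not
    group- or world-writable. Only the home itself is checked here; the
    parents (/home, /) are shared by every user and are checked once by hand.
    """
    problems = []
    try:
        st = os.lstat(home)
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != root_uid:
        problems.append("owned by uid %d, not %d" % (st.st_uid, root_uid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group/world writable")
    return problems


def link_log_socket(home, log_sock="/var/run/log"):
    """Hard-link log_sock to <home>/dev/<basename> so the chrooted
    internal-sftp can reach syslogd. Returns 'linked', 'already' or
    'replaced'. syslogd unlinks and re-creates its socket on (re)start, so an
    old link points at a dead inode; the inode comparison catches that."""
    src = os.lstat(log_sock)
    if not stat.S_ISSOCK(src.st_mode):
        raise ValueError("%s is not a socket" % log_sock)
    dev = os.path.join(home, "dev")
    os.makedirs(dev, mode=0o755, exist_ok=True)
    if os.lstat(dev).st_dev != src.st_dev:
        # Hard links cannot cross filesystems; fail loudly instead of leaving
        # a chroot with no logging (use syslogd -l or a nullfs mount there).
        raise OSError("%s is on another filesystem than %s" % (dev, log_sock))
    dst = os.path.join(dev, os.path.basename(log_sock))
    try:
        cur = os.lstat(dst)
    except FileNotFoundError:
        os.link(log_sock, dst)
        return "linked"
    if (cur.st_dev, cur.st_ino) == (src.st_dev, src.st_ino):
        return "already"
    os.unlink(dst)  # stale socket from a previous syslogd, or something planted
    os.link(log_sock, dst)
    return "replaced"


def provision(homes, log_sock="/var/run/log", root_uid=0):
    """Provision each home, skipping any that sshd would reject anyway."""
    results = {}
    for home in homes:
        problems = check_chroot_dir(home, root_uid)
        if problems:
            results[home] = "skipped: " + "; ".join(problems)
        else:
            results[home] = link_log_socket(home, log_sock)
    return results


def bind_fake_syslogd(path):
    """Create a socket inode at path the way syslogd does (unlink, then bind).
    Stand-in for the real daemon; the inode stays behind after close()."""
    if os.path.exists(path):
        os.unlink(path)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    s.bind(path)
    s.close()


def demo():
    """Constructed fixture: a fake /var/run/log plus three homes (clean,
    group-writable, missing), provisioned fresh, again unchanged, and again
    after a simulated syslogd restart. root_uid is the current uid so this
    runs unprivileged; inside the real jail it is 0."""
    base = tempfile.mkdtemp()
    log_sock = os.path.join(base, "var", "run", "log")
    os.makedirs(os.path.dirname(log_sock))
    bind_fake_syslogd(log_sock)
    homes = {}
    for name, mode in (("test1sftp", 0o755), ("sloppy", 0o775)):
        path = os.path.join(base, "home", name)
        os.makedirs(path)
        os.chmod(path, mode)
        homes[name] = path
    homes["ghost"] = os.path.join(base, "home", "ghost")  # never created
    me = os.getuid()
    out = {"first": provision(homes.values(), log_sock, me)}
    out["second"] = provision(homes.values(), log_sock, me)
    bind_fake_syslogd(log_sock)  # syslogd restart: new socket inode
    out["after_restart"] = provision(homes.values(), log_sock, me)
    # Re-key by short name so callers need not know the temp dir.
    return {k: {n: v[p] for n, p in homes.items()} for k, v in out.items()}


if __name__ == "__main__":
    for phase, res in demo().items():
        print(phase, res)
```

Run it as root inside the jail with the real home list (for example the home fields of every ForceCommand user from the jail's passwd file) and call it again from whatever restarts syslogd; the "replaced" result is the stale-link case that the thread's one-off ln would miss.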