sshd and chroot logging
Hello Guys,
I have successfully compiled and got openssh-5.0p1 running on Linux, Red
Hat Enterprise Linux ES release 3 (2.4.21-50.ELsmp).

Port 22
ListenAddress 0.0.0.0
Protocol 2
SyslogFacility DAEMON
LogLevel DEBUG
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
PasswordAuthentication yes

Subsystem sftp internal-sftp

Match user test
ForceCommand internal-sftp
ChrootDirectory /chrootsftp/test
X11Forwarding no
AllowTcpForwarding no

My goal is to have sshd chroot particular users and log their file
transfers. Information about who, when and from what IP is not enough
for my spec.

I was trying to change sshd_config in so many ways (mainly the Subsystem and
Match sections), but apparently you cannot specify any -l or -f
arguments after internal-sftp. Apparently, "Subsystem sftp
internal-sftp" does not have to exist at all when having just one user and
matching it against a "Match" directive.

Having
ForceCommand /usr/libexec/openssh/sftp-server -l VERBOSE
doesn't allow for sftp connections at all.

What would be the major difference between "internal-sftp" and
/usr/libexec/openssh/sftp-server? Does "internal-sftp" invoke an sftp
subsystem which is part of the sshd binary, or does it still pass the
transaction back to sftp-server but just allow it to be chrooted?
The documentation of the sshd_config directives reads:

"Alternately the name ``internal-sftp'' implements an in-process
'sftp' server. This may simplify configurations using ChrootDirectory
to force a different file system root on clients."

Does it mean that you can have either a normal sftp subsystem with
logging (sftp-server) or a chrooted sftp but without logging
(internal-sftp)?

I was also trying to play with /chrootsftp/test/dev/log and hard
linking it to /dev/log (adding an additional socket during syslog start),
but it seems natural that it doesn't work as this is a
non-interactive chrooted environment (just sftp).

I am really stumped at this point and wondering if that may be
achieved at all. I really count on someone explaining all these
questions to me, as I went through possibly every subject on Google
regarding that problem without finding a definitive answer to it. I
suppose "the source" could sort my doubts out :D

Cheers Sim.
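As an added example (not from the original post or from OpenSSH), the following shell script checks the two preconditions that make a chrooted sftp account loggable and prints a matching sshd_config block for the user and chroot path from the post. It assumes Linux with GNU coreutils and an OpenSSH release newer than 5.0p1, in which internal-sftp accepts the -l/-f options of sftp-server(8).

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSH. Preflight checks
# and an sshd_config fragment for a logged, chrooted sftp account. Assumes
# Linux with GNU coreutils (stat -c) and an OpenSSH newer than 5.0p1, where
# internal-sftp accepts the -l/-f options of sftp-server(8).

# sshd refuses the session unless every component of ChrootDirectory is a
# root-owned directory with neither group nor world write permission.
# Returns 0 when the absolute path $1 satisfies that, 1 otherwise.
chroot_path_ok() {
    p=$1
    case $p in /*) ;; *) return 1 ;; esac      # relative paths never qualify
    while :; do
        [ -d "$p" ] || return 1
        info=$(stat -c '%u %a' "$p") || return 1
        set -- $info                            # $1 = owner uid, $2 = octal mode
        [ "$1" = "0" ] || return 1
        case $2 in *[2367]? | *[2367]) return 1 ;; esac   # g+w or o+w bit set
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# OpenSSH connects to the syslog socket per log message, so after chroot(2)
# the in-process sftp server needs <chroot>/dev/log (see sftp-server(8)).
# syslogd must be told to listen there, e.g. sysklogd:
#   SYSLOGD_OPTIONS="-m 0 -a /chrootsftp/test/dev/log"  (/etc/sysconfig/syslog)
# or rsyslog:  $AddUnixListenSocket /chrootsftp/test/dev/log
log_socket_ok() {
    [ -S "$1/dev/log" ]
}

# Match block for one chrooted user with transaction logging: -l VERBOSE
# records each file operation done for the client, -f AUTH sets the facility.
sshd_match_block() {
    printf 'Match User %s\n' "$1"
    printf '    ChrootDirectory %s\n' "$2"
    printf '    ForceCommand internal-sftp -l VERBOSE -f AUTH\n'
    printf '    X11Forwarding no\n'
    printf '    AllowTcpForwarding no\n'
}

# Report what still blocks logging for a user/chroot pair, then print its block.
report() {
    chroot_path_ok "$2" || echo "# fix $2: all components root-owned, no g/o write"
    log_socket_ok "$2"  || echo "# no syslog socket at $2/dev/log"
    sshd_match_block "$1" "$2"
}

report test /chrootsftp/test
```

Run it as root on the sftp host after creating the chroot; the lines starting with "#" name the remaining blockers, and the Match block can be appended to sshd_config once both checks pass.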
