Re: sftp-server logging under chroot & privilege separation



It might be an issue with /dev/log not existing in the chrooted
environment.

If you are running syslog-ng, you could tell it to open a second
Unix domain dgram socket. ("unix-dgram(/chroot/path/dev/log);")

On Mon, Mar 8, 2010 at 9:53 AM, <kjh26@xxxxxxxxxxxx> wrote:
Hello:

We are using OpenSSH 5.3p1.

We are using this to host an SFTP drop-box.  We have implemented chroot &
privilege separation.

For corporate security reasons, we are running sshd as an application ID
setuid root (long story - don't want to go into it here)

The issue we are noting is that we 'lose' SFTP logging of commands when
sshd is run normally.

When we run it in DEBUG, we see the SFTP commands in the log.

We suspected the chrooting/priv sep had something to do with it, however,
changing the sftp-server to be setuid root did not fix the issue.

Any ideas?


Thanks


Kevin J. Herman
Sr. Systems Analyst
EBMX [Electronic Business Message eXchange]
ITM - Procurement Systems

T/L 776-6793
O/L (248)576-6793
FAX (248)576-2185

CTC E3000-3S2E8
CIMS 483-01-19
LOC/DEPT: 1100-1721





--
And, did Galoka think the Ulus were too ugly to save?
-Centauri
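As an added example (not from the thread, and not OpenSSH or syslog-ng code), here is the mechanism behind the reply: a chrooted daemon's syslog(3) call resolves /dev/log relative to its new root, so unless a listener socket exists at <chroot>/dev/log the message goes nowhere. The script simulates a chrooted sftp-server logging without and then with such a socket, and renders the syslog-ng source stanza for the fix; the chroot path, PRI values and log line are constructed.

```python
import os
import shutil
import socket
import tempfile

# Syslog PRI = facility * 8 + severity.  AUTH=4 / INFO=6 are constructed values
# for the demo (what "sftp-server -f AUTH -l INFO" would use).
LOG_AUTH, LOG_INFO = 4, 6


def syslog_ng_source(chroot):
    """Config text for the fix in the reply: a second unix-dgram source."""
    return 'source s_sftp_chroot { unix-dgram("%s"); };' % os.path.join(
        chroot, "dev", "log")


def send_like_chrooted_daemon(chroot, facility, severity, tag, text):
    """Mimic syslog(3) from a process chrooted into `chroot`: it opens /dev/log
    relative to its root, i.e. <chroot>/dev/log as seen from outside.
    Returns the datagram sent, or None if delivery failed (no socket there)."""
    path = os.path.join(chroot, "dev", "log")
    msg = "<%d>%s: %s" % (facility * 8 + severity, tag, text)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.sendto(msg.encode(), path)
        return msg
    except (FileNotFoundError, ConnectionRefusedError):
        return None  # the silent loss the thread describes
    finally:
        s.close()


def demo():
    """Run the lost-log case, then the fixed case; return (lost, delivered, received)."""
    tmp = "/tmp" if os.path.isdir("/tmp") else None  # keep the socket path short
    chroot = tempfile.mkdtemp(prefix="sftpchroot-", dir=tmp)
    try:
        os.makedirs(os.path.join(chroot, "dev"))
        line = ("sftp-server[1234]", 'open "/in/report.csv" flags WRITE,CREATE')
        # 1. No /dev/log inside the chroot: the message is dropped.
        lost = send_like_chrooted_daemon(chroot, LOG_AUTH, LOG_INFO, *line)
        # 2. Bind a listener at <chroot>/dev/log, as syslog-ng's unix-dgram would.
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        listener.bind(os.path.join(chroot, "dev", "log"))
        listener.settimeout(2)
        delivered = send_like_chrooted_daemon(chroot, LOG_AUTH, LOG_INFO, *line)
        received = listener.recv(4096).decode() if delivered else ""
        listener.close()
        return lost, delivered, received
    finally:
        shutil.rmtree(chroot, ignore_errors=True)


if __name__ == "__main__":
    lost, delivered, received = demo()
    print("without socket:", "LOST" if lost is None else "delivered")
    print("with socket   :", received)
    print(syslog_ng_source("/srv/sftp"))
```

The same check applies to internal-sftp under ChrootDirectory: sshd_config(5) notes that logging from the in-process sftp server may require /dev/log inside the chroot on some systems.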


