Date: Sat, 19 Dec 2015 05:57:22 +0800
From: Ernie Luzar <luzar722@gmail.com>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: sftp, syslog level, chrooted users in a jail
Message-ID: <56748142.4030907@gmail.com>
In-Reply-To: <5671882E.3040509@sentex.net>
References: <5671882E.3040509@sentex.net>
Mike Tancsa wrote:
> I am trying to increase the verbosity of sftp's syslog, but am running
> into a problem because the users are chrooted and ssh is running in a jail.
>
> My setup -- simple qjail with defaults
>
> I have inside, the user
>
> test1sftp:*:1002:1002:User &:/home/test1:/bin/false
>
> and in /etc/ssh/sshd_config I have
>
> Match user *
> ChrootDirectory %h
> ForceCommand internal-sftp -l debug1
> AllowTcpForwarding no
> PermitTunnel no
> X11Forwarding no
>
> /home/test1sftp
>
> # ls -l /home/test1sftp
> total 27
> drwxr-xr-x 5 root wheel uarch 5 Dec 16 10:04 .
> drwxrwxr-x 2 root wheel uarch 4 Dec 16 10:37 dev
> drwxr-xr-x 3 test1sftp test1sftp uarch 6 Dec 16 10:37 uploadhere
>
> In the dev directory, if I make
> # ls -l /home/test1sftp/dev/
> total 2
> drwxrwxr-x 2 root wheel uarch 4 Dec 16 10:37 .
> drwxr-xr-x 5 root wheel uarch 5 Dec 16 10:04 ..
> srw-rw-rw- 2 root wheel uarch 0 Dec 16 10:05 log
> srw------- 2 root wheel uarch 0 Dec 16 10:05 logpriv
>
> ln /var/run/logpriv logpriv
> ln /var/run/log log
>
> I can get it to work.
>
> 10:44:58 sshd
> 10:44:58 sshd: Accepted publickey for test1sftp from xxxx port 30534 ssh2: RSA 51:2e:....
> 10:44:58 sshd: User child is on pid 83522
> 10:44:58 sshd: Changed root directory to "/home/test1sftp"
> 10:44:58 sshd: Starting session: forced-command (config) 'internal-sftp -l verbose' for test1sftp from xxx port 30534
> 10:44:58 internal-sftp
> 10:44:58 internal-sftp: received client version 3
> 10:44:58 internal-sftp: realpath "."
> 10:45:00 /usr/sbin/cron: (root) CMD (/usr/libexec/atrun)
> 10:45:02 internal-sftp: realpath "/uploadhere"
> 10:45:02 internal-sftp: stat name "/uploadhere"
> 10:45:04 internal-sftp: opendir "/uploadhere/"
> 10:45:04 internal-sftp: closedir "/uploadhere/"
> 10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
> 10:45:04 internal-sftp: lstat name "/uploadhere/valid-ip.c"
> 10:45:04 internal-sftp: remove name "/uploadhere/valid-ip.c"
> 10:45:09 internal-sftp: open "/uploadhere/valid-ip.c" flags WRITE,CREATE,TRUNCATE mode 0644
> 10:45:09 internal-sftp: close "/uploadhere/valid-ip.c" bytes read 0 written 615
> 10:45:10 internal-sftp: opendir "/uploadhere"
> 10:45:10 internal-sftp: closedir "/uploadhere"
> 10:45:11 internal-sftp
> 10:45:11 sshd: Received disconnect from xxxx: 11: disconnected by user
>
> I have a few hundred users. Apart from creating dev/log hard links for
> every home directory, is there a different way to go about this ?
>
> Are there any security issues I need to be aware of ?
>
> ---Mike

Let me be sure I understand your setup correctly: ssh, sftp, and all the users are defined in the same jail. In the jail, remove the ChrootDirectory %h option from sshd_config.
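An added example, written for this archive page and not posted by either participant, for the case where the ChrootDirectory %h setup is kept and the per-chroot dev/log socket has to be managed for a few hundred homes. It is a POSIX shell script that (a) emits a syslogd_flags value so that syslogd creates a socket inside each chroot itself, and (b) audits each chroot for the failure modes a hard link has: the link must be on the same filesystem as /var/run, and it goes stale as soon as syslogd restarts and re-creates its socket on a new inode, after which the sftp session logs are silently refused. The `-l path` option of FreeBSD's syslogd (create an additional listening socket at path) and the paths /var/run/log and root:wheel are assumptions about the platform, not something the thread states; the script names (`syslogd_flags_for`, `check_chroot_log`, `audit_all`) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): provision and audit the per-chroot
# syslog socket that internal-sftp needs when ChrootDirectory %h is kept.
# Assumes FreeBSD paths; the syslogd -l option is an assumption about the
# platform's syslogd, not something stated in the thread.
set -u

SYSLOG_SOCK="${SYSLOG_SOCK:-/var/run/log}"   # live socket syslogd listens on

# Emit the syslogd_flags value for rc.conf so that syslogd itself creates a
# socket at <home>/dev/log for every chroot. Because syslogd re-creates these
# on each restart, they never go stale the way a hard link does.
syslogd_flags_for() {
    flags=""
    for home in "$@"; do
        flags="$flags -l $home/dev/log"
    done
    printf '%s\n' "${flags# }"
}

# Create <home>/dev with the ownership shown in the thread (root-owned and
# not writable by the sftp user, so the user cannot replace the socket).
# Only `log` is needed: internal-sftp runs as the unprivileged user, which
# cannot open the root-only logpriv socket anyway. Must run as root.
provision_chroot_dev() {
    home=$1
    mkdir -p "$home/dev"
    chown root:wheel "$home/dev"
    chmod 0755 "$home/dev"
}

# Audit one chroot and print why its dev/log would make logging fail:
#   missing        no dev/log at all (internal-sftp output silently vanishes)
#   not-a-socket   something other than a socket was put there
#   stale          a hard link to an old socket; syslogd has restarted and
#                  now listens on a different inode, so writes are refused
#   ok             same device/inode as the live socket
check_chroot_log() {
    sock="$1/dev/log"
    if [ ! -e "$sock" ]; then echo "missing"; return 1; fi
    if [ ! -S "$sock" ]; then echo "not-a-socket"; return 1; fi
    if [ ! "$sock" -ef "$SYSLOG_SOCK" ]; then echo "stale"; return 1; fi
    echo "ok"
}

# Audit every chroot home given on the command line; exit non-zero if any
# of them would lose logs. Usage: sh chroot-log-audit.sh /home/test1sftp ...
audit_all() {
    rc=0
    for home in "$@"; do
        state=$(check_chroot_log "$home" || true)
        printf '%s\t%s\n' "$home" "$state"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then
    echo "syslogd_flags=\"$(syslogd_flags_for "$@")\""
    audit_all "$@"
fi
```

Running the audit from cron is the cheap way to catch the stale-link case, because nothing else reports it: sshd still starts the session, internal-sftp still writes its log records, and the kernel refuses them without any error the user sees.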