OpenSSH internal-sftp chroot logging on Ubuntu

I’m putting this here mainly to store it for myself, so these are going to be rough notes until I have time or inclination to review and edit this post.

Note: this solution was formulated on a server running Ubuntu Server 14.04 LTS

To set up sftp chroot directories for sftp-only users and still log every action and transfer (like an FTP "xferlog"), you need some way for the chrooted sftp process to write log data to the main syslog daemon, since the normal /dev/log socket is not visible from inside the chroot.

First of all, you need the following in your sshd_config. Pay attention to the "ForceCommand" line, which I was missing at first: without it you only change the logging for the non-chroot users, not the chroot users, because the ForceCommand in the Match block is what the chrooted users actually run.

Subsystem sftp internal-sftp -l VERBOSE -f LOCAL6

# Next section restricts users in sftpusers group to chrootDirectory

Match Group sftpusers
  ChrootDirectory %h
  ForceCommand internal-sftp -u 002 -l VERBOSE -f LOCAL6
  AllowTcpForwarding no
  PermitTunnel no
  X11Forwarding no

Now you want a line like this in /etc/rsyslog.d/50-default.conf (or another /etc/rsyslog.d/*.conf file) to direct the verbose sftp logs to a file of their own:

local6.*			/var/log/sftp.log

Then you have a couple of options on how to proceed. The first way I got working was to add another listening socket in the rsyslogd config, inside the user's chroot, with this line:

$AddUnixListenSocket /home/username/dev/log

You could also use this method, which bind-mounts the real syslog socket into the chroot instead:

mkdir /home/username/dev
touch /home/username/dev/log
chmod 511 /home/username/dev
chattr +i /home/username/dev
mount --bind /dev/log /home/username/dev/log

Either one should work for you. The question is which suits your situation, especially if you have a large number of users or a constantly changing user base: you'll have to orchestrate either adding the special mount point for each user (and end up with a lot of extra mounts) or adding a lot of extra listening socket files in rsyslogd. I leave it to you to decide which is better for your situation.
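As an added example (my own helper script, not part of the original post or of OpenSSH/rsyslog), here is a small POSIX sh script that ties the pieces above together: it checks that the "Match Group sftpusers" block in an sshd_config actually carries a ForceCommand with "-l VERBOSE -f LOCAL6" (the mistake described above), prints the rsyslog lines for the listening-socket variant, and performs the bind-mount variant after verifying that the chroot directory is root-owned and not group/world writable, which sshd requires for any ChrootDirectory. The function names, the "-c" stat format and the chroot ownership check are my assumptions; the group name, facility and paths come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for internal-sftp
# chroot logging. Group "sftpusers", facility LOCAL6 and /home/<user>/dev/log
# are taken from the post; function names and the ownership check are assumed.

# check_sshd_config FILE
# Exit 0 only if the "Match Group sftpusers" block in FILE has a
# "ForceCommand internal-sftp" line carrying both "-l VERBOSE" and "-f LOCAL6".
# Flags on the global "Subsystem sftp" line alone do not log chrooted users,
# because the Match block's ForceCommand is what they run.
check_sshd_config() {
    awk '
        /^[ \t]*Match[ \t]/ { in_block = ($0 ~ /Match[ \t]+Group[ \t]+sftpusers/); next }
        in_block && /^[ \t]*ForceCommand[ \t]+internal-sftp/ {
            if ($0 ~ /-l[ \t]+VERBOSE/ && $0 ~ /-f[ \t]+LOCAL6/) ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# rsyslog_socket_conf USER
# Print the rsyslog lines for the listening-socket variant: an extra imuxsock
# socket inside the user's chroot (ChrootDirectory %h) plus the local6 rule.
rsyslog_socket_conf() {
    printf '$AddUnixListenSocket /home/%s/dev/log\n' "$1"
    printf 'local6.*\t/var/log/sftp.log\n'
}

# chroot_dir_ok DIR
# sshd rejects a ChrootDirectory unless it is owned by root and not writable
# by group or others; this checks DIR itself (assumes the parent, e.g. /home,
# already satisfies the same rule). Uses GNU stat's -c format.
chroot_dir_ok() {
    _mode_owner=$(stat -c '%a %u' "$1") || return 1
    set -- $_mode_owner          # $1 = octal mode (e.g. 755), $2 = owner uid
    [ "$2" -eq 0 ] || return 1
    case "$1" in
        *[2367]?|*?[2367]) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# bind_log_socket USER
# The bind-mount variant from the post, to be run as root.
bind_log_socket() {
    home=/home/$1
    chroot_dir_ok "$home" || { echo "$home is not a valid ChrootDirectory" >&2; return 1; }
    mkdir -p "$home/dev"
    touch "$home/dev/log"
    chmod 511 "$home/dev"
    chattr +i "$home/dev"
    mount --bind /dev/log "$home/dev/log"
}

# Usage (nothing runs when the script is invoked without arguments):
#   sh sftp_chroot_logging.sh check /etc/ssh/sshd_config
#   sh sftp_chroot_logging.sh conf alice >> /etc/rsyslog.d/51-sftp-chroot.conf
#   sudo sh sftp_chroot_logging.sh bind alice
case "${1:-}" in
    check) check_sshd_config "$2" ;;
    conf)  rsyslog_socket_conf "$2" ;;
    bind)  bind_log_socket "$2" ;;
esac
```

For the listening-socket variant, create /home/username/dev first and restart rsyslog afterwards; for the bind-mount variant, remember that the mount does not survive a reboot unless you add it to /etc/fstab or a boot script.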

I also saw a method that didn’t work for me, but was for HP-UX, and might work for Solaris, too, over here: http://community.hpe.com/t5/Security/ssh-subsystem-internal-sftp-chroot-and-logging/td-p/5272802
