[scponly] scponly and sftp-logging patch possible?

Mike Kriz Mike.Kriz at INFOCISION.COM
Thu Jul 28 11:18:44 EDT 2005


I updated openssh and the patch, I am now running openssh version 4.1,
and the newest sftp-logging patch.  I have the same symptoms, however. 

I just tested chmod, and it seems permission is denied regardless of the
setting specified in sshd_config.  Which is OK, but not sure what it
proves...

As for the socket, I did originally create a dev/log socket and add it
manually to syslog-ng.  However when it did not work without chrooting
either, I determined that wasn't the issue as you mentioned.

I contacted the author of the sftp-logging patch, but unfortunately have
not heard from him.

Since I do have it working with bash and other shells, I really believe
it to be some sort of scponly configuration issue.  However, there seem
to be no config options for scponly, other than the debuglevel?

Any other advice?  Thanks!    


-----Original Message-----
From: Ralf Durkee [mailto:rd at rd1.net] 
Sent: Thursday, July 28, 2005 10:43 AM
To: Mike Kriz
Cc: scponly at lists.ccs.neu.edu
Subject: Re: [scponly] scponly and sftp-logging patch possible?

You're going to need to create the appropriate syslog socket for the 
chrooted environment such as dev/log, but sounds like you have another 
problem since it's not logging in the non-chrooted environment.  Are the 
other features of the patch such as no chmod no chown working? If they 
are, then maybe there's something in the environment like a variable 
being required for the logging. There was a recent fix to the patch for 
environment variables. You may want to contact the author.

[ from http://sftplogging.sourceforge.net/ ]
June 23, 2005: openssh-4.0p1.sftplogging-v1.4.patch released which 
handles null values in environment variables. use this version if you're 
compiling on solaris. You may also use it on any other system, if you 
wish, although not necessary.


-- Ralf Durkee, CISSP, GSEC, GCIH
Principal Consultant
585-624-9551
http://rd1.net


Mike Kriz wrote:
> I am trying to find a way to provide an SFTP server, but I also need to 
> have verbose logging of all file transfers.  I have installed the 
> sftp-logging patch, and it works great, but only if the user's shell is 
> set to bash (or other system shells).  I would like to have these users 
> ideally chrooted with scponly as the shell, but still have the verbose 
> logs of all file transfers.
> 
> I am able to get a working chroot environment with scponlyc, however the 
> only log entries I get are logins and logouts.  I thought it might be an 
> issue with having a chroot, but I also get no logging with the non 
> chrooted version of scponly.  Anyone have any ideas?
> 
> I am running Gentoo Linux on x86.  My sshd_config sftp-logging section:
> 
> LogSftp yes
> SftpLogfacility AUTH
> SftpLogLevel VERBOSE
> SftpUmask 022
> SftpPermitChmod no
> SftpPermitChown no
> 
> *Mike Kriz*
> Systems Engineer
> Infocision Management - Enterprise Systems
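
Added example, not part of the original thread and not code from scponly or the sftp-logging patch: a small diagnostic for the chroot prerequisite discussed in the replies, checking that `<chroot>/dev/log` is a UNIX socket and that syslog-ng has a source reading it. The function names, the chroot directory and the syslog-ng config path are assumptions; pass your own values.

```shell
#!/bin/sh
# Added diagnostic (illustrative, not from the thread).
# Usage: sh check.sh <chroot-dir> <syslog-ng.conf>   (both paths are assumptions)

# Return 0 if <chroot>/dev/log exists and is a UNIX socket.
chroot_has_log_socket() {
    [ -S "$1/dev/log" ]
}

# Return 0 if the syslog-ng config has an uncommented unix-stream() or
# unix-dgram() source for <chroot>/dev/log. Returns 2 if the config is
# unreadable. Expects the form  unix-stream("/path")  with double quotes
# and no space before the parenthesis.
conf_listens_on_chroot() {
    conf=$1 sock=$2/dev/log
    [ -r "$conf" ] || return 2
    grep -v '^[[:space:]]*#' "$conf" |
        grep -F -e "unix-stream(\"$sock\"" -e "unix-dgram(\"$sock\"" >/dev/null
}

# Print a one-line verdict; return 0 only when both checks pass.
check_chroot_logging() {
    chroot_dir=${1%/} conf=$2
    if ! chroot_has_log_socket "$chroot_dir"; then
        echo "missing socket: $chroot_dir/dev/log"
        return 1
    fi
    if ! conf_listens_on_chroot "$conf" "$chroot_dir"; then
        echo "no syslog-ng source for $chroot_dir/dev/log in $conf"
        return 1
    fi
    echo "ok: $chroot_dir/dev/log is a socket and syslog-ng reads it"
}

if [ "$#" -eq 2 ]; then
    check_chroot_logging "$1" "$2"
fi
```

A pass here only confirms the socket plumbing; as the thread notes, logging was also missing without the chroot, so a second cause can remain.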


