[scponly] scponly and sftp-logging patch possible?

Kaleb Pederson kpederson at mail.ewu.edu
Fri Jul 29 15:27:12 EDT 2005


Hmmm.  Looks like I might have sent you off on a wild goose chase.  The 
sftp-logging patch and scponly aren't going to work together right now.  When 
patched, the sftp server issues the following:

    if (getenv("LOG_SFTP") && atoi(getenv("LOG_SFTP")) == 1)
    {
        permit_logging = 1;
        log_init("sftp-server", atoi(getenv("SFTP_LOG_LEVEL")),
            atoi(getenv("SFTP_LOG_FACILITY")), 0);
    };

Thus, it is using the environment variables which are expected to be there. 
From the strace you provided, scponly doesn't pass that along (third 
parameter):

execve("/usr/sbin/sftp-server", ["/usr/sbin/sftp-server"], [/* 0 vars */]) = 0

But, scponly does have enough information:

execve("/usr/local/bin/scponly", ["scponly", "-c", "/usr/lib/misc/sftp-server"], [/* 14 vars */]) = 0

So, the following patch to scponly-4.0 might work for you:

/* start patch */
--- scponly.c.orig      2005-07-29 12:21:44.000000000 -0700
+++ scponly.c   2005-07-29 12:22:06.000000000 -0700
@@ -519,9 +519,9 @@
                }
                else
 #endif
                {
-                       retval=execve(av[0],av,NULL);
+                       retval=execve(av[0],av,env);
                }
                syslog(LOG_ERR, "failed: %s with error %s(%u) (%s)", 
flat_request, strerror(errno), errno, logstamp());
                free(flat_request);
                discard_vector(av);
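Review bot: `retval=execve(av[0],av,env);` forwards the caller's entire environment into sftp-server, although the logging patch quoted above reads only LOG_SFTP, SFTP_LOG_LEVEL and SFTP_LOG_FACILITY; since scponly exists to narrow what the user can do, the safer change is to build a short NULL-terminated envp at this site containing just those three entries (each looked up with getenv and skipped if unset) and pass that instead of env, so nothing else the session was able to set on the sshd side is inherited by the server. A comment at the exec explaining why an environment is now passed here would also help the next reader, since the branch was deliberately passing NULL before.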
/* end patch */

I'm not sure how much this might be a security risk or not.  If you, like me, 
are only allowing sftp (not scp or anything of the like) then I don't see it 
really being an issue, but I'm not the expert and would request feedback from 
others as well.

Note that if you were to enable WINSCP compatibility mode, the environment 
would automatically be passed along without the patch being necessary.

I defer to others for the final solution, although the above will probably 
work for your needs.

--Kaleb



On Friday 29 July 2005 8:35 am, Mike Kriz wrote:
> Actually, it seems scponly is trying to write the log commands, but to
> file handler (2), which seems to not be the right place.  (2) is the
> result of dup2(9,2).
>
> Bash logs to the proper handle for /dev/log.  Could this be the source
> of the issue?
>
>
> Mike Kriz
> Systems Engineer
> Infocision Management - Enterprise Systems
>
> -----Original Message-----
> From: Mike Kriz
> Sent: Friday, July 29, 2005 10:13 AM
> To: scponly at lists.ccs.neu.edu
> Subject: RE: [scponly] scponly and sftp-logging patch possible?
>
> OK, here are my findings.  I ran the strace on both an account using
> scponly (non chrooted), and also an account using bash (where the
> logging is working correctly).
>
> Looking at the traces, the only thing interesting is a failed file open
> to /dev/log, but then it is followed by a successful open, so I think
> it's just trying to open it two different ways.  This is common in both
> sets of logs.
>
> I'm starting to think this may have something to do with environment
> variables after all.  I looked at the code for the sftp-logging patch,
> and it seems to default to logging being off if it can not read the
> variables from the environment.  Is it possible the scponly shell is
> somehow not handling these variables?  Is there a way to check?
>
> My thoughts are not that it doesn't even know it is supposed to log
> because it is not reading and passing the options properly.
>
> Anyone have any thoughts on this?  I have attached the strace log files
> for both sessions if anyone would like to examine them.
>
>
> Mike Kriz
> Systems Engineer
> Infocision Management - Enterprise Systems
>
> -----Original Message-----
> From: Kaleb Pederson [mailto:kpederson at mail.ewu.edu]
> Sent: Thursday, July 28, 2005 6:46 PM
> To: scponly at lists.ccs.neu.edu
> Cc: Mike Kriz
> Subject: Re: [scponly] scponly and sftp-logging patch possible?
>
> There are all sorts of things that could be affecting it.  I took a look
> briefly at the sftp logging patch, and it doesn't look like there is
> anything there that wouldn't work with scponly if the chroot is setup
> correctly.
>
> I would suggest you run strace on the server against the ssh process
> that is connecting.  You can then tell exactly which system calls are
> failing (with respect to logging) and should be able to figure out
> what's going on.
>
> I usually use something like this [ in this sequence ]:
>
> # from the client
> $ sftp username at hostname
> [prompts for password ... I don't enter it yet]
>
> # from the server
> $ ps -Af | grep -i username
> root     10206 16786  0 15:41 ?        00:00:00 sshd: username [priv]
> sshd     10207 10206  0 15:41 ?        00:00:00 sshd: username [net]
> root     10215 18650  0 15:42 pts/2    00:00:00 grep -i username
>
> # still on server, now knowing PIDs
> $ strace -o sftp.log -f -ff -p 10206
> # make sure you substitute the right PID above
>
> # from the client
> [ finish entering password ]
> [ execute sftp command you want logged ]
> [ quit]
>
> Now, you can take a look at sftp.log and find out what's going on.
> There will be several sftp.log.<PID> files created.  You'll be
> interested in the one that exec's the scponly process.
>
> I think that's about it.  Let us know what you find.
>
> Hope it helps.
>
> --Kaleb
>
> On Thursday 28 July 2005 8:18 am, Mike Kriz wrote:
> > I updated openssh and the patch, I am now running openssh version 4.1,
> > and the newest sftp-logging patch.  I have the same symptoms, however.
> >
> > I just tested chmod, and it seems permission is denied regardless of
> > the setting specified in sshd_config.  Which is OK, but not sure what
> > it proves...
> >
> > As for the socket, I did originally create a dev/log socket and add it
> > manually to syslog-ng.  However when it did not work without chrooting
> > either, I determined that wasn't the issue as you mentioned.
> >
> > I contacted the author of the sftp-logging patch, but unfortunately
> > have not heard from him.
> >
> > Since I do have it working with bash and other shells, I really
> > believe it to be some sort of scponly configuration issue.  However,
> > there seems to be no config options for scponly, other than the
> > debuglevel?
> >
> > Any other advice?  Thanks!
> >
> >
> > -----Original Message-----
> > From: Ralf Durkee [mailto:rd at rd1.net]
> > Sent: Thursday, July 28, 2005 10:43 AM
> > To: Mike Kriz
> > Cc: scponly at lists.ccs.neu.edu
> > Subject: Re: [scponly] scponly and sftp-logging patch possible?
> >
> > You're going to need to create the appropriate syslog socket for the
> > chrooted environment such as dev/log, but sounds like you have another
> > problem since it's not logging in the non-chrooted environment.  Are
> > the other features of the patch such as no chmod no chown working? If
> > they are, then maybe there's something in the environment like a
> > variable being required for the logging. There was a recent fix to the
> > patch for environment variables. You may want to contact the author.
> >
> > [ from http://sftplogging.sourceforge.net/ ]
> > June 23, 2005: openssh-4.0p1.sftplogging-v1.4.patch released which
> > handles null values in environment variables. use this version if
> > you're compiling on solaris. You may also use it on any other system,
> > if you wish, although not necessary.
> >
> >
> > -- Ralf Durkee, CISSP, GSEC, GCIH
> > Principal Consultant
> > 585-624-9551
> > http://rd1.net
> >
> > Mike Kriz wrote:
> > > I am trying to find a way to provide an SFTP server, but I also need
> > > to have verbose logging of all file transfers.  I have installed the
> > > sftp-logging patch, and it works great, but only if the user's shell
> > > is set to bash (or other system shells).  I would like to have these
> > > users ideally chrooted with scponly as the shell, but still have the
> > > verbose logs of all file transfers.
> > >
> > > I am able to get a working chroot environment with scponlyc, however
> > > the only log entries I get are logins and logouts.  I thought it
> > > might be an issue with having a chroot, but I also get no logging
> > > with the non chrooted version of scponly.  Anyone have any ideas?
> > >
> > > I am running Gentoo Linux on x86.  My sshd_config sftp-logging
> > > section:
> > > LogSftp yes
> > > SftpLogfacility AUTH
> > > SftpLogLevel VERBOSE
> > > SftpUmask 022
> > > SftpPermitChmod no
> > > SftpPermitChown no
> > >
> > > *Mike Kriz*
> > > Systems Engineer
> > > Infocision Management - Enterprise Systems
> >
> > _______________________________________________
> > scponly mailing list
> > scponly at lists.ccs.neu.edu
> > https://lists.ccs.neu.edu/bin/listinfo/scponly
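As an added illustration (not scponly's code and not written by anyone in this thread), the following C program shows the narrower alternative to forwarding the whole environment from scponly to sftp-server: instead of `execve(av[0], av, env)`, the wrapper builds a NULL-terminated envp holding only the three variables the sftp-logging patch reads (LOG_SFTP, SFTP_LOG_LEVEL and SFTP_LOG_FACILITY, the names quoted at the top of Kaleb's message) and passes that. The function names, the constructed sample environment and the entry limit are assumptions made for this example.

```c
/* Added example, not scponly's code: build an allowlisted environment for
 * the sftp-server exec instead of forwarding the caller's whole env.
 * Only the three variable names come from the thread; the rest is an
 * assumption for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The variables the sftp-logging patch reads; nothing else is forwarded. */
static const char *const SFTP_ENV_ALLOW[] = {
    "LOG_SFTP", "SFTP_LOG_LEVEL", "SFTP_LOG_FACILITY", NULL
};

/* Return 1 if a "NAME=value" entry names an allowlisted variable.
 * The name must match exactly: "SFTP_LOG_LEVEL_EXTRA=9" is not forwarded. */
static int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen;

    if (eq == NULL)
        return 0;                       /* malformed entry: drop it */
    namelen = (size_t)(eq - entry);
    for (size_t i = 0; SFTP_ENV_ALLOW[i] != NULL; i++) {
        if (strlen(SFTP_ENV_ALLOW[i]) == namelen &&
            strncmp(SFTP_ENV_ALLOW[i], entry, namelen) == 0)
            return 1;
    }
    return 0;
}

/* Copy the allowlisted entries of env into out (NULL-terminated, at most
 * max-1 entries). Returns the number of entries copied, or -1 if they do
 * not fit, so a too-small buffer fails loudly rather than silently
 * truncating. Pointers are shared with env, so env must outlive out. */
int build_sftp_env(char *const *env, char **out, size_t max)
{
    size_t n = 0;

    if (max == 0)
        return -1;
    for (size_t i = 0; env != NULL && env[i] != NULL; i++) {
        if (!env_entry_allowed(env[i]))
            continue;
        if (n + 1 >= max)
            return -1;                  /* no room left for the terminator */
        out[n++] = env[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Constructed sample environment, standing in for what sshd hands to the
 * login shell. It mixes wanted, unwanted and malformed entries. */
static char *const SAMPLE_ENV[] = {
    "HOME=/home/mike", "LOG_SFTP=1", "TERM=xterm",
    "SFTP_LOG_LEVEL=7", "SFTP_LOG_FACILITY=4",
    "SFTP_LOG_LEVEL_EXTRA=9", "MALFORMED", NULL
};

static char *sample_out[8];

/* Filter SAMPLE_ENV into sample_out; returns the number of entries kept. */
int demo_filter(void)
{
    return build_sftp_env(SAMPLE_ENV, sample_out, 8);
}

/* The i-th entry of the last demo_filter() result (NULL past the end). */
const char *demo_entry(size_t i)
{
    return sample_out[i];
}

/* Same filter with too little room: must report failure, not truncate. */
int demo_filter_small(void)
{
    char *small[3];
    return build_sftp_env(SAMPLE_ENV, small, 3);
}

int main(void)
{
    int n = demo_filter();

    printf("%d variable(s) forwarded to sftp-server:\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", sample_out[i]);
    /* In scponly the exec would then read: execve(av[0], av, sample_out); */
    return n < 0;
}
```

Compared with passing `env` wholesale, the filter keeps the patched branch of scponly equivalent to the old `NULL` environment for everything except the three logging knobs, which is the smallest change that makes the sftp-logging patch's `getenv` calls succeed.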