[scponly] Logging User Actions

Nilocsia at web.de
Tue Nov 14 08:49:12 EST 2006


At last I figured out how to enable debugging, so here's the log...

Nov 14 14:34:18 localhost sshd[21524]: Accepted publickey for scponly from 192.168.75.1 port 3305 ssh2
Nov 14 14:34:18 localhost sshd[21527]: subsystem request for sftp
Nov 14 14:34:18 localhost scponly[21528]: chrooted binary in place, will chroot()
Nov 14 14:34:18 localhost scponly[21528]: 3 arguments in total.
Nov 14 14:34:18 localhost scponly[21528]: arg 0 is scponlyc
Nov 14 14:34:18 localhost scponly[21528]: arg 1 is -c
Nov 14 14:34:18 localhost scponly[21528]: arg 2 is /usr/local/libexec/sftp-server
Nov 14 14:34:18 localhost scponly[21528]: opened log at LOG_AUTHPRIV, opts 0x00000009
Nov 14 14:34:18 localhost scponly[21528]: retrieved home directory of "/sftphome/scponly" for user "scponly"
Nov 14 14:34:18 localhost scponly[21528]: chrooting to dir: "/sftphome/scponly"
Nov 14 14:34:18 localhost scponly[21528]: chdiring to dir: "/"
Nov 14 13:34:18 localhost scponly[21528]: setting uid to 501
Nov 14 13:34:18 localhost scponly[21528]: processing request: "/usr/local/libexec/sftp-server" 
Nov 14 13:34:18 localhost scponly[21528]: Found "LOG_SFTP" and setting it to "1"
Nov 14 13:34:18 localhost scponly[21528]: Found "USER" and setting it to "scponly"
Nov 14 13:34:18 localhost scponly[21528]: Found "SFTP_UMASK" and setting it to ""
Nov 14 13:34:18 localhost scponly[21528]: Found "SFTP_PERMIT_CHMOD" and setting it to "1"
Nov 14 13:34:18 localhost scponly[21528]: Found "SFTP_PERMIT_CHOWN" and setting it to "1"
Nov 14 13:34:18 localhost scponly[21528]: Found "SFTP_LOG_LEVEL" and setting it to "4"
Nov 14 13:34:18 localhost scponly[21528]: Found "SFTP_LOG_FACILITY" and setting it to "3"
Nov 14 13:34:18 localhost scponly[21528]: Environment contains "LOG_SFTP=1"
Nov 14 13:34:18 localhost scponly[21528]: Environment contains "USER=scponly"
Nov 14 13:34:18 localhost scponly[21528]: Environment contains "SFTP_UMASK="
Nov 14 13:34:18 localhost scponly[21528]: Environment contains "SFTP_PERMIT_CHMOD=1"
Nov 14 13:34:18 localhost scponly[21528]: Environment contains "SFTP_PERMIT_CHOWN=1"
Nov 14 13:34:18 localhost scponly[21528]: Environment contains "SFTP_LOG_LEVEL=4"
Nov 14 13:34:18 localhost scponly[21528]: Environment contains "SFTP_LOG_FACILITY=3"
Nov 14 13:34:18 localhost scponly[21528]: running: /usr/local/libexec/sftp-server (username: scponly(501), IP/port: 192.168.75.1 3305 22)


Concerning Ralf's notes - Does anyone know

- how to create <chroot>/dev/log (mknod?)

- which libraries are needed in chrooted area

- where do the log-messages go? (/var/log or <chroot>/var/log)

Thank You.

Tobias
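
The gap this post describes (a chrooted scponly session that hands off to sftp-server and then logs nothing further) can be found after the fact by scanning the auth log. This is an added example, not code from the thread or from the scponly project; the sample lines are constructed in the format quoted in the thread, "alice" is a hypothetical user, and pairing the two log lines by user name is an assumption.

```python
import re

# Constructed sample in the syslog format quoted in the thread (not a real capture).
# "alice" is a hypothetical chrooted user whose chroot does deliver sftp-server logs.
SAMPLE_LOG = """\
Nov 9 12:37:00 localhost sftp-server[14073]: Starting sftp-server logging for user tobias.
Nov 9 12:37:53 localhost sftp-server[14073]: opendir /usr/local/etc
Nov 9 12:48:09 localhost scponly[16683]: running: /usr/local/libexec/sftp-server (username: scponly(501), IP/port: 192.168.75.1 1704 22)
Nov 9 12:50:00 localhost scponly[16700]: running: /usr/local/libexec/sftp-server (username: alice(502), IP/port: 192.168.75.2 1800 22)
Nov 9 12:50:00 localhost sftp-server[16700]: Starting sftp-server logging for user alice.
Nov 9 12:50:05 localhost sftp-server[16700]: opendir /
"""

# scponly's hand-off line, as it appears in the thread.
RUNNING = re.compile(
    r"scponly\[(\d+)\]: running: (\S+) "
    r"\(username: (\S+?)\((\d+)\), IP/port: (\S+) (\d+) (\d+)\)"
)
# First line written by the patched sftp-server, as it appears in the thread.
STARTED = re.compile(r"sftp-server\[\d+\]: Starting sftp-server logging for user (\S+?)\.\s*$")


def unaudited_sessions(log_text):
    """Return scponly sessions with no sftp-server start line after them."""
    pending = {}   # user -> session still waiting for sftp-server to log
    flagged = []
    for line in log_text.splitlines():
        m = RUNNING.search(line)
        if m:
            pid, _binary, user, uid, ip, port, _srv = m.groups()
            if user in pending:              # earlier session never logged
                flagged.append(pending[user])
            pending[user] = {
                "when": " ".join(line.split()[:3]),
                "pid": int(pid), "user": user, "uid": int(uid),
                "client": f"{ip}:{port}",
            }
            continue
        m = STARTED.search(line)
        if m:
            pending.pop(m.group(1), None)    # audit trail exists for this user
    flagged.extend(pending.values())
    return flagged


if __name__ == "__main__":
    for s in unaudited_sessions(SAMPLE_LOG):
        print("no sftp audit trail:", s)
```

A flagged session means file operations inside the chroot left no record, which is the condition Ralf's notes (patched sftp-server, /dev/log and libraries inside the chroot) are meant to address.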

-----------------------------------------------------------------
From: Ralf Durkee
Sent: 10.11.06 17:14:24
To: scponly at lists.ccs.neu.edu
Subject: Re: [scponly] Logging User Actions


Keep in mind that the logging patch modifies the sftp-server executable, 
so you need to make sure you have the patched version of sftp-server in 
the chrooted area. Also you will need the appropriate logging device 
such as /dev/log created in the chrooted area. There may be additional 
dynamic libraries needed as well.

-- Ralf Durkee, CISSP, GSEC, GCIH, GSNA
Principal Security Consultant
http://rd1.net



Nilocsia at web.de wrote:
>
> The sftp logging patch works fine but only with non-scponly-users:
>
> Nov 9 12:37:00 localhost sftp-server[14073]: Starting sftp-server logging for user tobias.
> ...
> Nov 9 12:37:53 localhost sftp-server[14073]: opendir /usr/local/etc
> Nov 9 12:37:56 localhost sftp-server[14073]: open /usr/local/etc/ssh_config
> Nov 9 12:37:56 localhost sftp-server[14073]: reading 1354 bytes from file
> Nov 9 12:37:56 localhost sftp-server[14073]: reading 0 bytes from file
>
> Logging in with a chroot-account that uses "scponlyc" creates just a message like this:
>
> Nov 9 12:48:09 localhost scponly[16683]: running: /usr/local/libexec/sftp-server (username: scponly(501), IP/port: 192.168.75.1 1704 22)
>
> Is there a way to activate sftp logging for scponlyc-users also?
>
> Thanks in advance.
>
> Tobias
>
> ------------------------------------------------------------------------
> *From:* Kaleb Pederson
> *Sent:* 19.10.06 17:22:57
> *To:* scponly at lists.ccs.neu.edu
> *Subject:* Re: [scponly] Logging User Actions
>
>
> If you turn on logging you will get some of that behavior if the user in
> question is using scp. Also, copy of multiple files will not really show up
> correctly because of the way files are transferred.
>
> If the user is using sftp, nothing useful will show up in the logs.
>
> If this is what you would like, the best thing to do would be to use the sftp
> logging patch available at http://sftplogging.sourceforge.net/
>
> I hope that helps.
>
> --Kaleb
>
>
> On Thursday 19 October 2006 5:00 am, Nilocsia at web.de wrote:
> > Is there an option in scponly (or maybe in OpenSSH) which allows logging of
> > user actions, like deleting or copying of files?
> >
> > Tobias.
> >
>