[scponly] sftp-server logging
Kaleb Pederson
kaleb.pederson at gmail.com
Fri Oct 26 20:37:09 EDT 2007
On Thursday 25 October 2007, Dave Miller wrote:
> I'm trying to get sftp-server to log what it's doing... according to
> the man pages, the version of openssh I have on my system already
> supports it natively, by sending the -l LOGLEVEL argument and/or -f
> LOGFACILITY to sftp-server from the sshd_config file. However, when I
> add any command-line arguments to sftp-server in sshd_config, scponly
> rejects the connection.
>
> I found the --enable-sftp-logging-compat compile-time flag, but that
> seems oriented around the environment variables that are looked for by
> the sftp logging patches at http://sftplogging.sourceforge.net/ and not
> the built-in capability in openssh. I'd like to avoid having to patch
> openssh, especially since the capability I'm looking for is already
> included in it.
I didn't know this was an option now. I'll add the two options that you
listed above as the only valid arguments and enable strict getopt processing
for the sftp-server.
Thanks for the details.
--Kaleb
> It appears that scponly is hard-coded to not allow any arguments at all
> for sftp-server, looking at the source. There are legal arguments for
> it, but only two (the two related to logging). It seems easy enough to
> toggle the "allow arguments to this" flag in the source, but the
> paranoid part of me is saying there should be something to ensure that
> only those two legal arguments are ever used. On the other hand, maybe
> sftp-server does enough checking on its own...
>
> This is the easy patch:
>
> --- scponly-4.6/scponly.c.bak 2006-01-30 15:09:40.000000000 -0800
> +++ scponly-4.6/scponly.c 2007-10-25 17:00:24.000000000 -0700
> @@ -29,7 +29,7 @@
> cmd_t commands[] =
> {
> #ifdef ENABLE_SFTP
> - { PROG_SFTP_SERVER, 0 },
> + { PROG_SFTP_SERVER, 1 },
> #endif /*ENABLE_SFTP*/
> #ifdef ENABLE_SCP2
> { PROG_LS, 1 },
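Review bot: on the `{ PROG_SFTP_SERVER, 1 },` line, setting the second field to 1 lifts the restriction for every argument, so nothing in this hunk limits sftp-server to the two logging options (-l LOGLEVEL and -f LOGFACILITY) that the message names as the only legal ones. I would pair the flag change with an explicit check that rejects any other option or trailing operand before sftp-server is run, rather than relying on sftp-server's own parsing. The table also carries no comment saying what the 0/1 field means; a one-line comment above `cmd_t commands[] =` would make the intent of this flip easier to review.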
>
> I'm not familiar enough with the code to feel safe trying to figure out
> how to validate the other two args and have it fit within the rest of
> the architecture that's set up for checking that stuff.
>
> Thanks!
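
An added example, not part of the original thread and not scponly's code: one way to restrict sftp-server to the two logging options discussed above. The name `sftp_server_args_ok` is hypothetical, the accepted values are the ones listed in sftp-server(8), and a small hand-written parser is used in place of getopt(3) so the check keeps no global state.

```c
#include <stddef.h>
#include <strings.h>

/* Values documented in sftp-server(8) for -l and -f. */
static const char *const LEVELS[] = { "QUIET", "FATAL", "ERROR", "INFO",
    "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3", NULL };
static const char *const FACILITIES[] = { "DAEMON", "USER", "AUTH",
    "LOCAL0", "LOCAL1", "LOCAL2", "LOCAL3", "LOCAL4", "LOCAL5", "LOCAL6",
    "LOCAL7", NULL };

/* Return 1 if value matches one of the NULL-terminated allowed names. */
static int in_list(const char *value, const char *const *allowed)
{
    for (; *allowed != NULL; allowed++)
        if (strcasecmp(value, *allowed) == 0)
            return 1;
    return 0;
}

/*
 * Hypothetical helper: return 1 only if argv[1..] consists solely of
 * "-l LEVEL" and "-f FACILITY" options with known values, 0 otherwise.
 */
int sftp_server_args_ok(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++) {
        const char *arg = argv[i];

        if (arg[0] != '-' || (arg[1] != 'l' && arg[1] != 'f'))
            return 0;                  /* operand or unknown option */
        const char *const *allowed = (arg[1] == 'l') ? LEVELS : FACILITIES;

        const char *value = arg + 2;   /* attached form: -lINFO */
        if (*value == '\0') {          /* separate form: -l INFO */
            if (++i >= argc)
                return 0;              /* option given without a value */
            value = argv[i];
        }
        if (!in_list(value, allowed))
            return 0;                  /* value not in the documented set */
    }
    return 1;
}

/* Stand-alone use: exit status 0 if this program's own arguments pass. */
int main(int argc, char *argv[])
{
    return sftp_server_args_ok(argc, argv) ? 0 : 1;
}
```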