[scponly] logging control
Christopher Barry
christopher.barry at qlogic.com
Wed Apr 1 12:00:47 EDT 2009
> -----Original Message-----
> From: Christopher Barry
> Sent: Tuesday, March 31, 2009 1:56 PM
> To: scponly at lists.ccs.neu.edu
> Subject: logging control
>
> Hi all,
>
> I've been playing around trying to get logging working in a way that
> produces the level of detail I would like, namely I want to see logs of
> similar detail to ftp logs. e.g.:
> who connects when, from where, what they do while connected, files
> uploaded/downloaded. Plus all auth failures.
>
> Docs are scant on this aspect. I tried the syslogd socket method in
> chroot /dev/log, but this did not seem to have any effect. I've set
> what I think are correct env vars (values? well, that's another
> question ;)
>
> ~# cat /etc/environment
> PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
> # for scponly
> LOG_SFTP=1
> SFTP_UMASK=022
> SFTP_PERMIT_CHMOD=0
> SFTP_PERMIT_CHOWN=0
> SFTP_LOG_LEVEL=LOG_DEBUG
> SFTP_LOG_FACILITY=LOG_AUTHPRIV
> # end
>
> Anyone made this type of logging work? Can you share how?
> keeping sshd @ DEBUG3 is kinda filling up my disk...;)
>
> Thanks,
> -C
>
Hi people,
Anyone have a chance to chew on this? Are there some docs/posts I've missed that I should read first?
Thought I'd go ahead and mention that I am writing a management application around scponly that controls chrooted sites, utilizing a key-based authentication scheme only - no passwords. It's called sftp-manager.
The organization is around the 'partner', who is the username used to access the site, and the Linux user. But the real 'user' is simply an email address/keypair combination. Users are tracked and maintained by their email address and key fingerprint.
A single key can allow access to any number of sites. The primary use of this app is to maintain and control a support environment where the 'partner' is a partner company, and the users are employees of that company or local support engineers. This way there are no shared passwords, and an individual can be removed from a site easily without making everyone change their passwords to maintain security.
So far it's working incredibly well, but it's got a way to go yet. Getting meaningful audit data is what this post is trying to help facilitate.
Once I get the app to a reasonably stable state, I'll release it to the wild.
Cheers,
-C
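
Added example, not part of the original message and not sftp-manager code: a Python illustration of the per-key model described above, where each partner's authorized_keys content is indexed by key fingerprint so that one individual can be located across sites and removed from a single site without touching anyone else's key. The key blobs, e-mail addresses, partner names and function names are constructed for illustration; fingerprints are computed in OpenSSH's SHA256 format.

```python
import base64, hashlib, struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def make_blob(seed):
    """Constructed ssh-ed25519 public key blob (sample data, not a real key)."""
    name, raw = b"ssh-ed25519", bytes([seed]) * 32
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(blob).decode()

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of the decoded key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """Return (fingerprint, comment) for an authorized_keys line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, tok in enumerate(fields[:-1]):   # options may precede the key type
        if tok in KEY_TYPES:
            return fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
    return None

def sites_for(fp, sites):
    """Partner sites whose authorized_keys contain this fingerprint."""
    return sorted(p for p, text in sites.items()
                  if any((parse_line(l) or ("",))[0] == fp for l in text.splitlines()))

def revoke(text, fp):
    """Drop every key matching fp; keep comments and other keys untouched."""
    kept = [l for l in text.splitlines() if (parse_line(l) or ("",))[0] != fp]
    return "\n".join(kept) + "\n"

ALICE, BOB = make_blob(1), make_blob(2)
SITES = {  # partner (Linux user) -> authorized_keys content, constructed
    "partner_a": f"# managed file\nssh-ed25519 {ALICE} alice@example.com\n"
                 f"no-pty ssh-ed25519 {BOB} bob@example.com\n",
    "partner_b": f"ssh-ed25519 {ALICE} alice@example.com\n",
}

if __name__ == "__main__":
    fp = fingerprint(ALICE)
    print(fp, "->", sites_for(fp, SITES))
    SITES["partner_a"] = revoke(SITES["partner_a"], fp)
    print(SITES["partner_a"], end="")
```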