[scponly] scponly and sftp-logging patch possible?

Mike Kriz Mike.Kriz at INFOCISION.COM
Fri Jul 29 10:13:28 EDT 2005


OK, here are my findings.  I ran the strace on both an account using
scponly (non chrooted), and also an account using bash (where the
logging is working correctly).

Looking at the traces, the only thing interesting is a failed file open
to /dev/log, but then it is followed by a successful open, so I think
it's just trying to open it two different ways.  This is common in both
sets of logs.

I'm starting to think this may have something to do with environment
variables after all.  I looked at the code for the sftp-logging patch,
and it seems to default to logging being off if it can not read the
variables from the environment.  Is it possible the scponly shell is
somehow not handling these variables?  Is there a way to check?

My thoughts are now that it doesn't even know it is supposed to log
because it is not reading and passing the options properly.

Anyone have any thoughts on this?  I have attached the strace log files
for both sessions if anyone would like to examine them.

Mike Kriz
Systems Engineer
Infocision Management - Enterprise Systems

-----Original Message-----
From: Kaleb Pederson [mailto:kpederson at mail.ewu.edu] 
Sent: Thursday, July 28, 2005 6:46 PM
To: scponly at lists.ccs.neu.edu
Cc: Mike Kriz
Subject: Re: [scponly] scponly and sftp-logging patch possible?

There are all sorts of things that could be affecting it.  I took a look
briefly at the sftp logging patch, and it doesn't look like there is
anything there that wouldn't work with scponly if the chroot is set up
correctly.

I would suggest you run strace on the server against the ssh process
that is connecting.  You can then tell exactly which system calls are
failing (with respect to logging) and should be able to figure out
what's going on.

I usually use something like this [ in this sequence ]:

# from the client
$ sftp username at hostname
[prompts for password ... I don't enter it yet]

# from the server
$ ps -Af | grep -i username
root     10206 16786  0 15:41 ?        00:00:00 sshd: username [priv]
sshd     10207 10206  0 15:41 ?        00:00:00 sshd: username [net]
root     10215 18650  0 15:42 pts/2    00:00:00 grep -i username

# still on server, now knowing PIDs
$ strace -o sftp.log -f -ff -p 10206
# make sure you substitute the right PID above

# from the client
[ finish entering password ]
[ execute sftp command you want logged ]
[ quit]

Now, you can take a look at sftp.log and find out what's going on.
There will be several sftp.log.<PID> files created.  You'll be
interested in the one that exec's the scponly process.

I think that's about it.  Let us know what you find.

Hope it helps.

--Kaleb


On Thursday 28 July 2005 8:18 am, Mike Kriz wrote:
> I updated openssh and the patch, I am now running openssh version 4.1,
> and the newest sftp-logging patch.  I have the same symptoms, however.
>
> I just tested chmod, and it seems permission is denied regardless of
> the setting specified in sshd_config.  Which is OK, but not sure what
> it proves...
>
> As for the socket, I did originally create a dev/log socket and add it
> manually to syslog-ng.  However when it did not work without chrooting
> either, I determined that wasn't the issue as you mentioned.
>
> I contacted the author of the sftp-logging patch, but unfortunately
> have not heard from him.
>
> Since I do have it working with bash and other shells, I really
> believe it to be some sort of scponly configuration issue.  However,
> there seem to be no config options for scponly, other than the
> debuglevel?
>
> Any other advice?  Thanks!
>
>
> -----Original Message-----
> From: Ralf Durkee [mailto:rd at rd1.net]
> Sent: Thursday, July 28, 2005 10:43 AM
> To: Mike Kriz
> Cc: scponly at lists.ccs.neu.edu
> Subject: Re: [scponly] scponly and sftp-logging patch possible?
>
> You're going to need to create the appropriate syslog socket for the
> chrooted environment such as dev/log, but sounds like you have another
> problem since it's not logging in the non-chrooted environment.  Are
> the other features of the patch such as no chmod no chown working? If
> they are, then maybe there's something in the environment like a
> variable being required for the logging. There was a recent fix to the
> patch for environment variables. You may want to contact the author.
>
> [ from http://sftplogging.sourceforge.net/ ]
> June 23, 2005: openssh-4.0p1.sftplogging-v1.4.patch released which
> handles null values in environment variables. Use this version if
> you're compiling on Solaris. You may also use it on any other system,
> if you wish, although not necessary.
>
>
> -- Ralf Durkee, CISSP, GSEC, GCIH
> Principal Consultant
> 585-624-9551
> http://rd1.net
>
> Mike Kriz wrote:
> > I am trying to find a way to provide an SFTP server, but I also need
> > to have verbose logging of all file transfers.  I have installed the
> > sftp-logging patch, and it works great, but only if the user's shell
> > is set to bash (or other system shells).  I would like to have these
> > users ideally chrooted with scponly as the shell, but still have the
> > verbose logs of all file transfers.
> >
> > I am able to get a working chroot environment with scponlyc, however
> > the only log entries I get are logins and logouts.  I thought it
> > might be an issue with having a chroot, but I also get no logging
> > with the non chrooted version of scponly.  Anyone have any ideas?
> >
> > I am running Gentoo Linux on x86.  My sshd_config sftp-logging
> > section:
> >
> > LogSftp yes
> > SftpLogfacility AUTH
> > SftpLogLevel VERBOSE
> > SftpUmask 022
> > SftpPermitChmod no
> > SftpPermitChown no
> >
> > Mike Kriz
> > Systems Engineer
> > Infocision Management - Enterprise Systems
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
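The strace procedure Kaleb describes leaves one sftp.log.<PID> file per process, and the thread's three hypotheses (a normal retry on /dev/log, a socket missing from the chroot, a sftp-server that never tries to log because the patch saw no environment variables) each look different in those files. As an added example, not code from anyone in this thread and not the attached traces, the script below finds the file whose process exec's scponly or scponlyc and classifies the outcome of reaching /dev/log; the trace lines, file names and paths are constructed.

```python
import re

# Constructed strace -f -ff output keyed by output file (one file per PID);
# not the traces attached to the thread.  glibc's openlog() first tries a
# SOCK_DGRAM connect to /dev/log and retries with SOCK_STREAM on EPROTOTYPE,
# which is the "fails once, then succeeds" pattern of a healthy session.
SAMPLE_TRACES = {
    "sftp.log.10206": [  # sshd [priv] parent: only forks, never logs for sftp
        "clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 10217",
    ],
    "sftp.log.10217": [  # healthy: scponly execs sftp-server, which reaches syslog
        'execve("/usr/bin/scponly", ["scponly", "-c", "/usr/lib/misc/sftp-server"], [/* 12 vars */]) = 0',
        'execve("/usr/lib/misc/sftp-server", ["/usr/lib/misc/sftp-server"], [/* 12 vars */]) = 0',
        "socket(PF_FILE, SOCK_DGRAM, 0) = 3",
        'connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 EPROTOTYPE (Protocol wrong type for socket)',
        "socket(PF_FILE, SOCK_STREAM, 0) = 3",
        'connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0',
    ],
    "sftp.log.10230": [  # chrooted (constructed jail path): no /dev/log inside the jail
        'execve("/usr/bin/scponlyc", ["scponlyc", "-c", "/usr/lib/misc/sftp-server"], [/* 12 vars */]) = 0',
        'chroot("/home/jail") = 0',
        'execve("/usr/lib/misc/sftp-server", ["/usr/lib/misc/sftp-server"], [/* 12 vars */]) = 0',
        'connect(3, {sa_family=AF_FILE, path="/dev/log"}, 110) = -1 ENOENT (No such file or directory)',
    ],
}

EXECVE_RE = re.compile(r'^execve\("([^"]+)"')
DEVLOG_RE = re.compile(r'^(?:connect|open)\(.*"/dev/log".*\)\s*=\s*(-?\d+)')


def analyze(traces):
    """Per trace file: the programs exec'd and the final outcome of reaching /dev/log."""
    report = {}
    for name, lines in traces.items():
        execs, outcomes = [], []
        for line in lines:
            if m := EXECVE_RE.match(line):
                execs.append(m.group(1))
            elif m := DEVLOG_RE.match(line):
                outcomes.append(int(m.group(1)) >= 0)  # 0 = success, -1 = failure
        if not outcomes:
            status = "never tried"  # sftp-server never called openlog(): logging left off?
        elif outcomes[-1]:
            status = "ok"           # earlier failures are the normal dgram->stream retry
        else:
            status = "failed"       # socket unreachable, e.g. no /dev/log in the chroot
        report[name] = {"execs": execs, "devlog": status}
    return report


def scponly_sessions(report):
    """Trace files whose process exec'd scponly or scponlyc: read these first."""
    return sorted(n for n, r in report.items()
                  if any(re.search(r"/scponlyc?$", p) for p in r["execs"]))
```

To use it on real output, replace SAMPLE_TRACES with the contents of the sftp.log.<PID> files written by the strace command above; a "never tried" result in the scponly session file points at the environment-variable hypothesis rather than at the socket.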
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sftp_strace.zip
Type: application/x-zip-compressed
Size: 20825 bytes
Desc: sftp_strace.zip
Url : https://lists.ccs.neu.edu/pipermail/scponly/attachments/20050729/2281b641/sftp_strace-0001.bin