[scponly] sftp-server logging
Dave Miller
justdave at mozilla.com
Fri Oct 26 01:34:15 EDT 2007
I'm trying to get sftp-server to log what it's doing... according to
the man pages, the version of openssh I have on my system already
supports it natively, by sending the -l LOGLEVEL argument and/or -f
LOGFACILITY to sftp-server from the sshd_config file. However, when I
add any command-line arguments to sftp-server in sshd_config, scponly
rejects the connection.

I found the --enable-sftp-logging-compat compile-time flag, but that
seems oriented around the environment variables that are looked for by
the sftp logging patches at http://sftplogging.sourceforge.net/ and not
the built-in capability in openssh. I'd like to avoid having to patch
openssh, especially since the capability I'm looking for is already
included in it.

It appears that scponly is hard-coded to not allow any arguments at all
for sftp-server, looking at the source. There are legal arguments for
it, but only two (the two related to logging). It seems easy enough to
toggle the "allow arguments to this" flag in the source, but the
paranoid part of me is saying there should be something to ensure that
only those two legal arguments are ever used. On the other hand, maybe
sftp-server does enough checking on its own...

This is the easy patch:
--- scponly-4.6/scponly.c.bak 2006-01-30 15:09:40.000000000 -0800
+++ scponly-4.6/scponly.c 2007-10-25 17:00:24.000000000 -0700
@@ -29,7 +29,7 @@
cmd_t commands[] =
{
#ifdef ENABLE_SFTP
- { PROG_SFTP_SERVER, 0 },
+ { PROG_SFTP_SERVER, 1 },
#endif /*ENABLE_SFTP*/
#ifdef ENABLE_SCP2
{ PROG_LS, 1 },
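Review bot: changing the second field of the PROG_SFTP_SERVER entry from 0 to 1 accepts every argument for sftp-server, not just the two logging options the message wants, and nothing in this hunk restricts which arguments get through. I would keep the entry restrictive and add an explicit check that the only arguments present are -l and -f, each followed by a value, before the command is allowed to run. A short comment on the table entry saying why arguments are permitted for sftp-server would also help the next reader.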
I'm not familiar enough with the code to feel safe trying to figure out
how to validate the other two args and have it fit within the rest of
the architecture that's set up for checking that stuff.
Thanks!
--
Dave Miller http://www.justdave.net/
System Administrator, Mozilla Corporation http://www.mozilla.com/
Project Leader, Bugzilla Bug Tracking System http://www.bugzilla.org/