Discussion:
Cannot get sftp transfers to log in the systemd journal
John
2016-05-09 16:10:25 UTC
I'd like to have sshd write entries into the systemd journal logging sftp transfers. From googling, it seems that one needs to edit /etc/ssh/sshd_config adding this line:

Subsystem sftp /usr/lib/ssh/sftp-server -f AUTH -l VERBOSE


I can transfer files via filezilla (sftp) but I don't get anything in `journalctl -u sshd` that shows these transfers, just a few lines showing I connected. What am I doing wrong? I am using version 7.2p2 on Arch Linux. Thanks in advance!
Jakub Jelen
2016-05-10 08:52:33 UTC
Post by John
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTH -l VERBOSE
I can transfer files via filezilla (sftp) but I don't get anything in `journalctl -u sshd` that shows these transfers, just a few lines showing I connected. What am I doing wrong? I am using version 7.2p2 on Arch Linux. Thanks in advance!
These logs are logged under a different "user" than sshd. They should be
logged under the "sftp-server" process name. It certainly works on
Fedora/RHEL, unless:

* you are in a chroot -- this requires a slightly different approach
* your user is blocked from opening or writing to /dev/log, or however
syslog is configured to accept logs

Note that using the above settings logs under the user logging in and not
under root, so you need appropriate access.

Regards,
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
Darren Tucker
2016-05-10 08:58:59 UTC
Maybe try the internal-sftp subsystem instead of sftp? That runs inside
sshd which has provisions for syslogging from inside a chroot (instead of
as a separate executable).
Post by John
I'd like to have sshd write entries into the systemd journal logging sftp
transfers. From googling, it seems that one needs to edit
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTH -l VERBOSE
I can transfer files via filezilla (sftp) but I don't get anything in
`journalctl -u sshd` that shows these transfers, just a few lines showing I
connected. What am I doing wrong? I am using version 7.2p2 on Arch
Linux. Thanks in advance!
_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Jakub Jelen
2016-05-10 11:15:35 UTC
Post by John
Thank you for the reply. Indeed, I see entries for the entries in my journalctl output under 'sftp-server' if I transfer a file from a normal user on my system. I also set up a chroot-jail but as you mentioned, no logs are written for these. What is the different approach I need to use?
There are two possibilities. Either you set up a logging socket in the chroot
and set up syslog/journal to receive messages from it, or there is some
possibility to log over the socket opened by the parent (before going
into the chroot), which is a somewhat hacky solution (and not upstream for some
reason). We have got the patch in our git [1], but there will probably
be some bug in upstream bugzilla.

[1]
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.6.1p1-log-in-chroot.patch

Regards,
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
John
2016-05-10 10:57:13 UTC
Post by John
Post by John
I'd like to have sshd write entries into the systemd journal logging
sftp transfers. From googling, it seems that one needs to edit
Post by John
Subsystem sftp /usr/lib/ssh/sftp-server -f AUTH -l VERBOSE
I can transfer files via filezilla (sftp) but I don't get anything in
`journalctl -u sshd` that shows these transfers, just a few lines showing I
connected. What am I doing wrong? I am using version 7.2p2 on Arch Linux.
Thanks in advance!
These logs are logged under different "user" than sshd. It should be
logged under "sftp-server" process name. It certainly works on
* you are in chroot -- this requires a bit different approach
* your user is blocked from opening or writing to /dev/log or however
is syslog configured to accept logs
Note, that using above settings logs under the user logging in and not
under root so you need appropriate access.
Thank you for the reply. Indeed, I see entries for the entries in my journalctl output under 'sftp-server' if I transfer a file from a normal user on my system. I also set up a chroot-jail but as you mentioned, no logs are written for these. What is the different approach I need to use?

To help, here is the relevant section of my sshd_config:

Match group sshusers
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    PasswordAuthentication yes
    ForceCommand internal-sftp
John
2016-05-10 12:19:38 UTC
Post by Jakub Jelen
There are two possibilities. Either you set up logging socket in chroot
and set up syslog/journal to receive message from it, or there is some
possibility to log over the socket opened by the parent (before going
into chroot), which is a bit hacky solution (and not upstream for some
reason). We have got the patch in our git [1], but there will probably
be some bug in upstream bugzilla.
[1]
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.6.1p1-log-in-chroot.patch
Regards,
Thanks for the reply, Jakub. The patch you pointed me to does not apply to the current release of openssh unfortunately (v7.2p2). Do you have a more contemporary version of the patch I can try?

I can google around for a logging socket... I assume this can be implemented without the patch you referenced and on the current version 7.2p2?
Jakub Jelen
2016-05-10 12:22:30 UTC
Post by John
Post by Jakub Jelen
There are two possibilities. Either you set up logging socket in chroot
and set up syslog/journal to receive message from it, or there is some
possibility to log over the socket opened by the parent (before going
into chroot), which is a bit hacky solution (and not upstream for some
reason). We have got the patch in our git [1], but there will probably
be some bug in upstream bugzilla.
[1]
http://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-6.6.1p1-log-in-chroot.patch
Regards,
Thanks for the reply, Jakub. The patch you pointed me to does not apply to the current release of openssh unfortunately (v7.2p2). Do you have a more contemporary version of the patch I can try?
It applies, but there are also other conflicting patches in Fedora
probably. We use exactly this one for openssh-7.2
Post by John
I can google around for a logging socket... I assume this can be implemented without the patch you referenced and on the current version 7.2p2?
Yes. The logging socket in chroot solution should work without the above
patch.
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
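
Added example (not part of the original thread, and not OpenSSH or Fedora code): a sketch of the "logging socket in chroot" approach discussed above, generating the syslog listeners and the matching sshd_config block. It assumes rsyslog with the imuxsock module already loaded; the function names and sample accounts are hypothetical.

```shell
#!/bin/sh
# Added example: generate the two config pieces for the "logging socket in
# chroot" approach. Assumes rsyslog with imuxsock already loaded (assumption,
# not stated in the thread); function names are hypothetical.

# Constructed sample in passwd(5) format, e.g. from `getent passwd`.
SAMPLE_PASSWD='alice:x:1001:1001::/home/alice:/usr/bin/nologin
bob:x:1002:1002::/home/bob/:/usr/bin/nologin
carol:x:1003:1003::/home/carol:/bin/bash'

# chroot_log_inputs MEMBERS < passwd-lines
# MEMBERS is a comma-separated user list (4th field of `getent group sshusers`).
# Prints one rsyslog listener per member at <home>/dev/log, which is where
# syslog(3) inside "ChrootDirectory %h" looks for /dev/log.
chroot_log_inputs() {
    members=",$1,"
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$members" in *",$user,"*) ;; *) continue ;; esac
        case "$home" in /*) ;; *) continue ;; esac   # absolute paths only
        home=${home%/}
        [ -n "$home" ] || continue   # "/" would shadow the system /dev/log
        printf 'input(type="imuxsock" Socket="%s/dev/log")\n' "$home"
    done
}

# sshd_match_block GROUP
# The -f/-l options go on ForceCommand: it replaces the Subsystem command
# line, so options given only on "Subsystem sftp ..." are not used here.
sshd_match_block() {
    cat <<EOF
Match group $1
    ChrootDirectory %h
    ForceCommand internal-sftp -f AUTH -l VERBOSE
EOF
}

# Demo on the constructed data; review the output before installing it, e.g.
# into /etc/rsyslog.d/ and sshd_config, and create each <home>/dev (root-owned)
# before restarting rsyslog.
printf '%s\n' "$SAMPLE_PASSWD" | chroot_log_inputs "alice,bob"
sshd_match_block sshusers
```

Once the listeners exist, the chrooted sessions' transfer records arrive through rsyslog rather than under the sshd unit, so look for them wherever rsyslog routes the AUTH facility.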