On 03.09.21 01:05, Travis Hayes wrote:
> I am concerned about the following note in the man page: 'For file
> transfer sessions using ''sftp'', no additional configuration of the
> environment is necessary if the in-process sftp server is used, though
> sessions which use logging do require /dev/log inside the chroot
> directory'
>
> As I haven't created a /dev/log socket in the directory, I am concerned
> that there is logging information I will wish I had.

Note that providing a large number of chroots with /dev/log scales very
poorly, because you'll need to configure your syslogd(-variant) to access
and read every single one of them.

On our SFTP server - which happens to be CentOS 7 as well -, I provide stub
/etc/passwd and /etc/group (just so that directory listings will not show
bare UIDs/GIDs), an empty /dev, a /README text file for a welcome(*), a
writable subdir for the uploads, and told the sshd to (among other things):

SyslogFacility AUTHPRIV
Subsystem sftp internal-sftp
Match group mandanten
    ForceCommand internal-sftp -l INFO -u 0077
    Banner /home/chroot/README
    AuthorizedKeysCommand [...] (**)
    AuthorizedKeysCommandUser [...]

- and nonetheless get to see all the open's and close's recorded in
/var/log/secure.

(*) Individual /READMEs get refreshed in regular intervals, by appending the
respective user's current disk quota status to the global
/home/chroot/README. I make a point of having a Banner right from square one
so that automated clients will not enter production unless they've been
taught to deal with the extra noise.

(**) Using the AuthorizedKeysCommand system allows me to keep the management
of pubkeys a) in our hands and b) out of the chroots. Both are our policy
choices; YMMV.

Regards,
--
Jochen Bern
Systems Engineer

T +49 6151 9067-231
F +49 6151 9067-290
E jochen.bern@xxxxxxxxx
W www.binect.de

Binect GmbH
Robert-Koch-Str. 9
64331 Weiterstadt

Geschäftspost.Einfach.Digital.
We are certified to ISO/IEC 27001:2013 and 9001:2015.
BMWi promotes digital solutions for SMEs.

Managing directors: Dr. Frank Wermeyer, Michael Imiolczyk
Registered office: Weiterstadt
Register: Amtsgericht Darmstadt, HRB 94685
VAT ID: DE 221 302 264
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
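An added example, not part of the message above and not OpenSSH's own tooling: a POSIX shell script that lays out a ChrootDirectory tree like the one Jochen describes (stub /etc/passwd and /etc/group, an empty /dev, a /README used as the Banner, a writable upload subdir) and then checks every path component against the rule sshd_config(5) states for ChrootDirectory, namely that all components must be root-owned and not writable by group or others. The login name alice, uid/gid 1001, the /upload subdir and the scratch path are constructed placeholders; the group name mandanten is taken from the Match line in the message.

```shell
#!/bin/sh
# Added example: build a ChrootDirectory tree as described in the message and
# check it for the ownership/permission rule sshd applies before chrooting.
# User, uid/gid and paths below are constructed placeholders, not real values.

make_sftp_chroot() {
    root=$1    # chroot directory, e.g. /home/chroot (assumed path)
    user=$2    # SFTP login name (placeholder)
    uid=$3
    gid=$4
    group=$5   # group named in the sshd 'Match group' block

    mkdir -p "$root/etc" "$root/dev" "$root/upload" || return 1

    # Stub passwd/group so listings inside the chroot show names, not bare ids.
    printf 'root:x:0:0:root:/:/sbin/nologin\n%s:x:%s:%s::/upload:/sbin/nologin\n' \
        "$user" "$uid" "$gid" > "$root/etc/passwd"
    printf 'root:x:0:\n%s:x:%s:\n' "$group" "$gid" > "$root/etc/group"

    # Banner text; the message refreshes this file periodically with quota info.
    printf 'Welcome to the upload service. Put files in /upload.\n' > "$root/README"

    # Everything except the upload subdir is read-only for the SFTP user.
    chmod 0755 "$root" "$root/etc" "$root/dev"
    chmod 0644 "$root/etc/passwd" "$root/etc/group" "$root/README"
    chmod 0750 "$root/upload"

    # Ownership can only be set when running as root; scratch runs skip it.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$root" "$root/etc" "$root/dev" "$root/README"
        chown "$uid:$gid" "$root/upload"
    fi
}

# Prints every path component, from the chroot up to /, that is group- or
# world-writable. sshd refuses the login if any such component exists.
writable_components() {
    dir=${1%/}
    while [ -n "$dir" ]; do
        find -H "$dir" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null
        dir=${dir%/*}
    done
    find -H / -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null
}

# Prints every path component, from the chroot up to /, not owned by root.
non_root_components() {
    dir=${1%/}
    while [ -n "$dir" ]; do
        find -H "$dir" -prune ! -user root -print 2>/dev/null
        dir=${dir%/*}
    done
    find -H / -prune ! -user root -print 2>/dev/null
}

# Builds a throwaway tree under mktemp and reports what sshd would object to.
demo() {
    scratch=$(mktemp -d) || return 1
    make_sftp_chroot "$scratch/chroot" alice 1001 1001 mandanten
    echo "group/world-writable components:"
    writable_components "$scratch/chroot"
    echo "components not owned by root:"
    non_root_components "$scratch/chroot"
    rm -rf "$scratch"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Running the script with the argument `demo` builds the tree under a temporary directory and prints the offending components; on a normal system /tmp shows up as world-writable, which is exactly why a chroot cannot live there. For a real deployment, source the script, call `make_sftp_chroot /home/chroot <user> <uid> <gid> mandanten` as root, and expect both check functions to print nothing.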