Re: Re: Howto log multiple sftpd instances with their chroot shared via NFS

Jochen, are you sure that you see the real, detailed sftp user session activity log, e.g.

internal-sftp[27918]: session opened for local user <username> from [1.2.3.4]
internal-sftp[27918]: open "/in/file.dat" flags WRITE,CREATE,TRUNCATE mode 0666

etc. and not just the sshd auth log, e.g.

sftpd[4772]: Accepted publickey for <username> from 1.2.3.4 port 45504 ssh2

? With Ubuntu 18.04.1 LTS and its shipped OpenSSH 7.6p1-4ubuntu0.5 I cannot get any sftp session logging when there is only an empty /dev directory under the user's chroot directory, without its "log" file.

I wonder whether it would be a bug or a feature if you can manage to get sftp session logging without /dev/log in the sftp user's chroot dir?
What CentOS and OpenSSH version do you have exactly?
What could be the difference in the CentOS OpenSSH? Do you use special startup options?

Peter,
> I think that works specifically because *no* new process is created
> when using internal-sftp as opposed to executing the sftp-server binary.

For every sftp subsystem login (here with user "sftp_nagios"), I see a new sftpd process created:

First login:

ps auxww |grep sftp
root      4192  0.0  0.1  72304  6512 ?        Ss   11:01   0:00 /usr/sbin/sftpd -D -f /etc/sftpd/sftpd_config
root      4590  0.2  0.1  74736  6632 ?        Ss   11:05   0:00 sftpd: sftp_nagios [priv]
sftp_na+  4592  0.0  0.0  74736  3432 ?        S    11:05   0:00 sftpd: sftp_nagios@notty
sftp_na+  4593  0.0  0.0  74736  3108 ?        Ss   11:05   0:00 sftpd: sftp_nagios@internal-sftp

Then log out and log in again, second login:

ps auxww |grep sftp
root      4192  0.0  0.1  72304  6512 ?        Ss   11:01   0:00 /usr/sbin/sftpd -D -f /etc/sftpd/sftpd_config
root      4630  0.5  0.1  74736  6596 ?        Ss   11:05   0:00 sftpd: sftp_nagios [priv]
sftp_na+  4632  0.0  0.0  74736  3552 ?        S    11:05   0:00 sftpd: sftp_nagios@notty
sftp_na+  4633  0.0  0.0  74736  3164 ?        Ss   11:05   0:00 sftpd: sftp_nagios@internal-sftp


> Sent: Sunday, 26 September 2021 at 22:20
> From: "Peter Stuge" <peter@xxxxxxxx>
> To: openssh-unix-dev@xxxxxxxxxxx
> Subject: Re: Howto log multiple sftpd instances with their chroot shared via NFS
>
> Jochen Bern wrote:
> > OK. This is a behavior I see (and use) on a CentOS SFTP server, but I
> > have no idea how portable it is to other distribs, so just give it a try:
> >
> > > # egrep '^[^#]*( mand|sftp)' /etc/ssh/sshd_config
> > > Subsystem       sftp    internal-sftp
> > > Match group mandanten
> > >         ForceCommand internal-sftp -l INFO -u 0077
> >
> >
> > > # ls -al ~lvinq4/dev
> > > insgesamt 0
> > > drwx--x---. 2 root mandanten  6 20. Mai 17:25 .
> > > drwxr-x---. 5 root mandanten 54 24. Aug 15:38 ..
> >
> > As you can see, the chroots have an *empty* /dev subdir, but logging
> > *still works*, apparently because the chrooted process just keeps using
> > the system-central /dev/log it opened *before* chroot()ing.
>
> I think that works specifically because *no* new process is created
> when using internal-sftp as opposed to executing the sftp-server binary.
>
> If syslog-ng can be made to reliably route internal-sftp messages to
> user-specific log files then this approach would work well in Hildegard's
> setup and would be a lot more pleasant than messing with LD_PRELOAD.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
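The mechanism Jochen describes in the quoted text (a socket to /dev/log opened before chroot() keeps working afterwards, while opening /dev/log from inside a jail with an empty /dev fails) as an added Python demonstration, not code from this thread or from OpenSSH: a fake syslog socket in a temp dir stands in for /dev/log, a forked child connects to it, chroots into a directory whose /dev is empty, and then logs. The chroot() step needs root (CAP_SYS_CHROOT) and is skipped when unavailable.

```python
import os
import socket
import tempfile


def syslog_across_chroot(message=b"<14>internal-sftp[1]: session opened"):
    """Return (received, reopen_errno, jailed).

    received     - bytes the fake syslog server got after the child chrooted
    reopen_errno - errno from connecting to /dev/log *inside* the jail
                   (None when the chroot could not be entered)
    jailed       - True when chroot() succeeded (requires root)
    """
    work = tempfile.mkdtemp()
    log_path = os.path.join(work, "log")          # stand-in for /dev/log
    jail = os.path.join(work, "jail")
    os.makedirs(os.path.join(jail, "dev"))       # empty /dev, like the CentOS chroot

    server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    server.bind(log_path)
    server.settimeout(5)

    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                  # child plays the sftp session
        os.close(rfd)
        client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        client.connect(log_path)                  # opened BEFORE chroot()
        try:
            os.chroot(jail)
            os.chdir("/")
            jailed = True
        except OSError:                           # EPERM: not root, keep going
            jailed = False
        client.send(message)                      # already-open fd survives chroot
        reopen = -1
        if jailed:
            try:                                  # fresh open inside the jail
                socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM).connect("/dev/log")
                reopen = 0
            except OSError as exc:                # expected: ENOENT, /dev is empty
                reopen = exc.errno
        os.write(wfd, f"{int(jailed)} {reopen}".encode())
        os._exit(0)

    os.close(wfd)
    received = server.recv(4096)
    jailed, reopen = os.read(rfd, 64).decode().split()
    os.waitpid(pid, 0)
    return received, (int(reopen) if int(jailed) else None), bool(int(jailed))
```

Run as root to see both halves: the message arrives although the jail has no /dev/log, and the reopen attempt fails with ENOENT, which is exactly the situation of a freshly spawned, chrooted sftp-server process.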