On 29.09.21 11:18, Hildegard Meier wrote:
> Jochen, are you sure that you see the real sftp user session detailed
> activity log, e.g.
>
>   internal-sftp[27918]: session opened for local user <username> from [1.2.3.4]
>   internal-sftp[27918]: open "/in/file.dat" flags WRITE,CREATE,TRUNCATE mode 0666
>
> etc. and not just the sshd auth log, e.g.
>
>   sftpd[4772]: Accepted publickey for <username> from 1.2.3.4 port 45504 ssh2
Considering that I'm the one who gets to debug both customers' connectivity *and* concurrent-file-operations problems, I'm *quite* sure of that. :-)
sshd[27049]: Accepted publickey for [REDACTED] from [REDACTED] port 54343 ssh2: RSA SHA256:[REDACTED]
sshd[27049]: pam_unix(sshd:session): session opened for user [REDACTED] by (uid=0)
sshd[27049]: session opened for local user [REDACTED] from [REDACTED] [postauth]
sshd[27049]: sent status No such file [postauth]
sshd[27049]: sent status No such file [postauth]
sshd[27049]: open "[REDACTED]" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
sshd[27049]: close "[REDACTED]" bytes read 0 written 5870358 [postauth]
sshd[27049]: session closed for local user [REDACTED] from [REDACTED] [postauth]
sshd[27049]: pam_unix(sshd:session): session closed for user [REDACTED]

- all from today's /var/log/messages.
> I wonder if it would be a bug or a feature if you can manage to get sftp
> session logging without /dev/log in the sftp user's chroot dir?
I'm in the dark whether that behavior is *intended* (and if so, by whom exactly), hence my reluctance to openly recommend my setup to others ...
> What CentOS and OpenSSH version do you have exactly?
Current CentOS 7 with its genuine OpenSSH package (openssh-7.4p1-21.el7.x86_64).
> Do you have special starting options?
Various hardened settings, but the only ones I'd *expect* to affect *logging* in *any* way would be:
  SyslogFacility AUTHPRIV
  UsePAM yes    # That's why there's messages from PAM in the log above
  UsePrivilegeSeparation sandbox
  Subsystem sftp internal-sftp
  Match group mandanten
      PermitTTY no
      ForceCommand internal-sftp -l INFO -u 0077
>> If a newly-started syslogd on server A does indeed REMOVE AND RECREATE
>> the /dev/log sockets,
>
> If /dev dir under sftp user's chroot dir exists but there is no "log" file
> in it, it gets created by syslog-ng. It is never removed afterwards.

If a .../dev/log is created within the .../dev/ directory *on the NFS share*, and never removed, that means that all the .../dev/log's that are there were created *ONCE* by whichever syslogd got restarted *first* after the user was created, correct? But still only the syslogd restarted *last*, no matter whether on the same server or the other, gets that user's log messages? I'm getting a murder mystery vibe here ...
Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
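As an added example, not code from the thread or from OpenSSH: a small Python parser for the internal-sftp lines quoted above. It keys on the `sshd[PID]` (or `internal-sftp[PID]`) tag, drops the trailing `[postauth]` marker, and pairs each `open` with its `close` to reconstruct per-session file activity. The embedded log lines are constructed, modelled on the ones in the mail (users, addresses and sizes are made up).

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the ones quoted in the mail above; note that
# internal-sftp logs under the sshd[PID] tag there, with a trailing "[postauth]" marker.
SAMPLE_LOG = """\
Sep 29 11:18:01 host sshd[27049]: Accepted publickey for alice from 192.0.2.10 port 54343 ssh2: RSA SHA256:AAAA
Sep 29 11:18:01 host sshd[27049]: session opened for local user alice from [192.0.2.10] [postauth]
Sep 29 11:18:02 host sshd[27049]: sent status No such file [postauth]
Sep 29 11:18:02 host sshd[27049]: open "/in/file.dat" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth]
Sep 29 11:18:05 host sshd[27049]: close "/in/file.dat" bytes read 0 written 5870358 [postauth]
Sep 29 11:18:05 host sshd[27049]: session closed for local user alice from [192.0.2.10] [postauth]
Sep 29 11:20:00 host internal-sftp[27918]: session opened for local user bob from [198.51.100.7]
Sep 29 11:20:01 host internal-sftp[27918]: open "/out/report.csv" flags READ mode 0666
Sep 29 11:20:03 host internal-sftp[27918]: close "/out/report.csv" bytes read 4096 written 0
"""

# syslog prefix, process tag, PID, message; an optional " [postauth]" suffix is dropped
LINE_RE = re.compile(r'^\S+\s+\d+\s+\S+\s+\S+\s+(?P<tag>sshd|internal-sftp)\[(?P<pid>\d+)\]: '
                     r'(?P<msg>.*?)(?: \[postauth\])?$')
SESSION_RE = re.compile(r'^session (?P<event>opened|closed) for local user (?P<user>\S+) from \[(?P<client>[^\]]+)\]$')
OPEN_RE = re.compile(r'^open "(?P<path>[^"]+)" flags (?P<flags>\S+) mode (?P<mode>[0-7]+)$')
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)$')

def parse_sftp_sessions(log_text):
    """Group internal-sftp lines by PID into sessions with their file open/close pairs."""
    sessions = {}                      # pid -> {"user", "client", "files", "closed"}
    pending = defaultdict(dict)        # pid -> path -> flags seen at open, until the close
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # not an sshd/internal-sftp line at all
        pid, msg = m["pid"], m["msg"]
        if (s := SESSION_RE.match(msg)):
            if s["event"] == "opened":
                sessions[pid] = {"user": s["user"], "client": s["client"], "files": [], "closed": False}
            elif pid in sessions:
                sessions[pid]["closed"] = True
        elif (o := OPEN_RE.match(msg)) and pid in sessions:
            pending[pid][o["path"]] = o["flags"]
        elif (c := CLOSE_RE.match(msg)) and pid in sessions:
            flags = pending[pid].pop(c["path"], "?")   # "?" if the open line never reached syslog
            sessions[pid]["files"].append({"path": c["path"], "flags": flags,
                                           "read": int(c["read"]), "written": int(c["written"])})
    return sessions

def uploads(sessions, min_bytes=1):
    """(user, client, path, bytes) for every file that a session wrote at least min_bytes to."""
    return [(s["user"], s["client"], f["path"], f["written"]) for s in sessions.values() for f in s["files"] if f["written"] >= min_bytes]
```

Auth-only lines such as `Accepted publickey` are matched by the prefix but carry no session or file event, so they are skipped; a session with no `session closed` line stays marked as open.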