Thanks Jochen, > > sshd[27049]: Accepted publickey for [REDACTED] from [REDACTED] port 54343 ssh2: RSA SHA256:[REDACTED] > > sshd[27049]: pam_unix(sshd:session): session opened for user [REDACTED] by (uid=0) > > sshd[27049]: session opened for local user [REDACTED] from [REDACTED] [postauth] > > sshd[27049]: sent status No such file [postauth] > > sshd[27049]: sent status No such file [postauth] > > sshd[27049]: open "[REDACTED]" flags WRITE,CREATE,TRUNCATE mode 0666 [postauth] > > sshd[27049]: close "[REDACTED]" bytes read 0 written 5870358 [postauth] > > sshd[27049]: session closed for local user [REDACTED] from [REDACTED] [postauth] > > sshd[27049]: pam_unix(sshd:session): session closed for user [REDACTED] Have all sftp log messages from today the prefix sshd[27049]? No other PIDs logged? I guess PID 27049 is the PID of the main sftpd(sshs) process? > > SyslogFacility AUTHPRIV > > UsePAM yes # That's why there's messages from PAM in the log above > > UsePrivilegeSeparation sandbox > > Subsystem sftp internal-sftp > > Match group mandanten > > PermitTTY no > > ForceCommand internal-sftp -l INFO -u 0077 > Sorry for this question, but just to be sure because you neither posted this here nor in your other post https://lists.mindrot.org/pipermail/openssh-unix-dev/2021-September/039673.html where you post the output of "egrep '^[^#]*( mand|sftp)' /etc/ssh/sshd_config" You have "ChrootDirectory" set in sshd_config, right? E.g. I have set ChrootDirectory %h > If a .../dev/log is created within the .../dev/ directory *on the NFS > share*, and never removed, that means that all the .../dev/log's there > are were created *ONCE* by whichever syslogd got restarted *first* after > the user was created, correct? But still only the syslogd restarted > *last*, no matter whether on the same server or the other, gets that > user's log messages? That's correct _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
