Log which client command has been denied due to blacklist

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



When restricting the allowed sftp-server commands with the whitelist/blacklist options (-p / -P)

and the client requests a disallowed command, it is only logged "sent status Permission denied":

internal-sftp[1234]: sent status Permission denied

For transparency (if multiple commands are not allowed, to be able to distinguish), it would be better that the denied command would be logged, too, e.g.

internal-sftp[1234]: sent status Permission denied (mkdir)

I think it would be sufficient to only log the command without any parameters (like directory names), like above, to be clear that the command in general is forbidden, regardless of it's parameters.

Here is my -p whitelist, which does not contain rmdir/mkdir and works fine, aside of the non-saying log.

Subsystem sftp internal-sftp
ForceCommand internal-sftp -u 0002 -f LOCAL5 -l INFO -p open,close,read,write,lstat,fstat,setstat,fsetstat,opendir,readdir,remove,realpath,stat,rename,readlink,symlink,posix-rename,statvfs,fstatvfs,hardlink,fsync

I could not see in the release notes

https://www.openssh.com/releasenotes.html

that this logging would have changed since the version I am currently using, which is 7.6p1-4ubuntu0.5 on Ubuntu 18 Server.

Best regards
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux