sshd and chroot logging

Hello Guys,
I have successfully compiled and got openssh-5.0p1 running on Linux, Red
Hat Enterprise Linux ES release 3 (2.4.21-50.ELsmp).

# Global settings
Port 22
ListenAddress 0.0.0.0
Protocol 2
SyslogFacility DAEMON
LogLevel DEBUG
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
PasswordAuthentication yes

# In-process sftp server (no external sftp-server binary needed)
Subsystem sftp internal-sftp

# Chroot this one user and restrict it to sftp only
Match User test
        ForceCommand internal-sftp
        ChrootDirectory /chrootsftp/test
        X11Forwarding no
        AllowTcpForwarding no

My goal is to have sshd chroot particular users and log their file
transfers. Information about who, when and from what IP is not enough
for my spec.

I was trying to change sshd_config in so many ways (mainly the Subsystem
and Match sections), but apparently you cannot specify any -l or -f
arguments after internal-sftp. Apparently, "Subsystem sftp
internal-sftp" does not need to exist at all when there is just one user
and it is matched by a "Match" directive.

Having
ForceCommand /usr/libexec/openssh/sftp-server -l VERBOSE
doesn't allow for sftp connections at all.

What would be the major difference between "internal-sftp" and
/usr/libexec/openssh/sftp-server? Does "internal-sftp" invoke an sftp
subsystem that is part of the sshd binary, or does it still pass the
transaction back to sftp-server but just allow it to be chrooted?
Documentation of sshd_config directives reads:

"Alternately the name ``internal-sftp'' implements an in-process
'sftp' server.  This may simplify configurations using ChrootDirectory
to force a different file system root on clients."

Does it mean that you can have either a normal sftp subsystem with
logging (sftp-server) or a chrooted sftp without logging
(internal-sftp)?

I was also trying to play with /chrootsftp/test/dev/log and hard-linking
it to /dev/log (adding an additional socket during syslog start), but it
seems natural that it doesn't work, as this is a non-interactive chrooted
environment (just sftp).

I am really stumped at this point and wondering whether that can be
achieved at all. I really count on someone explaining all these
questions to me, as I went through possibly every subject on Google
regarding that problem without finding a definitive answer to it. I
suppose "the source" could sort my doubts out :D

Cheers Sim.
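Editor's note and added example (not part of the post above, and not OpenSSH project code). Two things decide whether a chrooted sftp session can be logged at all. First, the logging itself: sftp-server only records file operations at "-l VERBOSE" (its default level is ERROR, which is why "who, when and from what IP" is all that appears), and an external sftp-server named in ForceCommand must exist inside the chroot, since the command runs after chroot(2); with the 5.0p1 in the post the in-process internal-sftp takes no options, while later OpenSSH releases (5.2 and newer, to the best of my knowledge; check sshd_config(5) for the installed version) accept "internal-sftp -l VERBOSE -f AUTH". Second, the socket: syslog(3) in the chrooted process opens /dev/log relative to the new root, so syslogd has to listen on an additional socket there (sysklogd "syslogd -a /chrootsftp/test/dev/log"; rsyslog "$AddUnixListenSocket /chrootsftp/test/dev/log"); a hard link goes stale whenever syslogd recreates its socket. Once both are in place, the log is a stream of per-pid lines, and the who/when/IP of a transfer has to be joined back from the "session opened" line. The script below does that join over a constructed sample log; the host name, user, client address, paths and pid are hypothetical, and the message formats follow sftp-server's own logit() strings.

```python
"""Turn sftp-server / internal-sftp VERBOSE syslog lines into per-session
file-transfer records (user, client address, time, path, bytes).

Added example, not code from the original post. Assumes sftp logging is
enabled at VERBOSE and that a syslog socket exists inside the chroot.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: one chrooted session (pid 4242) uploading a file,
# downloading another and deleting it, plus an unrelated sshd line that
# must be ignored. With internal-sftp the syslog ident is sshd; a
# stand-alone sftp-server logs under its own name, so both are accepted.
SAMPLE_LOG = """\
Jun  3 10:15:01 host sshd[4242]: session opened for local user test from [192.0.2.10]
Jun  3 10:15:02 host sshd[4242]: opendir "/"
Jun  3 10:15:02 host sshd[4242]: closedir "/"
Jun  3 10:15:05 host sshd[4242]: open "/upload/report.pdf" flags WRITE,CREATE,TRUNCATE mode 0644
Jun  3 10:15:07 host sshd[4242]: close "/upload/report.pdf" bytes read 0 written 52143
Jun  3 10:15:09 host sshd[4250]: Accepted password for alice from 198.51.100.7 port 50211 ssh2
Jun  3 10:15:12 host sshd[4242]: open "/upload/old.csv" flags READ mode 0666
Jun  3 10:15:13 host sshd[4242]: close "/upload/old.csv" bytes read 8192 written 0
Jun  3 10:15:20 host sshd[4242]: remove name "/upload/old.csv"
Jun  3 10:15:30 host sshd[4242]: session closed for local user test from [192.0.2.10]
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<ident>sshd|sftp-server)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r'^session (?P<state>opened|closed) for local user '
                        r'(?P<user>\S+) from \[(?P<addr>[^\]]+)\]$')
OPEN_RE = re.compile(r'^open "(?P<path>.*)" flags (?P<flags>\S+) mode (?P<mode>0?[0-7]+)$')
CLOSE_RE = re.compile(r'^close "(?P<path>.*)" bytes read (?P<read>\d+) written (?P<written>\d+)$')
REMOVE_RE = re.compile(r'^remove name "(?P<path>.*)"$')
RENAME_RE = re.compile(r'^rename old "(?P<old>.*)" new "(?P<new>.*)"$')


@dataclass
class Transfer:
    when: str            # syslog timestamp of the close/remove/rename line
    action: str          # upload, download, read+write, remove, rename
    path: str
    bytes_read: int = 0
    bytes_written: int = 0
    new_path: Optional[str] = None   # rename target only


@dataclass
class Session:
    pid: str
    user: str
    addr: str
    opened: str
    closed: Optional[str] = None
    transfers: List[Transfer] = field(default_factory=list)
    open_handles: Dict[str, str] = field(default_factory=dict)  # path -> open flags


def classify(flags: str, bytes_read: int, bytes_written: int) -> str:
    """Direction from the open flags; fall back to the byte counters when the
    matching open line was lost (e.g. log rotated mid-session)."""
    fl = set(flags.split(",")) if flags else set()
    if {"READ", "WRITE"} <= fl or (bytes_read and bytes_written):
        return "read+write"
    if "WRITE" in fl or bytes_written:
        return "upload"
    return "download"


def parse_sftp_log(text: str) -> List[Session]:
    active: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, pid, msg = m.group("ts"), m.group("pid"), m.group("msg")
        sm = SESSION_RE.match(msg)
        if sm:
            if sm.group("state") == "opened":
                active[pid] = Session(pid, sm.group("user"), sm.group("addr"), ts)
            elif pid in active:
                s = active.pop(pid)
                s.closed = ts
                finished.append(s)
            continue
        om, cm, rm, nm = (OPEN_RE.match(msg), CLOSE_RE.match(msg),
                          REMOVE_RE.match(msg), RENAME_RE.match(msg))
        if not (om or cm or rm or nm):
            continue                      # unrelated sshd line, or opendir/closedir
        s = active.get(pid)
        if s is None:                     # events without a seen "session opened" line
            s = active[pid] = Session(pid, "(unknown)", "(unknown)", ts)
        if om:
            s.open_handles[om.group("path")] = om.group("flags")
        elif cm:
            path = cm.group("path")
            rd, wr = int(cm.group("read")), int(cm.group("written"))
            s.transfers.append(Transfer(ts, classify(s.open_handles.pop(path, ""), rd, wr),
                                        path, rd, wr))
        elif rm:
            s.transfers.append(Transfer(ts, "remove", rm.group("path")))
        else:
            s.transfers.append(Transfer(ts, "rename", nm.group("old"), new_path=nm.group("new")))
    return finished + list(active.values())   # still-open sessions are reported too


def summarize(sessions: List[Session]) -> List[str]:
    """One line per file event with the session's user and client address attached."""
    out = []
    for s in sessions:
        who = f"{s.user} from {s.addr} (pid {s.pid})"
        for t in s.transfers:
            if t.action == "rename":
                out.append(f"{t.when} {who}: rename {t.path} -> {t.new_path}")
            elif t.action == "remove":
                out.append(f"{t.when} {who}: remove {t.path}")
            else:
                out.append(f"{t.when} {who}: {t.action} {t.path} "
                           f"(read {t.bytes_read}, written {t.bytes_written} bytes)")
    return out


if __name__ == "__main__":
    for line in summarize(parse_sftp_log(SAMPLE_LOG)):
        print(line)
```

The join on the sshd pid is what makes the output usable: sftp-server never repeats the user or address on the open/close lines, so without the "session opened" record a bare "close ... written 52143" is unattributable. Feed it the AUTH (or whichever -f facility you chose) log file rather than DAEMON, or the sshd DEBUG chatter from the post's LogLevel will swamp it.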
