
I'm configuring an SFTP server and having some issues with logs ending up in different places, depending on a group membership. This is on RHEL 8 but the same issue exists on an old RHEL 6 machine. Most users are SFTP only and have no shell access; this is configured by membership in the ftpnoshell group. Some users have a shell and can ssh to the server as well.

Here's the operative part of /etc/ssh/sshd_config:

```
Subsystem       sftp    internal-sftp -f LOCAL4 -l VERBOSE -d %u

Match Group ftpnoshell
        ChrootDirectory /home
        X11Forwarding no
        AllowTCPForwarding no
        ForceCommand internal-sftp -f LOCAL4 -l VERBOSE -d %u
```

This is in /etc/rsyslog.conf:

```
local4.*                                                /var/log/sftp.log
```

I would expect logs for all users to end up in /var/log/sftp.log, however logs for members of ftpnoshell are instead written in /var/log/secure.

Any ideas?

anlag
  • For starters: the [man page for sftp-server](https://www.unix.com/man-page/redhat/8/sftp-server/) states *"Command-line flags to sftp-server should be specified in the `Subsystem` declaration"* and you're duplicating your arguments in the `ForceCommand` directive. But I don't know if that is the cause of your problems. - Also note the footnote in the manpage *"On some systems, sftp-server must be able to access /dev/log for logging to work, and use of sftp-server in a chroot configuration therefore requires ...."* - See also the discussion here: https://access.redhat.com/discussions/672633 – diya Dec 09 '22 at 11:32
  • Thanks! I am actually in the comments to that article, with a response from almost four years ago. At the time, we were chrooting users into their own home directory and creating a socket for each user seemed clunky. We've since switched to chrooting everyone into /home, which means a single socket in /home/dev/log actually does the job. I will verify it's robust and if so write up a proper solution. – anlag Dec 09 '22 at 15:22

0 Answers
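
Added example, not part of the original question or comments: a shell check for the condition the man-page footnote quoted in the first comment describes. It lists each `ChrootDirectory` in an sshd_config and reports whether a syslog socket exists at `<chroot>/dev/log`. The function names are hypothetical, and it assumes one unquoted path per `ChrootDirectory` line.

```shell
#!/bin/sh
# Added example (not from the original thread): audit chroot logging sockets.

# chroot_dirs FILE: print each distinct ChrootDirectory value.
# sshd_config keywords are case-insensitive; commented-out lines are ignored
# because their first field is not the bare keyword.
chroot_dirs() {
    awk 'tolower($1) == "chrootdirectory" { print $2 }' "$1" | sort -u
}

# check_chroot_log DIR: report whether DIR/dev/log exists and is a socket.
check_chroot_log() {
    case "$1" in
        none)
            echo "SKIP $1 (chroot disabled)"
            return 0 ;;
        *%*)
            # Tokens such as %h or %u expand per user, so there is no single path.
            echo "SKIP $1 (per-user token, check each expanded path)"
            return 0 ;;
    esac
    if [ -S "$1/dev/log" ]; then
        echo "OK $1/dev/log"
    else
        echo "MISSING $1/dev/log"
        return 1
    fi
}

# audit_sshd_chroot_logging FILE: non-zero exit if any chroot lacks the socket.
audit_sshd_chroot_logging() {
    rc=0
    for d in $(chroot_dirs "$1"); do
        check_chroot_log "$d" || rc=1
    done
    return $rc
}

# Run against a config file when one is given as the first argument,
# e.g. ./audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_chroot_logging "$1"
fi
```

A `MISSING` line means processes chrooted into that directory have no `/dev/log` to open. With the configuration in the question, the path checked is `/home/dev/log`, the socket location mentioned in the last comment.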