3

I have been trying to log SFTP activity by Chrooted user.
I have not been able to log a single line so far for any chrooted user. For regular users it works.

My current settings:

/etc/ssh/sshd_config:

Subsystem sftp internal-sftp -f AUTH -l VERBOSE

ClientAliveInterval 180
PasswordAuthentication no

Match Group sftpclients
ChrootDirectory /home/sftp/%u
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp -f AUTH -l VERBOSE

/etc/rsyslog.conf:

$AddUnixListenSocket        /home/sftp.log.socket
$AddUnixListenSocket        /home/sftp/dev/log.socket
$AddUnixListenSocket        /home/sftp/user1/dev/log.socket
$AddUnixListenSocket        /home/sftp/user2/dev/log.socket

:programname, isequal, "internal-sftp" -/var/log/sftp2.log
:programname, isequal, "internal-sftp" ~

/etc/rsyslog.d/sftp.conf:

input(type="imuxsock" Socket="/home/sftp/log2.socket" CreatePath="on")
if $programname == 'internal-sftp' then /var/log/sftp3.log

Each user has their /dev/ directory bound to /dev (mount --bind /dev /home/sftp/<user>/dev), as well as the sockets defined in rsyslog.conf / sftp.conf.

Question: I have tried basically every suggestion I have found; what might I be missing in my setup to log chrooted users?

Jeppe
  • It works on OpenBSD, so it must be relevant to your Linux settings, i.e. rsyslog and how you create /dev/syslog in chroot. – jirib Oct 16 '17 at 07:36
  • I'm running Debian 8 (Jessie). I've basically done all options for logging from a chroot jail I know of. Socket definitions in `rsyslog.conf / sftp.conf` and directly binding `/dev/` to users' dev folder. – Jeppe Oct 16 '17 at 07:43
  • You can try strace to trace your processes to see what they try to do. – jirib Oct 16 '17 at 18:40

2 Answers

3

Your assumption that /dev/log is a file that can be shared via bind-mounting /dev is incorrect for most modern Linux distributions using systemd. Therefore, mounting your system's /dev into your chroot has little value.

$ file /dev/log
/dev/log: symbolic link to /run/systemd/journal/dev-log

Since /run is not available like that in the chroot (and should not be), sftp-server trying to write to /dev/log will consider that a broken symlink.

Instead, use input(type="imuxsock" Socket="/opt/bindmount/dev/log") to create an additional socket (which you can then bind-mount such that all chroots see it at /dev/log).

You generally should not share full /dev access to a chroot anyway; the whole point of chroot is limiting attack surface.

Bonus: You can write your /etc/rsyslog.d/10-sftp.conf config like this (filter by "host name", which you can arbitrarily choose):

input(type="imuxsock" Socket="/opt/bindmount/dev/log", HostName="sftp")
if $hostname == 'sftp' then /var/log/sftp.log
&stop

This means that if you deploy other chroots, limited to other commands (such as a git-shell), you can still have all messages from chroot in the same spot, even if other programs write to /dev/log.

anx
2

If you do not use rsyslogd and use only journald from systemd, you can do the following (source https://wiki.archlinux.org/index.php/SFTP_chroot#Logging)

(Please replace <OPENSSH_CHROOT_PATH> with the chroot path configured in OpenSSH, i.e. in your case /home/sftp/%u.)

# mkdir /<OPENSSH_CHROOT_PATH>/dev
# chmod 755 /<OPENSSH_CHROOT_PATH>/dev
# touch /<OPENSSH_CHROOT_PATH>/dev/log

And bind-mount the journald socket with:

# mount --bind /run/systemd/journal/dev-log /<OPENSSH_CHROOT_PATH>/dev/log

And if you need it permanently, do not forget to add this bind-mount to your /etc/fstab with:

/etc/fstab:

(…)
/run/systemd/journal/dev-log /<OPENSSH_CHROOT_PATH>/dev/log none bind   0   0
(…)

You can now see internal-sftp logging with journalctl:

# journalctl -f
beneth
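An added example, not from either answer above, that reproduces the diagnosis in both of them: how /dev/log resolves for a process chrooted into /home/sftp/<user> (a copied host symlink dangles, a socket placed at dev/log works, whether it comes from rsyslog's imuxsock or the journald dev-log bind mount), and what the AUTH-facility datagram from internal-sftp looks like when it reaches that socket. It uses temporary directories and a plain listening datagram socket instead of a real bind mount, and the log line is constructed.

```python
import os
import socket
import stat
import tempfile

# Constructed log line: PRI 38 = AUTH (4) * 8 + INFO (6), the "-f AUTH" facility from sshd_config above.
SAMPLE_MSG = "<38>internal-sftp[4242]: session opened for local user user1 from [192.0.2.10]"


def classify_devlog(chroot):
    """Report what a process chrooted to `chroot` finds at /dev/log."""
    path = os.path.join(chroot, "dev", "log")
    if not os.path.lexists(path):
        return "missing"
    if os.path.islink(path):
        target = os.readlink(path)
        # Inside the jail an absolute link target is resolved under the chroot
        # root, so the host's /dev/log -> /run/systemd/journal/dev-log dangles.
        if os.path.isabs(target):
            path = os.path.join(chroot, target.lstrip("/"))
        else:
            path = os.path.join(os.path.dirname(path), target)
        if not os.path.exists(path):
            return "dangling symlink -> " + target
    return "socket" if stat.S_ISSOCK(os.stat(path).st_mode) else "not a socket"


def parse_syslog(line):
    """Split '<PRI>tag[pid]: text' into the fields rsyslog filters on."""
    pri, rest = line[1:].split(">", 1)
    tag, text = rest.split(": ", 1)
    return {"facility": int(pri) // 8, "severity": int(pri) % 8,
            "programname": tag.split("[", 1)[0], "msg": text}


def demo():
    """Two fake chroots: user1 has the host's /dev/log symlink copied in (broken),
    user2 has a datagram socket at dev/log (what imuxsock or the journald bind mount provides)."""
    base = tempfile.mkdtemp()
    broken, fixed = os.path.join(base, "user1"), os.path.join(base, "user2")
    os.makedirs(os.path.join(broken, "dev"))
    os.symlink("/run/systemd/journal/dev-log", os.path.join(broken, "dev", "log"))
    os.makedirs(os.path.join(fixed, "dev"))
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    listener.bind(os.path.join(fixed, "dev", "log"))  # stands in for the bind-mounted socket
    listener.settimeout(2)
    sender = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sender.sendto(SAMPLE_MSG.encode(), os.path.join(fixed, "dev", "log"))  # as sftp-server would
    received = parse_syslog(listener.recv(4096).decode())
    sender.close()
    listener.close()
    return {"user1": classify_devlog(broken), "user2": classify_devlog(fixed), "received": received}
```

Running `demo()` shows the dangling link for user1 and the parsed message for user2, with `programname` set to `internal-sftp`, the value the `$programname` filters in the question match on.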