# openssh and sftp logging



## phospher (May 27, 2009)

Hi,

I'm using openssh 5.1 on FreeBSD 7.2. I'm using the chroot feature in openssh and allowing my users to connect using sftp clients. I want to know if there is any way to log sftp logins to wtmp. I would like to be able to use the command `last` so that I can see login dates etc.

Also, is there any way to log the file transactions, similar to what you would have in vsftpd in the vsftpd.log?

Thanks in advance.


----------



## DutchDaemon (May 27, 2009)

sftp-server(8)?


----------



## DutchDaemon (May 27, 2009)

man-server appears to be down (from here anyway):


```
SFTP-SERVER(8)          FreeBSD System Manager's Manual         SFTP-SERVER(8)

NAME
     sftp-server -- SFTP server subsystem

SYNOPSIS
     sftp-server [-f log_facility] [-l log_level]

DESCRIPTION
     sftp-server is a program that speaks the server side of SFTP protocol to
     stdout and expects client requests from stdin.  sftp-server is not
     intended to be called directly, but from sshd(8) using the Subsystem
     option.

     Command-line flags to sftp-server should be specified in the Subsystem
     declaration.  See sshd_config(5) for more information.

     Valid options are:

     -f log_facility
             Specifies the facility code that is used when logging messages
             from sftp-server.  The possible values are: DAEMON, USER, AUTH,
             LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
             The default is AUTH.

     -l log_level
             Specifies which messages will be logged by sftp-server.  The pos-
             sible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
             DEBUG1, DEBUG2, and DEBUG3.  INFO and VERBOSE log transactions
             that sftp-server performs on behalf of the client.  DEBUG and
             DEBUG1 are equivalent.  DEBUG2 and DEBUG3 each specify higher
             levels of debugging output.  The default is ERROR.

     For logging to work, sftp-server must be able to access /dev/log.  Use of
     sftp-server in a chroot configuation therefore requires that syslogd(8)
     establish a logging socket inside the chroot directory.

SEE ALSO
     sftp(1), ssh(1), sshd_config(5), sshd(8)

     T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
     filexfer-00.txt, January 2001, work in progress material.

HISTORY
     sftp-server first appeared in OpenBSD 2.8.

AUTHORS
     Markus Friedl <markus@openbsd.org>

FreeBSD 7.2                      July 18 2008                      FreeBSD 7.2
```


----------



## phospher (May 27, 2009)

I'm using "internal-sftp"


----------



## vivek (May 27, 2009)

> Also, is there any way to log the file transactions, similar to what you would have in vsftpd in the vsftpd.log?


Noop. 


If you need a vsftpd kind of log file with FTP security, turn on SSL/TLS support in VSFTPD. VSFTPD also chroots users to their directory. It also supports virtual users (which are not supported by sftp-server and openssh).


----------



## phospher (May 27, 2009)

Yeah, I used to use vsftpd but I switched to sftp with openssh because it only runs over one port and is more easily managed when your ISP blocks ports.


----------



## vivek (May 27, 2009)

Yes, classic ISP stuff.. you can't have your cake and eat it too!


----------



## phospher (May 27, 2009)

You got it. So I'm messing with the log facility and log level, but I don't see how I can get the user logins to appear in wtmp using the last command. Any suggestions?


----------



## DutchDaemon (May 27, 2009)

Switch to sftp-server .... It has the stuff you want built-in, and it's just as much part of openssh. Ok, so maybe not that particular wtmp stuff, but you can pipe the syslog output to a script and harvest whatever data you need.


----------



## phospher (May 27, 2009)

The important thing here is that I need to chroot my users who connect via sftp. According to the openssh article found here: http://undeadly.org/cgi?action=article&sid=20080220110039

I must use "Subsystem  sftp internal-sftp" within my sshd_config file for the chroot to work. Perhaps I'm missing something, or there is a better way to do this?

This is all working perfectly, but as I've stated my only concern is the logging or lack thereof.


----------



## DutchDaemon (May 27, 2009)

As the man page says, chrooting is totally feasible:


```
Use of
     sftp-server in a chroot configuation therefore requires that syslogd(8)
     establish a logging socket inside the chroot directory.
```

I think that's covered by a simple `syslogd -s -l /some/chroot/dev/log`
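The two conditions the thread keeps circling back to are that sshd only accepts a ChrootDirectory whose path components are root-owned and not group/world-writable, and that sftp-server or internal-sftp can only reach syslog through a socket that syslogd created inside the chroot. The following checker is an added example (not code from the thread or from OpenSSH) that verifies both on a given directory; the finding codes, the message wording and the `make_demo_chroot` helper, which builds a throwaway directory with a real datagram socket standing in for what `syslogd -l <chroot>/dev/log` creates, are my own.

```python
"""Sanity-check a ChrootDirectory for sftp-server/internal-sftp logging.

Added example, not part of the forum thread or of OpenSSH. The finding codes
and messages are this example's own convention.
"""
import os
import socket
import stat
import tempfile


def _path_components(path):
    """Yield /, /a, /a/b, ... for an absolute path (sshd checks every component)."""
    path = os.path.abspath(path)
    parts = []
    while True:
        parts.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return reversed(parts)


def check_chroot(chroot):
    """Return a list of (code, message) findings; an empty list means all checks passed."""
    findings = []
    try:
        st = os.stat(chroot)
    except FileNotFoundError:
        return [("MISSING", f"{chroot} does not exist")]
    if not stat.S_ISDIR(st.st_mode):
        return [("NOT_DIR", f"{chroot} is not a directory")]

    # sshd refuses the chroot unless every path component is a root-owned
    # directory that is neither group- nor world-writable.
    for path in _path_components(chroot):
        pst = os.stat(path)
        if pst.st_uid != 0:
            findings.append(("NOT_ROOT_OWNED", f"{path} is owned by uid {pst.st_uid}, not root"))
        if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("WRITABLE", f"{path} is group- or world-writable"))

    # Inside the chroot, /dev/log must be the socket syslogd bound with -l;
    # a plain file left by 'touch' is not enough for logging to work.
    sock = os.path.join(chroot, "dev", "log")
    try:
        sst = os.stat(sock)
    except FileNotFoundError:
        findings.append(("NO_SOCKET", f"{sock} does not exist (is syslogd started with -l {sock}?)"))
        return findings
    if not stat.S_ISSOCK(sst.st_mode):
        findings.append(("NOT_SOCKET", f"{sock} exists but is not a socket"))
    elif not sst.st_mode & stat.S_IWOTH:
        # internal-sftp runs with the user's uid after the chroot, so the user
        # must be able to write to the socket; it cannot be hidden from them.
        findings.append(("SOCKET_NOT_WRITABLE", f"{sock} is not world-writable; the chrooted user cannot log to it"))
    return findings


def make_demo_chroot(plain_file=False):
    """Constructed stand-in for a chroot skeleton, for trying the checker offline.

    With plain_file=False a real AF_UNIX datagram socket is bound at dev/log
    (what syslogd -l produces); with plain_file=True an empty file is created
    instead, reproducing the 'touch /ChrootDirectory/dev/log' mistake.
    """
    base = tempfile.mkdtemp(prefix="sftpchroot")
    os.mkdir(os.path.join(base, "dev"))
    sock_path = os.path.join(base, "dev", "log")
    if plain_file:
        open(sock_path, "w").close()
    else:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        s.bind(sock_path)  # the socket node stays on disk after close()
        s.close()
        os.chmod(sock_path, 0o666)
    return base


if __name__ == "__main__":
    for code, msg in check_chroot(make_demo_chroot()) or [("OK", "all checks passed")]:
        print(code, msg)
```

Run against a real `/ChrootDirectory` as root; the demo directory under `/tmp` will of course report `NOT_ROOT_OWNED` and `WRITABLE` for its own path components, which is exactly what sshd would complain about too. Note that the socket must stay writable by the chrooted user, since internal-sftp runs under that uid; a `dev/` directory with mode 0711 keeps the user from listing it but does not, and cannot, stop them from writing to the socket, so messages arriving on it should be trusted only as far as the `internal-sftp[pid]` tag allows.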


----------



## MarS (Feb 3, 2010)

I'd also like to have SFTP including logging. When I use

```
Subsystem      sftp    internal-sftp
```
everything works fine (except logging).

I added the following to rc.conf:

```
syslogd_flags="-s -l /home/chrootdir/dev/log"
```

Now when I replace the sftp subsystem in /etc/ssh/sshd_config with

```
Subsystem       sftp    /usr/libexec/sftp-server -l DEBUG3
```
I can't use SFTP anymore because the SFTP client can't login.

/var/log/auth.log:

```
subsystem request for sftp
error: subsystem: cannot stat /usr/libexec/sftp-server: No such file or directory
subsystem request for sftp failed, subsystem not found
```

All I added to /etc/ssh/sshd_config is:

```
Match User user 
        ChrootDirectory /home/chrootdir
```

But /usr/libexec/sftp-server is there:

```
-r-xr-xr-x  1 root  wheel  33672 Dec  4 15:47 /usr/libexec/sftp-server
```

I am sure there is something I am missing... Is there somebody with a working chrooted SFTP setup using sftp-server?


----------



## SirDice (Feb 3, 2010)

MarS said:

> But /usr/libexec/sftp-server is there:
> -r-xr-xr-x  1 root  wheel  33672 Dec  4 15:47 /usr/libexec/sftp-server


Yes, but it doesn't exist in the chroot'ed environment.


----------



## MarS (Feb 3, 2010)

SirDice said:

> Yes, but it doesn't exist in the chroot'ed environment.



Tried that and copied /usr/libexec/sftp-server to /home/chrootdir/usr/libexec/sftp-server (also dependencies as listed by ldd). When I now try to login with my SFTP client, in /var/log/auth.log I get:

```
Accepted keyboard-interactive/pam for user from 192.168.1.106 port 51622 ssh2
subsystem request for sftp
```

That's it. I'm already at DEBUG3 level, so I can't make sftp-server more verbose.


----------



## MarS (Feb 12, 2010)

Answering myself here ...

Just quickly tried the newest version of ftp/proftpd-devel including SFTP support and it works beautifully including logging.


----------



## mix_room (Oct 6, 2011)

Just for completeness sake, as I solved this same problem today: 

In /etc/ssh/sshd_config

```
Subsystem       sftp    internal-sftp -f AUTH -l VERBOSE

Match group SFTP-USER 
        ChrootDirectory /ChrootDir/
        ForceCommand    internal-sftp -f AUTH -l VERBOSE
```

and then restarted rc.d/sshd.

In syslog.conf I have

```
auth.info;authpriv.info                         /var/log/auth.log
```

I have all transfers logged to /var/log/auth.log now.

What might have been your problem is the path to the Chroot directory. For some reason sshd seems to believe that the chrooting should be at the user's home directory. That is if you have /ChrootDir/ as the ChrootDirectory, sshd will try to Chroot into $USERHOME/ChrootDir/ which might not be around.


----------



## olav (Oct 6, 2011)

Another alternative is using the MySecureShell which comes with sftp logging.


----------



## Sigfrido (Nov 8, 2011)

mix_room said:

> Just for completeness sake, as I solved this same problem today:
>
> In /etc/ssh/sshd_config
>
> ...



Same configuration but it doesn't work; what is the homedir of the user you used to connect to sftp-server?

My conf:


```
sftp:*:1003:1001::0:0:SFTP Users:/xxx/yyy:/sbin/nologin
```

in /etc/sshd_config:


```
Subsystem       sftp    internal-sftp -f AUTH -l VERBOSE

Match group sftp
        ChrootDirectory /xxx/yyy
        ForceCommand    internal-sftp -f AUTH -l VERBOSE
```

where ChrootDirectory is the same home directory of the sftp user.

Permissions:


```
drwxr-xr-x  22 root      wheel     512 Nov  7 14:06 yyy
```

sftp can log in directly in /xxx/yyy/, but syslogd doesn't log his activity.


----------



## mix_room (Nov 8, 2011)

Sigfrido said:

> Same configuration but it doesn't work; what is the homedir of the user you used to connect to sftp-server?



They have different ones. I have one which has / as the home-directory, one which has /home/$USER and one which has $CHROOTPLACEHOLDER/$USER. They all show up in the logging. 

Did you remember to restart syslogd?


----------



## Sigfrido (Nov 8, 2011)

Yep, without results: as usual syslog logs in /var/log/auth.log only logins but not activity via sftp.

Any clue?

Did you edit /etc/rc.conf with:

```
syslogd_flags="-s -l /ChrootDirectory/dev/log"
```

I didn't understand if you followed what syslogd(8) says:


```
For logging to work, sftp-server must be able to access /dev/log.  Use of
     sftp-server in a chroot configuration therefore requires that syslogd(8)
     establish a logging socket inside the chroot directory.
```


----------



## Sigfrido (Nov 9, 2011)

Update.

I've created the directory and a log file:


```
# mkdir /ChrootDirectory/dev/
# chmod 755 /ChrootDirectory/dev/
# touch /ChrootDirectory/dev/log
```

Maybe it works linking /dev/log, like:

```
ln /dev/log /ChrootDirectory/dev/log
```

but I didn't try it.

Next, I've updated /etc/rc.conf with:


```
syslogd_flags="-s -l /ChrootDirectory/dev/log"
```

Restarted services, and it worked; now I can see the activity entries in /var/log/auth.log, like:


```
myserver internal-sftp[1249]: open "/mydomain/file1.html" flags READ mode 0666
myserver internal-sftp[1249]: close "/mydomain/file1.html" bytes read 3443 written 0
```

Is there a way to hide or make inaccessible /ChrootDirectory/dev/log to the Chrooted user w/o compromising logging activity?

@DutchDaemon: thanks for fixing post format
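DutchDaemon's suggestion earlier in the thread was to harvest the syslog output with a script, and the two lines above show what internal-sftp writes at `-l VERBOSE`. The parser below is an added example (not code from the thread or from OpenSSH) that turns those `open`/`close` pairs into one vsftpd-style transfer record each. The sample log is constructed: its first two lines are the ones above with the timestamp and host prefix that syslogd normally writes restored, the remaining lines are made up in the same format, and the record fields and the `NOOP`/`UPLOAD`/`DOWNLOAD` labels are this example's own.

```python
"""Harvest sftp-server/internal-sftp transfer records from /var/log/auth.log.

Added example, not part of the forum thread or of OpenSSH.
"""
import re

# syslog prefix (timestamp and host) is optional so that trimmed lines, as
# posted in the thread, still parse.
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+)?"
    r"(?P<host>\S+)\s+(?:internal-sftp|sftp-server)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
OPEN_RE = re.compile(r'^open "(?P<path>[^"]*)" flags (?P<flags>\S+) mode (?P<mode>\d+)$')
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]*)" bytes read (?P<read>\d+) written (?P<written>\d+)$')

# Constructed sample input (see lead-in); the sshd line is there to show that
# unrelated auth.log traffic is skipped.
SAMPLE_LOG = """\
Nov  9 10:15:02 myserver internal-sftp[1249]: open "/mydomain/file1.html" flags READ mode 0666
Nov  9 10:15:02 myserver internal-sftp[1249]: close "/mydomain/file1.html" bytes read 3443 written 0
Nov  9 10:16:40 myserver internal-sftp[1249]: open "/mydomain/upload.bin" flags WRITE,CREATE,TRUNCATE mode 0644
Nov  9 10:16:41 myserver internal-sftp[1249]: close "/mydomain/upload.bin" bytes read 0 written 1048576
Nov  9 10:16:50 myserver internal-sftp[1249]: open "/mydomain/empty.txt" flags READ mode 0666
Nov  9 10:16:50 myserver internal-sftp[1249]: close "/mydomain/empty.txt" bytes read 0 written 0
Nov  9 10:17:00 myserver sshd[1240]: constructed unrelated line, must be ignored
"""


def parse_sftp_log(lines):
    """Return one transfer record per close, joined with the flags of the matching open."""
    open_flags = {}  # (pid, path) -> flags string seen at open time
    records = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # sshd, cron, etc.
        pid, msg = int(m.group("pid")), m.group("msg")
        o = OPEN_RE.match(msg)
        if o:
            open_flags[(pid, o.group("path"))] = o.group("flags")
            continue
        c = CLOSE_RE.match(msg)
        if c:
            read, written = int(c.group("read")), int(c.group("written"))
            if written > 0:
                direction, nbytes = "UPLOAD", written
            elif read > 0:
                direction, nbytes = "DOWNLOAD", read
            else:
                direction, nbytes = "NOOP", 0  # opened but nothing moved
            records.append({
                "time": m.group("ts"),
                "host": m.group("host"),
                "pid": pid,
                "path": c.group("path"),  # relative to the chroot, not the real filesystem
                "flags": open_flags.pop((pid, c.group("path")), None),
                "direction": direction,
                "bytes": nbytes,
            })
    return records


def format_record(r):
    """Render a record as a single vsftpd-style transfer line."""
    return (f'{r["time"] or "-"} {r["host"]} [pid {r["pid"]}] {r["direction"]} '
            f'"{r["path"]}" {r["bytes"]} bytes flags={r["flags"] or "?"}')


if __name__ == "__main__":
    for rec in parse_sftp_log(SAMPLE_LOG.splitlines()):
        print(format_record(rec))
```

Feed it `/var/log/auth.log` (or the syslog stream) instead of `SAMPLE_LOG` to get the transfer log the original question asked for. Two caveats: the paths are what the process sees after the chroot, so `/mydomain/file1.html` means `/ChrootDirectory/mydomain/file1.html` on disk, and the pid tags the internal-sftp process rather than the sshd session, so mapping records to a username still has to come from the surrounding sshd lines.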


----------

