Score:0

SFTP logs to different files

in flag

I'm configuring an SFTP server and having some issues with logs ending up in different places, depending on a group membership. This is on RHEL 8 but the same issue exists on an old RHEL 6 machine. Most users are SFTP only and have no shell access, this is configured by membership in the ftpnoshell group. Some users have a shell and can ssh to the server as well.

Here's the operative part of /etc/ssh/sshd_config:

Subsystem       sftp    internal-sftp -f LOCAL4 -l VERBOSE -d %u

Match Group ftpnoshell
        ChrootDirectory /home
        X11Forwarding no
        AllowTCPForwarding no
        ForceCommand internal-sftp -f LOCAL4 -l VERBOSE -d %u

This is in /etc/rsyslog.conf:

local4.*                                                /var/log/sftp.log

I would expect logs for all users to end up in /var/log/sftp.log, however logs for members of ftpnoshell are instead written in /var/log/secure.

Any ideas?

diya avatar
la flag
For starters: the [man page for sftpd-server](https://www.unix.com/man-page/redhat/8/sftp-server/) states *"Command-line flags to sftp-server should be specified in the `Subsystem` declaration"* and you're duplicating your arguments in the `ForceCommand` directive. But I don't know if that is the cause of your problems. - Also note the footnote in the manpage *"On some systems, sftp-server must be able to access /dev/log for logging to work, and use of sftp-server in a chroot configuration therefore requires ...."* - See also the discussion here: https://access.redhat.com/discussions/672633
anlag avatar
in flag
Thanks! I am actually in the comments to that article, with a response from almost four years ago. At the time, we were chrooting users into their own home directory and creating a socket for each user seemed clunky. We've since switched to chrooting everyone into /home, which means a single socket in /home/dev/log actually does the job. I will verify it's robust and if so write up a proper solution.
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.