ubuntu sshd[3510]: subsystem request for sftp by user boris
ubuntu sshd[3510]: pam_unix(sshd:session): session closed for user boris
So, as you can see, there is no log of what a user connected over sftp is doing. At some point someone will come to you with this as a security issue: where are these files, who deleted them? So how do you get such a log? It is quite simple if you understand how logs are created and what chroot does, and of course if you are reading this!
Check ssh version first!
First and most important thing to know: on older versions of OpenSSH there is a very good chance that this will not work, because sftp-server on those versions does not have these options. I tested this on:
root@ubuntu:/var/log# cat /etc/issue
Ubuntu 12.04.4 LTS \n \l
root@ubuntu:/var/log# uname -a
Linux ubuntu 3.5.0-23-generic #35~precise1-Ubuntu SMP Fri Jan 25 17:15:33 UTC 2013 i686 i686 i386 GNU/Linux
root@ubuntu:/var/log# dpkg -l openssh*
ii openssh-client 1:5.9p1-5ubunt secure shell (SSH) client, for secure access
ii openssh-server 1:5.9p1-5ubunt secure shell (SSH) server, for secure access
But on CentOS 5.8 this does not work:
# cat /etc/issue
CentOS release 5.8 (Final)
# rpm -qa |grep ssh
openssh-4.3p2-82.el5
openssh-server-4.3p2-82.el5
A few things to know about logs and chroot
As you know, sftp users (in my case user boris) are all chrooted to the directory configured in /etc/ssh/sshd_config with the ChrootDirectory directive. In case you do not know what this means: once the user is connected he cannot leave this location. He can't do anything outside this folder; read/write operations are limited to his sftp folder. If you are wondering why I wrote three sentences about the user not being able to leave the chroot folder, wait just a bit more. Rsyslog or syslog captures events through the socket /dev/log. This is important because sftp is one of the features of ssh, and ssh uses rsyslog to store its logs in /var/log. The permissions on /dev/log are:
# ls -la /dev/log
srw-rw-rw- 1 root root 0 Oct 31 12:54 /dev/log
So anybody that can reach /dev/log can write logs through rsyslog. But can the sftp user reach /dev/log? NO! Why? Because he is captured inside his chrooted directory!!! So the idea is to keep the user chrooted but still let him write to /dev/log.
Configuration in sshd_config
To enable logs for sftp-server we must first enable them in sshd_config. Change the line
ForceCommand internal-sftp
to
ForceCommand internal-sftp -l INFO -f AUTH
Option -l (small letter L) is the log level and option -f is the syslog facility the messages are sent to (AUTH here). Do not give -f a file path; which file the messages end up in is configured in rsyslog.conf.
After you make the necessary changes, restart the ssh service.
#/etc/init.d/sshd restart
Accessing /dev/log from chrooted folder
How to do this? My sftp folder is defined in sshd_config by the ChrootDirectory /opt/sftp_test/%u directive and my sftp user is boris. Follow these steps!
#cd /opt/sftp_test/boris
#mkdir dev
#touch dev/log
#chmod 511 dev
#chattr +i dev
# mount --bind /dev/log dev/log
And this is it!!!
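The whole procedure above, wrapped into a re-runnable script, as an added example that is not part of the original post. It uses the post's paths (/etc/ssh/sshd_config, /opt/sftp_test/<user>) and the post's exact command sequence; the function names, the SFTPLOG_DRY_RUN variable and the mount-table and immutable-flag checks are my additions. It checks the ForceCommand line first, because without the -l/-f options the bind mount alone logs nothing, and it accepts several chroot directories at once, which covers the case of more than one sftp user.

```shell
#!/bin/sh
# Added example, not from the original post. Re-runnable version of the
# post's steps: check the ForceCommand options, then prepare <chroot>/dev/log.
# Assumed knob: SFTPLOG_DRY_RUN=1 prints the privileged commands instead of
# running them, so the script can be inspected (and tested) as a normal user.
set -u

# Run a command, or only print it in dry-run mode.
run() {
    if [ "${SFTPLOG_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Succeeds when sshd_config has an uncommented "ForceCommand internal-sftp"
# line that carries both a log level (-l) and a syslog facility (-f).
check_sftp_logging_config() {
    grep -Ei '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' "$1" |
        grep -E '[[:space:]]-l[[:space:]]+[A-Za-z0-9]+' |
        grep -Eq '[[:space:]]-f[[:space:]]+[A-Za-z0-9]+'
}

# Succeeds once <chroot>/dev/log is a socket, i.e. the bind mount is in place.
chroot_devlog_ready() {
    [ -S "$1/dev/log" ]
}

# The post's mkdir/touch/chmod/chattr/mount sequence for one chroot directory,
# skipping the steps that were already done on a previous run.
setup_chroot_devlog() {
    dir=$1
    [ -d "$dir" ] || { echo "chroot directory $dir does not exist" >&2; return 1; }
    # Linux: look the target path up in the mount table before mounting again.
    if [ -r /proc/self/mounts ] &&
       awk -v p="$dir/dev/log" '$2 == p { found = 1 } END { exit !found }' /proc/self/mounts; then
        echo "$dir/dev/log is already bind-mounted"
        return 0
    fi
    [ -d "$dir/dev" ]     || run mkdir "$dir/dev"
    [ -e "$dir/dev/log" ] || run touch "$dir/dev/log"
    # chmod fails on an immutable directory, so set the mode and +i only once.
    if lsattr -d "$dir/dev" 2>/dev/null | awk '{ print $1 }' | grep -q i; then
        echo "$dir/dev is already immutable, leaving mode and flags alone"
    else
        run chmod 511 "$dir/dev"
        run chattr +i "$dir/dev"
    fi
    run mount --bind /dev/log "$dir/dev/log"
}

# Usage (as root, after editing sshd_config and restarting sshd as in the post):
#   sh sftp-chroot-log.sh /opt/sftp_test/boris /opt/sftp_test/alice
if [ "$#" -ge 1 ]; then
    if ! check_sftp_logging_config /etc/ssh/sshd_config; then
        echo 'ForceCommand internal-sftp has no -l/-f options; nothing would be logged' >&2
        exit 1
    fi
    for user_dir in "$@"; do
        setup_chroot_devlog "$user_dir"
    done
fi
```

Run it once per reboot, or from the fstab-based setup mentioned at the end of the post; a second run on the same directory stops at the mount-table check instead of repeating the steps.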
How to test if this is working?
Go to your AUTH log. Depending on the Linux distro this is /var/log/secure or /var/log/auth.log.
In this test server I am using Ubuntu 12.04.
#tail -f /var/log/auth.log
Oct 31 15:28:30 ubuntu internal-sftp[2460]: session opened for local user boris from [x.x.x.x]
Oct 31 15:28:31 ubuntu internal-sftp[2460]: opendir "/"
Oct 31 15:28:31 ubuntu internal-sftp[2460]: closedir "/"
Oct 31 15:28:47 ubuntu internal-sftp[2460]: opendir "/boris"
Oct 31 15:28:47 ubuntu internal-sftp[2460]: closedir "/boris"
Oct 31 15:28:53 ubuntu internal-sftp[2460]: mkdir name "/boris/12/123" mode 0777
Oct 31 15:28:58 ubuntu internal-sftp[2460]: opendir "/boris/12/123"
Oct 31 15:28:58 ubuntu internal-sftp[2460]: closedir "/boris/12/123"
Oct 31 15:29:05 ubuntu internal-sftp[2460]: open "/boris/12/123/analy.jpg" flags WRITE,CREATE,TRUNCATE mode 0700
Oct 31 15:29:05 ubuntu internal-sftp[2460]: close "/boris/12/123/analy.jpg" bytes read 0 written 28925
Oct 31 15:29:19 ubuntu internal-sftp[2460]: session closed for local user boris from [x.x.x.x]
Oct 31 15:29:19 ubuntu sshd[2459]: Received disconnect from x.x.x.x: 11: disconnected by user
Oct 31 15:29:19 ubuntu sshd[2287]: pam_unix(sshd:session): session closed for user boris
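To get from this log to an answer for the "who deleted which file" question from the start of the post, here is an added example (not part of the original post) that reduces internal-sftp lines to one tab-separated record per file operation and maps the sftp-server PID back to the user named in its "session opened" line, since the later lines never repeat the user name. The sample input is constructed from the post's own excerpt plus a second, made-up session for a user alice; the "remove name" and "rename old ... new" message formats are the ones in OpenSSH's sftp-server.c and do not appear in the post's excerpt.

```shell
#!/bin/sh
# Added example, not from the original post: summarise internal-sftp log lines
# as "user<TAB>action<TAB>path<TAB>detail" records.
set -u

# Constructed sample: the post's own auth.log excerpt plus a made-up session
# for user alice. The "remove name" line uses the message format from
# OpenSSH's sftp-server.c; it is not in the post's excerpt.
sample_log() {
    cat <<'EOF'
Oct 31 15:28:30 ubuntu internal-sftp[2460]: session opened for local user boris from [x.x.x.x]
Oct 31 15:28:31 ubuntu internal-sftp[2460]: opendir "/"
Oct 31 15:28:31 ubuntu internal-sftp[2460]: closedir "/"
Oct 31 15:28:53 ubuntu internal-sftp[2460]: mkdir name "/boris/12/123" mode 0777
Oct 31 15:29:05 ubuntu internal-sftp[2460]: open "/boris/12/123/analy.jpg" flags WRITE,CREATE,TRUNCATE mode 0700
Oct 31 15:29:05 ubuntu internal-sftp[2460]: close "/boris/12/123/analy.jpg" bytes read 0 written 28925
Oct 31 15:29:19 ubuntu internal-sftp[2460]: session closed for local user boris from [x.x.x.x]
Oct 31 15:29:19 ubuntu sshd[2459]: Received disconnect from x.x.x.x: 11: disconnected by user
Oct 31 15:40:02 ubuntu internal-sftp[3105]: session opened for local user alice from [y.y.y.y]
Oct 31 15:40:09 ubuntu internal-sftp[3105]: remove name "/alice/report.csv"
Oct 31 15:40:15 ubuntu internal-sftp[3105]: session closed for local user alice from [y.y.y.y]
EOF
}

# Read auth.log lines on stdin; print one record per file operation.
# The PID in the "internal-sftp[NNNN]:" tag identifies the session, and the
# "session opened" line of that PID is the only place the user name appears.
sftp_file_activity() {
    awk '
    match($0, /internal-sftp\[[0-9]+\]: /) {
        pid = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", pid)
        msg = substr($0, RSTART + RLENGTH)
        if (msg ~ /^session opened for local user /) {
            split(msg, w, " "); user[pid] = w[6]; next
        }
        if (msg ~ /^session closed/) { delete user[pid]; next }
        who = (pid in user) ? user[pid] : ("pid-" pid)
        # The first quoted string in the message is the path being acted on.
        if (!match(msg, /"[^"]*"/)) next
        path = substr(msg, RSTART + 1, RLENGTH - 2)
        rest = substr(msg, RSTART + RLENGTH); sub(/^ +/, "", rest)
        if (rest == "") rest = "-"
        if (msg ~ /^open /) {
            act = (msg ~ /flags [A-Z,]*WRITE/) ? "write-open" : "read-open"
            print who "\t" act "\t" path "\t" rest
        } else if (msg ~ /^close /) {
            print who "\tclose\t" path "\t" rest
        } else if (msg ~ /^(mkdir|remove|rmdir) name /) {
            split(msg, w, " "); print who "\t" w[1] "\t" path "\t" rest
        } else if (msg ~ /^(posix-)?rename old /) {
            if (match(rest, /"[^"]*"/))
                print who "\trename\t" path "\tto " substr(rest, RSTART + 1, RLENGTH - 2)
        }
    }'
}

# Usage: sh sftp-activity.sh --demo, or on a live server
#   tail -f /var/log/auth.log | sh -c '. ./sftp-activity.sh; sftp_file_activity'
if [ "${1:-}" = "--demo" ]; then
    sample_log | sftp_file_activity
fi
```

On the sample above the demo prints four records: boris creating /boris/12/123, opening and closing /boris/12/123/analy.jpg for writing (28925 bytes written), and alice removing /alice/report.csv; the opendir/closedir and sshd lines are dropped.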
As you can see, this is a much better log!
If you have more than one user using sftp, you have to do this for every one of them!
In case you want this to work after a reboot, read this post: fstab mount bind!