OpenSSH logging with Chroot Directory and SFTP Clients on CentOS

The following is adapted from http://www.debian-administration.org/articles/637 for CentOS; I have tested it on a CentOS VM (Xen x86_64, CentOS release 6.2 (Final)).

Make syslog available in the chroot

Create a dev directory in each user’s chrooted directory:

Configure rsyslog to listen on the new logging socket

Put the following contents in /etc/rsyslog.conf:

Configure openssh for logging

Change /etc/ssh/sshd_config. The Subsystem sftp line will now read as follows (PS: I use INFO instead of VERBOSE, as I tested both and they look the same in the log file):

Create a Match section (assuming username1/username2 are members of the sftponly group in /etc/group).

“Because of a limitation bug in OpenSSH, the ForceCommand line cannot be used with logging parameters on versions earlier than 5.2. But omitting the ForceCommand directive implicitly provides the user shell access in the chrooted directory if he has upload privileges. Therefore, this is in my view a security risk, and that is why I would say that enabling logging in this configuration requires OpenSSH 5.2 or later.”
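To tie the steps above together, here is an added example (my own script for this post, not part of the original article) that creates the per-user dev directory and prints the rsyslog and sshd_config fragments for a list of chrooted users. It assumes the chroot roots live under a base directory such as /home, that the group is called sftponly, and that rsyslog's imuxsock module is already loaded by the stock /etc/rsyslog.conf (it is on CentOS 6); the user names and the base path are placeholders. The dev directory and the chroot root itself are created root-owned and not writable by the user, which is what sshd requires for ChrootDirectory and which keeps the user from replacing the log socket. The ForceCommand line is inside the Match block for the reason given in the quote above.

```shell
#!/bin/sh
# Added example for this post: generate the chroot-SFTP logging setup.
# Assumptions (placeholders): chroot roots under $1, e.g. /home, group "sftponly",
# CentOS 6 paths, rsyslog already has "$ModLoad imuxsock" in its config.
set -eu

# Create <base>/<user>/dev for each user. Both the chroot root and dev must be
# owned by root and not writable by the user (sshd refuses a writable root).
make_dev_dirs() {
    base=$1; shift
    for u in "$@"; do
        mkdir -p "$base/$u/dev"
        chmod 755 "$base/$u" "$base/$u/dev"
    done
}

# rsyslog lines: open an extra /dev/log socket inside each chroot. These go
# after the existing "$ModLoad imuxsock" line in /etc/rsyslog.conf.
rsyslog_lines() {
    base=$1; shift
    for u in "$@"; do
        echo "\$AddUnixListenSocket $base/$u/dev/log"
    done
}

# sshd_config fragment: the logging-enabled subsystem line replaces the stock
# one, and the Match block goes at the very end of the file.
sshd_fragment() {
    base=$1; shift
    echo 'Subsystem sftp internal-sftp -l INFO'
    echo ''
    echo 'Match Group sftponly'
    echo "    ChrootDirectory $base/%u"
    echo '    ForceCommand internal-sftp -l INFO'
    echo '    AllowTcpForwarding no'
    echo '    X11Forwarding no'
}

# Usage: sh sftp-chroot-logging.sh /home username1 username2
# Prints both fragments; run make_dev_dirs as root to create the directories.
if [ "$#" -ge 2 ]; then
    base=$1; shift
    rsyslog_lines "$base" "$@"
    echo ''
    sshd_fragment "$base"
fi
```

After applying the fragments, `service rsyslog restart` and `service sshd restart` pick them up; each user's chroot then contains a dev/log socket created by rsyslog, and internal-sftp running as that user can write through it.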

Note: I tried to redirect sftp logging as in the article referred to above, but it did not seem to work in CentOS; everything is logged to /var/log/secure, which in my case is just fine, so I did not research it any further. On the Debian side one user commented that the dev/log sockets were not created automatically, but this is not the case in CentOS: just add the entry to the /etc/rsyslog.conf file as above, do a service rsyslog restart, and it works!

Any comments are welcome.

3 thoughts on “OpenSSH logging with Chroot Directory and SFTP Clients on CentOS”

  1. Thanks for this – it works beautifully! The logging syntax is a little odd, but nothing that can’t be learned from a few minutes of testing. And as with your experience, mine logged to /var/log/secure which is really ideal.

  2. Hello,

    thank you for the post. It seems to be what I am looking for. However, I am not sure what the output should look like in /var/log/secure. Is it possible to provide a sample? I have the impression it is not working.
    Furthermore, what access rights do you need for /home/username1/dev?
    Thanks.

  3. Additional detail, my chrooted users are placed under /home/ftp/$users. Perhaps this is the reason why it is not working?
