Chrooted SFTP & logging problems

I realise there have been a few posts on this before - but nothing seems
to be working for me!   I need to log file transfers etc. from sftp
within the chrooted environment but no dice so far.
My environment is Solaris 10 (x86) with SSH 5.1p1 & syslog-ng 1.6.11.

--- segment from sshd_config---
Subsystem       sftp    internal-sftp -f auth -l info

Match Group sftponly
        ChrootDirectory /export/home/%u
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

In syslog-ng I have the following source statement:

source syslog {
        sun-streams("/dev/log" door("/var/run/syslog_door"));
        udp(ip( port(514));

/export/home/myuser/dev exists and the log socket in there is created
by syslog-ng:

ls -l /export/home/myuser/dev/log
srw-rw-rw-   1 root     myuser            0 Aug 13 09:42 /export/home/

The chroot environment works fine and all is jailed correctly. But
logging stops beyond the initial login:

Aug 13 11:02:20 myserver sshd[9356]: [ID 800047] Accepted
keyboard-interactive/pam for myuser from ww.xx.yy.zz port 57300 ssh2

and that's it.  Any users not in group sftponly (i.e. non-chroot) log
correctly like this:

Aug 13 11:03:34 myserver sshd[9387]: [ID 800047] Accepted
keyboard-interactive/pam for nonchrootuser from ww.xx.yy.zz port 57306
Aug 13 11:03:34 myserver sshd[9391]: [ID 800047] subsystem
request for sftp
Aug 13 11:03:34 myserver internal-sftp[9392]: [ID 800047]
session opened for local user nonchrootuser from [ww.xx.yy.zz]
Aug 13 11:03:36 myserver internal-sftp[9392]: [ID 800047]
opendir "/export/home/nonchrootuser/"
Aug 13 11:03:36 myserver internal-sftp[9392]: [ID 800047]
closedir "/export/home/nonchrootuser/"

I wonder whether the ForceCommand statement needs arguments to
internal-sftp - but this doesn't appear to work - user authenticates
then is kicked out.  I've tried placing the ForceCommand command in
double quotes, single quotes, escaped args etc.   Permissions on the
home dirs & below appear OK (owner root, group myuser).

I'm not sure if this is a syslog-ng thing or ssh? I've tried looking
at what files are open with syslog-ng &/or ssh and recreated those in
the jail (i.e. mknod on the chrooted /dev/null, /dev/sysmsg & a variety
of others).

Re: Chrooted SFTP & logging problems

I've also tried this by creating a second sun-streams source rather than
the unix-stream mentioned above, i.e.:

sun-streams("/export/home/myuser/dev/log" door("/export/home/myuser/

I had to create /export/home/myuser/dev/log using mknod (using same
major/minor numbers as the real /dev/log). The door file was created
automatically. Still no joy.

Re: Chrooted SFTP & logging problems

Rob prated on Sha'ban 10, 1429:


I think I'm running into the same problem. I notice you are using the
ForceCommand directive. For me, suppressing it restores logging, which
would indicate an ssh problem. Is it the same for you ?

Apparently, some people have also encountered this issue with syslogd:


Re: Chrooted SFTP & logging problems

François Garillot asserted on Day 2 of week 34 of 2008:


See also the very recent patch proposal for passing arguments to


Re: Chrooted SFTP & logging problems

On Aug 19, 5:39 pm, (François Garillot) wrote:

Hi - no I don't see the same problem.  I've just tried again
commenting out ForceCommand - it works exactly as with it uncommented.
Are you using Solaris? I'm wondering whether I'm encountering issues
with the syslog-ng config (I need to run syslog-ng instead of regular
syslogd due to some extra features it gives me) which is just
confusing the issue. I'll check out the links - thanks!

Re: Chrooted SFTP & logging problems

I tried one of the suggested patches to session.c which allows
arguments to the 'ForceCommand internal-sftp'.
This fixes the problem of getting kicked out of sftp after login when
the 'ForceCommand internal-sftp' has arguments specified.  I'm still
not getting the required logging though.

I then tried removing the ChrootDirectory from the Match directive to
see whether the 'ForceCommand internal-sftp' arguments were actually
working.  They are!   Remove the arguments and login as the Match
user, no logging, add the arguments and login as the Match user,
arguments are recognised! This is a step forward as it now tells me
it's my syslog-ng config that's at fault.

I'll try and fix the syslog-ng config and do some more tests. I get
the impression that maybe your chroot syslogging is working OK, but
you need the patch. I used this one:

My cut and paste of the patch into a patch file meant the context diff
file was a bit corrupted so I added the changes by hand (hacky).

Re: Chrooted SFTP & logging problems

Got it - I needed to apply the patch to openssh 5.1p1 (which'll hopefully
be rolled into future versions) to enable parameters to the 'ForceCommand
internal-sftp' in the link mentioned earlier:

And on Solaris 10 x86 using syslog-ng, all I needed was the existence
of the /dev/conslog device file in the chroot jail (writeable by the
chroot user as well).
Perms are quite tricky too.

Create the device file:
% ls -lL /dev/conslog
crw-rw-rw-   1 root     sys       21,  0 Jun  5 14:36 /dev/conslog
% mkdir /export/home/chrootuser/dev
% mknod /export/home/chrootuser/dev/conslog c 21 0

Set perms:
% chown root:chrootusergroup /export/home/chrootuser /export/home/chrootuser/dev /export/home/chrootuser/dev/conslog
% chmod 710 /export/home/chrootuser /export/home/chrootuser/dev
% chmod 660 /export/home/chrootuser/dev/log

Now my main problem is the start directory. Because the top of the
jail needs to be mode 750 (I may be able to do away with this by not
using strict modes in ssh) I need to set a start directory for the
sftp user. This will hide the dev directory as well. Figuring out how to
do this.

Re: Chrooted SFTP & logging problems

To set a start directory, just set the home directory of the
chrootuser in /etc/passwd to the value it would be when the user is in
the chroot jail:


% mkdir /export/home/chrootuser/home
% chown root:chrootuser /export/home/chrootuser/home
% chmod 770 /export/home/chrootuser/home  # so chrootuser can actually write to it

Set the homedir in /etc/passwd:
chrootuser:x:60011:1003:Test SFTP User:/home:/bin/false

One more thing. The mode on the top level of the jail in my post
before is incorrect - this should be set to 750, not 710. This means
chrootuser can go up one level and see the dev & home folders but
can't write anything except to the home folder. There may be potential
for writing to /dev/conslog in the jail and inserting duff log entries
- but they'd need to know the file was called /dev/conslog (you can't
'ls' on this to figure it's there) and also be able to write.
(Potentially you could upload a file with syslog instructions in it?)
This is a possible vulnerability but this must be common to most
chroot environments which require a log device of some description.
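An added audit script (my own, not code from anyone in this thread) that checks a jail against the constraints worked out above: the root-owned, non-group-writable top directory and dev/ that sshd insists on for ChrootDirectory, and a dev/conslog character device whose major/minor match the host's. It assumes Python 3 on the SFTP host; make_demo_jail only builds a constructed skeleton without the device node, since mknod needs root.

```python
import os
import stat
import tempfile

# Device node the jail must carry so internal-sftp inside it can reach syslog-ng;
# the thread's Solaris 10 answer is /dev/conslog (major 21, minor 0).
JAIL_LOG_DEVICE = "dev/conslog"


def _check_dir(path, findings):
    # sshd accepts a ChrootDirectory only if each component is root-owned and
    # not group/other-writable (750 passes, 770 does not); dev/ needs the same.
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        findings.append(f"{path}: missing")
        return
    if st.st_uid != 0:
        findings.append(f"{path}: not owned by root (uid {st.st_uid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/others (mode {oct(st.st_mode & 0o777)})")


def audit_jail(jail, host_device="/dev/conslog"):
    """Return findings for one chroot jail; an empty list means it looks right."""
    findings = []
    _check_dir(jail, findings)
    _check_dir(os.path.join(jail, "dev"), findings)
    dev = os.path.join(jail, JAIL_LOG_DEVICE)
    try:
        st = os.lstat(dev)
    except FileNotFoundError:
        findings.append(f"{dev}: missing (mknod it with the host's major/minor)")
        return findings
    if not stat.S_ISCHR(st.st_mode):
        findings.append(f"{dev}: not a character device")
    elif not st.st_mode & stat.S_IWGRP:
        findings.append(f"{dev}: not group-writable, so the sftp user cannot log")
    if not os.path.exists(host_device):
        findings.append(f"{host_device}: absent on this host, cannot compare device numbers")
    elif os.stat(host_device).st_rdev != st.st_rdev:
        findings.append(f"{dev}: major/minor differ from {host_device}")
    return findings


def make_demo_jail(top_mode):
    # Constructed jail skeleton in a temp dir, no device node (mknod needs root).
    jail = tempfile.mkdtemp(prefix="sftpjail-")
    os.mkdir(os.path.join(jail, "dev"))
    os.chmod(os.path.join(jail, "dev"), 0o750)
    os.chmod(jail, top_mode)
    return jail
```

Run audit_jail("/export/home/chrootuser") as root on the real box; a 770 top directory shows up as a finding, which is exactly the case sshd rejects.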
