Not to log file xfers

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
        I was surprised to discover that, with 'sftp', logging only came as a
patch. This is a marked contrast to 'sftp2'; with its "SftpSyslogFacility"
configuration option.

 Was the absence of transfer logs conceived as a privacy mechanism, or
was it simply an oversight ?

 Thoughts, anyone..
                       DaveN  -- University of Liverpool Computer Science

Re: Not to log file xfers

Quoted text here. Click to load it

Bear in mind that SFTP is only one of many ways to achieve file
transfer over SSH. If my server's SFTP client did logging and I
happened to want to perform an unlogged file transfer, I could just
do things like this:

  ssh remotehost 'cat > uploaded' < file-to-upload
  ssh remotehost 'cat file-to-download' > downloaded
  tar czvf - directory-to-upload | ssh remotehost 'tar xzf -'
  ssh remotehost 'tar czf - directory-to-download' | tar xzvf -

and since I never invoked the SFTP binary, it would never do its

I would _guess_ (although this is just a guess) that someone decided
there was no point in making an SFTP server log in most situations,
since there was no way to ensure the log was complete or reliable.

It's probably something I'd have reasoned in the same situation:
free software authors are generally reluctant to spend time and
effort on creating restrictions and `security' measures which are
very easy to bypass. The feeling is that you should either make them
difficult or (preferably) impossible to bypass, or not bother with
them at all.

Of course, if you have a specialist setup - such as an account which
can _only_ be used for SFTP, so that mechanisms like the above are
not possible - then a logging SFTP server might become worth having.
Which might easily be why it's available as a patch.
Simon Tatham         "Selfless? I'm so selfless I

Site Timeline