Network Security Secure-Shell

sshd and chroot logging

Subject: sshd and chroot logging
Date: Wed, 9 Jul 2008 16:44:53 +0100
Hello Guys,
I have successfully compiled and run openssh-5.0p1 on Red Hat
Enterprise Linux ES release 3 ( 2.4.21-50.ELsmp ).

Port 22
ListenAddress 0.0.0.0
Protocol 2
SyslogFacility DAEMON
LogLevel DEBUG
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 6
PasswordAuthentication yes

Subsystem sftp internal-sftp

Match user test
        ForceCommand internal-sftp
        ChrootDirectory /chrootsftp/test
        X11Forwarding no
        AllowTcpForwarding no

My goal is to have sshd chroot particular users and log their file
transfers. Information about who, when and from what IP is not enough
for my spec.

I was trying to change sshd_config in so many ways (mainly Subsystem and
Match sections) but apparently you cannot specify any -l or -f
arguments after internal-sftp. Apparently, "Subsystem sftp
internal-sftp" does not have to exist at all when there is just one user
and it is matched by a "Match" directive.

Having
ForceCommand /usr/libexec/openssh/sftp-server -l VERBOSE
doesn't allow for sftp connections at all.

What would be the major difference between "internal-sftp" and
/usr/libexec/openssh/sftp-server? Does "internal-sftp" invoke an sftp
subsystem which is part of the sshd binary, or does it still pass the
transaction back to sftp-server but just allow it to be chrooted?
Documentation of sshd_config directives reads:

"Alternately the name ``internal-sftp'' implements an in-process
'sftp' server.  This may simplify configurations using ChrootDirectory
to force a different file system root on clients."

Does it mean that you can have either a normal sftp subsystem with
logging (sftp-server) or a chrooted sftp without logging
(internal-sftp)?

I was also trying to play with /chrootsftp/test/dev/log and hard
linking it to /dev/log (adding an additional socket during syslog
start) but it seems natural that it doesn't work as this is a
non-interactive chrooted environment (just sftp).

I am really stumped at this point and wondering if that may be
achieved at all? I really count on someone explaining all these
questions to me, as I went through possibly every subject on google
regarding that problem, not finding a definitive answer to it. I
suppose "the source" could sort my doubts out :D

Cheers Sim.
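
The records Sim is after (which chrooted user moved which file, in which direction, how many bytes, from which address) are exactly what sftp-server(8) writes to syslog once it runs with a non-default log level such as "-l VERBOSE" (at its default level only errors are logged), provided the chrooted process can reach a syslog socket, which for a chroot means a second listener socket created inside the jail by the syslog daemon (sysklogd's "-a" option, or rsyslog's imuxsock AddUnixListenSocket) rather than a hard link to /dev/log. Later OpenSSH releases also accept those options after "internal-sftp", and that in-process server logs under the ident "internal-sftp" instead of "sftp-server". The script below is an added example, not part of this thread or of OpenSSH: it turns such log lines into per-session transfer records for auditing. The log lines embedded in it are constructed samples in the message format sftp-server uses ("session opened for local user ... from [...]", "open ... flags ... mode ...", "close ... bytes read ... written ..."); the host name, PID, user and IP address in them are made up, and the paths are relative to the chroot, as the daemon reports them.

```python
"""Rebuild per-user SFTP transfer records from sftp-server / internal-sftp
syslog lines written at -l VERBOSE (added example; sample data is constructed)."""
import re

# Constructed sample: one chrooted session uploading a file, reading one
# and deleting it. Host, PID, user and address are invented values.
SAMPLE_LOG = """\
Jul  9 16:40:01 host sftp-server[2311]: session opened for local user test from [192.0.2.10]
Jul  9 16:40:05 host sftp-server[2311]: open "/upload/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Jul  9 16:40:07 host sftp-server[2311]: close "/upload/report.csv" bytes read 0 written 48213
Jul  9 16:40:09 host sftp-server[2311]: open "/upload/old.csv" flags READ mode 0666
Jul  9 16:40:10 host sftp-server[2311]: close "/upload/old.csv" bytes read 1024 written 0
Jul  9 16:40:12 host sftp-server[2311]: remove name "/upload/old.csv"
Jul  9 16:40:15 host sftp-server[2311]: session closed for local user test from [192.0.2.10]
Jul  9 16:40:20 host sshd[2300]: Received disconnect from 192.0.2.10: 11: disconnected by user
"""

# Standard syslog prefix; the ident is "sftp-server" for the external binary
# and "internal-sftp" for the in-process server, so accept both.
PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?:sftp-server|internal-sftp)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SESSION = re.compile(
    r"^session (?P<state>opened|closed) for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]$"
)
OPEN = re.compile(r'^open "(?P<path>[^"]+)" flags (?P<flags>\S+) mode (?P<mode>\d+)$')
CLOSE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)$')
REMOVE = re.compile(r'^remove name "(?P<path>[^"]+)"$')
RENAME = re.compile(r'^rename old "(?P<old>[^"]+)" new "(?P<new>[^"]+)"$')


def parse_sftp_log(text):
    """Return a list of transfer/removal/rename events, each tagged with the
    user and client address of the session (keyed by PID) it belongs to."""
    sessions = {}  # pid -> {"user", "ip", "open": {path: flags}}
    events = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # other daemons share the facility; ignore them
        ts, pid, msg = m.group("ts"), m.group("pid"), m.group("msg")

        s = SESSION.match(msg)
        if s:
            if s.group("state") == "opened":
                sessions[pid] = {"user": s.group("user"), "ip": s.group("ip"), "open": {}}
            else:
                sessions.pop(pid, None)
            continue

        sess = sessions.get(pid)
        if sess is None:
            continue  # operation with no visible session start (e.g. rotated log)
        base = {"time": ts, "user": sess["user"], "ip": sess["ip"]}

        o = OPEN.match(msg)
        if o:
            # Remember the open flags; direction is decided when the file closes.
            sess["open"][o.group("path")] = o.group("flags")
            continue
        c = CLOSE.match(msg)
        if c:
            flags = sess["open"].pop(c.group("path"), "").split(",")
            events.append({**base, "op": "upload" if "WRITE" in flags else "download",
                           "path": c.group("path"),
                           "read": int(c.group("read")), "written": int(c.group("written"))})
            continue
        r = REMOVE.match(msg)
        if r:
            events.append({**base, "op": "remove", "path": r.group("path")})
            continue
        rn = RENAME.match(msg)
        if rn:
            events.append({**base, "op": "rename", "path": rn.group("old"), "new": rn.group("new")})
    return events


def bytes_by_user(events):
    """Aggregate uploaded/downloaded byte counts per (user, ip)."""
    totals = {}
    for e in events:
        if e["op"] in ("upload", "download"):
            t = totals.setdefault((e["user"], e["ip"]), {"uploaded": 0, "downloaded": 0})
            t["uploaded"] += e["written"]
            t["downloaded"] += e["read"]
    return totals


if __name__ == "__main__":
    for e in parse_sftp_log(SAMPLE_LOG):
        print(e)
    print(bytes_by_user(parse_sftp_log(SAMPLE_LOG)))
```

Sessions are keyed by the daemon PID, which is what ties an "open"/"close" line back to the "session opened" line carrying the user name and address; a log that was rotated in the middle of a session therefore yields operations that cannot be attributed and are skipped rather than guessed. Direction is taken from the open flags rather than from the byte counts, so a zero-byte upload is still recorded as an upload.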

  • sshd and chroot logging, Szymon Bakowski <=