( vs. r1.1) SftpLogging < Freebsd

<<O>> Difference Topic SftpLogging (r1.1 - 21 Jul 2003 - KirkStrauser)

Line: 1 to 1

Added:

>
>

By default, the SftpServer program bundled with OpenSSH^? does not support any sort of connection or transfer logging. While the authors apparently have a good reason for this, it interfered with some of my client's needs. Therefore, I wrote this patch to SftpServer to enable rudimentary logging.

Caveat: I am not an expert on OpenSSH^?'s implementation. While this code seems very straightforward, and I'm 99.9% certain that it will work as expected without giving crackers any additional openings to attack your system (other than potentially causing a flood of data to be dumped to syslogd), there may be pathways through SftpServer's control system that cause data to be logged in an inconsistent or incorrect manner. This patch is useful for me; you must audit it for your own needs before installing it on a production system.

Output

These are entries logged to syslogd on a FreeBSD server. As per Unix convention, successful requests are those that return a status code of 0.

Jul 21 14:38:35 kanga sftp-server(kirk)[5022]: Connected
Jul 21 14:38:41 kanga sftp-server(kirk)[5022]: Opened "/tmp/foo" flags 1 mode 0666
Jul 21 14:38:41 kanga sftp-server(kirk)[5022]: Began to read
Jul 21 14:38:41 kanga sftp-server(kirk)[5022]: Finished status 0
Jul 21 14:40:39 kanga sftp-server(kirk)[5022]: Read contents of /tmp
Jul 21 14:40:39 kanga sftp-server(kirk)[5022]: Finished status 0
Jul 21 14:40:51 kanga sftp-server(kirk)[5022]: Read contents of /home/kirk
Jul 21 14:40:53 kanga sftp-server(kirk)[5022]: Finished status 0
Jul 21 14:41:08 kanga sftp-server(kirk)[5022]: Read contents of /
Jul 21 14:41:08 kanga sftp-server(kirk)[5022]: Finished status 0
Jul 21 14:42:40 kanga sftp-server(kirk)[5022]: Opened "/etc/master.passwd" flags 1 mode 0666 status 3
Jul 21 14:42:49 kanga sftp-server(kirk)[5022]: Disconnected

In English:

At 14:38:35, user kirk connected to the SftpServer.
At 14:38:41, kirk successfully downloaded /tmp/foo.
At 14:40:39, kirk requested a directory listing of /tmp.
At 14:40:51, kirk requested a directory listing of /home/kirk.
At 14:41:08, kirk requested a directory listing of /.
At 14:42:40, kirk attempted to open /etc/master.passwd. The status code "3" (nonzero) indicates an error.
At 14:42:49, kirk disconnected.

License

OpenSSH^? is released under a BsdLicense^?. Just for the sake of stating this explicitly:

This code is distributable under the same license terms as OpenSSH^?.

-- KirkStrauser - 21 Jul 2003

META FORM	ClassForm
META FIELD TopicClassification	TopicClassification	SystemSecurity
META FIELD OsVersion	OsVersion	All
META FILEATTACHMENT	sftp-logging.patch	attr="" comment="Initial release" date="1058818216" path="sftp-logging.patch" size="3750" user="KirkStrauser" version="1.1"

View topic | Diffs | r1.1 | More

Revision -
Revision r1.1 - 21 Jul 2003 - 20:11 - KirkStrauser