I'm reporting a problem that I've seen a few times by googling, and there doesn't seem to be a bug report on this yet.

When setting up an SFTP-only server, Damien suggested in the OpenBSD journal to use a combination of ChrootDirectory and ForceCommand like this. I've added the sftp subsystem as well since it's required.

    Subsystem sftp internal-sftp
    ForceCommand internal-sftp
    ChrootDirectory /chroot

The previous settings work well as documented. However, since internal-sftp doesn't do any logging by default, to enable SFTP logging, this could be used in theory:

    Subsystem sftp internal-sftp -l VERBOSE
    ForceCommand internal-sftp
    ChrootDirectory /chroot

That doesn't log anything either; the SFTP connection works but no logging is performed. Just for your information, the jailed /dev/log requirement is met. Let's try this one:

    Subsystem sftp internal-sftp -l VERBOSE
    ForceCommand internal-sftp -l VERBOSE
    ChrootDirectory /chroot

With these settings, the connection is closed immediately by sshd. Just to illustrate my point, let's run a debug SFTP session with ForceCommand commented out:

    Subsystem sftp internal-sftp -l VERBOSE
    #ForceCommand internal-sftp -l VERBOSE
    ChrootDirectory /chroot

This time SFTP works, logs detailed information as expected in the chrooted /dev/log, and gives me this:

    debug1: subsystem: exec() internal-sftp -l VERBOSE
    debug1: audit run command euid 0 user ftpitst command 'internal-sftp -l VERBOSE'

So far so good. But if I put ForceCommand back in place, it closes the connection immediately and gives me this:

    debug1: subsystem: exec() internal-sftp -l VERBOSE
    debug1: Forced command (config) 'internal-sftp -l VERBOSE'
    debug1: audit run command euid 0 user ftpitst command 'internal-sftp -l VERBOSE'

I'll be glad to provide more information if necessary.

Thanks

Created attachment 1569: fix forcecommand internal-sftp

This patch fixes the problem; it has already been committed and will be in openssh-5.2.

Close bugs fixed/reviewed for openssh-5.2 release
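
An added example, not part of the original report or of OpenSSH: a small Python check over sshd_config text that flags the three conditions described in this thread (a forced internal-sftp without `-l`, a `-l` on the Subsystem line that produced no logs in the report, and a forced command with arguments, which depends on the openssh-5.2 fix). The function names and finding codes are hypothetical, Match blocks are not scoped (the file is read as flat), and the sample input is constructed from the report's second configuration.

```python
import shlex

# Constructed sample: the second configuration quoted in the report above.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp -l VERBOSE
ForceCommand internal-sftp
ChrootDirectory /chroot
"""

def log_level(argv):
    """Value following -l in an internal-sftp argument list, or None."""
    for i, arg in enumerate(argv[:-1]):
        if arg == "-l":
            return argv[i + 1]
    return None

def audit_sftp_logging(config_text):
    """Return (code, detail) findings for a flat sshd_config (Match blocks ignored)."""
    subsystem = chroot = None
    forced = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        words = shlex.split(line)
        key, args = words[0].lower(), words[1:]  # keywords are case-insensitive
        if key == "subsystem" and args[:2] == ["sftp", "internal-sftp"]:
            subsystem = args[1:]
        elif key == "forcecommand" and args[:1] == ["internal-sftp"]:
            forced.append(args)
        elif key == "chrootdirectory" and args:
            chroot = args[0]
    findings = []
    for argv in forced:
        if log_level(argv) is None:
            findings.append(("FORCED_NO_LOG", "ForceCommand internal-sftp has no -l"))
            if subsystem and log_level(subsystem):
                findings.append(("SUBSYSTEM_LEVEL_UNUSED",
                                 "-l on Subsystem produced no logs in the report"))
        else:
            findings.append(("NEEDS_5_2",
                             "ForceCommand with arguments needs the openssh-5.2 fix"))
    if chroot and (forced or subsystem):
        # Path of the log socket that must exist inside the chroot.
        findings.append(("CHROOT_DEV_LOG", chroot.rstrip("/") + "/dev/log"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_sftp_logging(SAMPLE_CONFIG):
        print(code, detail)
```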