In a comparison between OpenSSH and the ssh.com version, a poster noted the logging provided by the ssh.com sftp daemon as a reason to prefer the ssh.com release. This seems like a worthy (and relatively simple) addition.

From: "Ric Anderson" <ric@opus1.com>
Newsgroups: comp.unix.solaris,comp.security.ssh
Subject: Re: OpenSSH3.5p1 vs. Commercial SSH 3.2

I would add (speaking only of ssh.com 3.2 vs. OpenSSH 3.5p1 using protocol 2):

3. ssh.com's product provides good logging for sftp transfers where OpenSSH provides none.
logging in sftp-server is useless, since it runs as the user. if you want sftp-server to log, recompile with -DTRACE=log
Created attachment 835
Add logging facilities to sftp-server (patch taken from the mailing list and updated to openssh 3.9p1)

Actually, a patch was posted to the mailing list some time ago:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=101621382229309&w=2

In the attachment: Jason's patch ported to openssh-3.9p1.
Created attachment 1010
openssh-4.2_p1-sftplogging-1.4-gentoo.patch

Here is an alternative solution to sftp logging. This comes from http://sftplogging.sf.net/ and contains additional bugfixes from Gentoo. This one has the advantage of being a runtime option via sshd_config; however, it doesn't log as verbosely as the previous patch. Perhaps the two could be combined, though.
Created attachment 1106
sftp transaction logging

This diff implements transaction logging for sftp-server. It adds command-line options to sftp-server to specify the log level and facility (using the same keywords as sshd) and extends sshd's Subsystem command to accept command-line arguments. To see it work, use a subsystem like:

Subsystem sftp /usr/libexec/sftp-server -l INFO

Log level VERBOSE produces a bit more verbiage, and the old request TRACE stuff is available at the debug levels. Note that it doesn't do any of the control stuff of the other patch; that can be dealt with separately.
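Once sftp-server is logging transactions to syslog, the next question for an operator is what to do with the lines. The following is an added example, not code from this bug or from OpenSSH: a small Python parser that reconstructs per-user transfer records from sftp-server log lines, totals bytes read and written per user, and flags file handles opened outside the user's home directory. The sample lines are constructed, and their shape ("session opened for local user ...", "open ... flags ... mode ...", "close ... bytes read N written M") is an assumption about what the committed logging emits at level INFO; the exact wording of the patch on this bug may differ, so adjust the regular expressions to the lines your sshd actually produces. The policy check in outside_home is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input. These are NOT real log lines from this bug; they
# assume the sftp-server log format (syslog prefix already stripped) of an
# sshd configured with:
#   Subsystem sftp /usr/libexec/sftp-server -l INFO -f AUTH
SAMPLE_LOG = """\
sftp-server[4201]: session opened for local user alice from [192.0.2.10]
sftp-server[4201]: open "/home/alice/report.pdf" flags WRITE,CREATE,TRUNCATE mode 0644
sftp-server[4201]: close "/home/alice/report.pdf" bytes read 0 written 524288
sftp-server[4201]: open "/etc/passwd" flags READ mode 0666
sftp-server[4201]: close "/etc/passwd" bytes read 2048 written 0
sftp-server[4201]: remove name "/home/alice/old.log"
sftp-server[4201]: session closed for local user alice from [192.0.2.10]
sftp-server[4377]: session opened for local user bob from [198.51.100.7]
sftp-server[4377]: open "/home/bob/notes.txt" flags READ mode 0666
sftp-server[4377]: close "/home/bob/notes.txt" bytes read 128 written 0
"""

# Assumed line shapes (see lead-in); the pid ties each close to a session.
SESSION_RE = re.compile(
    r'sftp-server\[(?P<pid>\d+)\]: session (?P<state>opened|closed) '
    r'for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]'
)
CLOSE_RE = re.compile(
    r'sftp-server\[(?P<pid>\d+)\]: close "(?P<path>[^"]*)" '
    r'bytes read (?P<read>\d+) written (?P<written>\d+)'
)


def parse_transfers(log_text):
    """Return one record per closed file handle, tagged with the owning session's user."""
    sessions = {}   # pid -> (user, addr) for sessions currently open
    transfers = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            if m.group("state") == "opened":
                sessions[m.group("pid")] = (m.group("user"), m.group("addr"))
            else:
                sessions.pop(m.group("pid"), None)
            continue
        m = CLOSE_RE.search(line)
        if m:
            # A close with no matching "session opened" (e.g. log rotation
            # mid-session) is kept but attributed to an unknown user.
            user, addr = sessions.get(m.group("pid"), ("?", "?"))
            transfers.append({
                "user": user,
                "addr": addr,
                "path": m.group("path"),
                "read": int(m.group("read")),
                "written": int(m.group("written")),
            })
    return transfers


def per_user_totals(transfers):
    """Sum bytes read and written per user."""
    totals = defaultdict(lambda: {"read": 0, "written": 0})
    for t in transfers:
        totals[t["user"]]["read"] += t["read"]
        totals[t["user"]]["written"] += t["written"]
    return dict(totals)


def outside_home(transfers):
    """Hypothetical policy: flag any handle whose path is not under /home/<user>/."""
    return [(t["user"], t["path"]) for t in transfers
            if not t["path"].startswith("/home/%s/" % t["user"])]


if __name__ == "__main__":
    records = parse_transfers(SAMPLE_LOG)
    for user, totals in per_user_totals(records).items():
        print("%-8s read=%d written=%d" % (user, totals["read"], totals["written"]))
    for user, path in outside_home(records):
        print("ALERT: %s touched %s" % (user, path))
```

The point of keying on the pid rather than on the path is that sftp-server's per-request lines carry no user name; only the session open/close lines do, so the parser has to carry that state across lines. That is also why a log that is rotated mid-session yields "?" users: keep the session lines and the request lines in the same facility (the -f option) so they rotate together.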
Created attachment 1126
revised patch, adding chroot option

Here is a revised patch that changes the way the subsystem arguments are processed, adds logging of file handles closed implicitly by a logout or fatal error, and adds a chroot option to sftp-server (requires sftp-server to be installed setuid). Note that all of this is still experimental, especially the chroot stuff.
I cannot apply both patches, "revised patch, adding chroot option" and "sftp transaction logging". I tried to apply them to openssh-4.3p2 (portable version) and the CVS version (portable).

root@gcc /usr/src/openssh-4.3p2# patch -p0 --dry-run < ../trustix/sources/sftp-server-logging.diff
patching file servconf.c
Hunk #1 succeeded at 446 with fuzz 1 (offset 35 lines).
Hunk #2 succeeded at 866 (offset 5 lines).
patching file servconf.h
patching file session.c
Hunk #1 succeeded at 1774 (offset 356 lines).
patching file sftp-server.8
patching file sftp-server.c
Hunk #1 succeeded at 30 with fuzz 2 (offset -4 lines).
Hunk #2 succeeded at 114 (offset 2 lines).
Hunk #3 succeeded at 149 (offset -4 lines).
Hunk #4 succeeded at 186 (offset 2 lines).
Hunk #5 succeeded at 244 (offset -4 lines).
Hunk #6 succeeded at 325 (offset 2 lines).
Hunk #7 succeeded at 334 (offset -4 lines).
Hunk #8 succeeded at 379 (offset 2 lines).
Hunk #9 succeeded at 384 (offset -4 lines).
Hunk #10 succeeded at 405 (offset 2 lines).
Hunk #11 succeeded at 414 (offset -4 lines).
Hunk #12 succeeded at 437 (offset 2 lines).
Hunk #13 succeeded at 448 (offset -4 lines).
Hunk #14 succeeded at 487 (offset 2 lines).
Hunk #15 succeeded at 506 (offset -4 lines).
Hunk #16 succeeded at 532 (offset 2 lines).
Hunk #17 succeeded at 548 (offset -4 lines).
Hunk #18 succeeded at 569 (offset 2 lines).
Hunk #19 succeeded at 584 (offset -4 lines).
Hunk #20 succeeded at 627 (offset 2 lines).
Hunk #21 succeeded at 661 (offset -4 lines).
Hunk #22 FAILED at 707.
Hunk #23 succeeded at 778 (offset 16 lines).
Hunk #24 succeeded at 789 (offset -4 lines).
Hunk #25 succeeded at 864 (offset 16 lines).
Hunk #26 succeeded at 865 (offset -4 lines).
Hunk #27 succeeded at 902 (offset 16 lines).
Hunk #28 succeeded at 903 (offset -4 lines).
Hunk #29 succeeded at 947 (offset 16 lines).
Hunk #31 succeeded at 1024 (offset 16 lines).
Hunk #32 succeeded at 1047 with fuzz 2.
Hunk #33 FAILED at 1123.
Hunk #34 succeeded at 1253 (offset 22 lines).
Hunk #36 succeeded at 1279 (offset 22 lines).
2 out of 36 hunks FAILED -- saving rejects to file sftp-server.c.rej
patching file sshd_config.5
Hunk #1 FAILED at 636.
1 out of 1 hunk FAILED -- saving rejects to file sshd_config.5.rej
---
root@gcc /usr/src/openssh-4.3p2# patch -p0 --dry-run < ../trustix/sources/sftp-server-logging3.diff
patching file misc.c
Hunk #1 FAILED at 31.
Hunk #2 succeeded at 447 (offset -10 lines).
1 out of 2 hunks FAILED -- saving rejects to file misc.c.rej
patching file misc.h
Hunk #1 succeeded at 43 (offset -3 lines).
patching file servconf.c
Hunk #1 succeeded at 907 (offset 40 lines).
patching file servconf.h
patching file session.c
Hunk #1 FAILED at 82.
Hunk #2 succeeded at 336 (offset -5 lines).
Hunk #4 succeeded at 454 with fuzz 1 (offset 35 lines).
Hunk #5 succeeded at 483 (offset 32 lines).
Hunk #6 succeeded at 542 with fuzz 1 (offset 53 lines).
Hunk #7 succeeded at 596 (offset 67 lines).
Hunk #8 succeeded at 610 (offset 57 lines).
Hunk #9 succeeded at 1375 (offset 321 lines).
Hunk #10 succeeded at 1285 (offset 84 lines).
Hunk #11 succeeded at 1752 (offset 321 lines).
Hunk #12 succeeded at 1577 (offset 84 lines).
Hunk #13 succeeded at 1824 (offset 321 lines).
1 out of 13 hunks FAILED -- saving rejects to file session.c.rej
patching file sftp-server.8
patching file sftp-server.c
Hunk #1 succeeded at 22 (offset -4 lines).
Hunk #2 succeeded at 35 with fuzz 2.
Hunk #3 succeeded at 111 (offset -2 lines).
Hunk #5 succeeded at 183 (offset -2 lines).
Hunk #7 succeeded at 296 (offset -2 lines).
Hunk #9 succeeded at 362 (offset -2 lines).
Hunk #11 succeeded at 412 (offset -2 lines).
Hunk #13 succeeded at 442 (offset -2 lines).
Hunk #15 succeeded at 476 (offset -2 lines).
Hunk #17 succeeded at 529 (offset -2 lines).
Hunk #19 succeeded at 571 (offset -2 lines).
Hunk #21 succeeded at 607 (offset -2 lines).
Hunk #23 succeeded at 684 (offset -2 lines).
Hunk #24 FAILED at 730.
Hunk #25 succeeded at 797 (offset 14 lines).
Hunk #26 succeeded at 812 (offset -2 lines).
Hunk #27 succeeded at 883 (offset 14 lines).
Hunk #28 succeeded at 888 (offset -2 lines).
Hunk #29 succeeded at 921 (offset 14 lines).
Hunk #30 succeeded at 926 (offset -2 lines).
Hunk #31 succeeded at 966 (offset 14 lines).
Hunk #32 succeeded at 1006 (offset 2 lines).
Hunk #33 succeeded at 1043 (offset 14 lines).
Hunk #34 succeeded at 1070 with fuzz 2 (offset 2 lines).
Hunk #35 FAILED at 1146.
Hunk #36 succeeded at 1323 (offset 20 lines).
Hunk #37 succeeded at 1316 (offset 2 lines).
Hunk #38 succeeded at 1349 (offset 20 lines).
2 out of 38 hunks FAILED -- saving rejects to file sftp-server.c.rej
patching file sshd_config.5
Hunk #1 FAILED at 644.
1 out of 1 hunk FAILED -- saving rejects to file sshd_config.5.rej
can't find file to patch at input line 1146
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|Index: sftp-server/Makefile
|===================================================================
|RCS file: /cvs/src/usr.bin/ssh/sftp-server/Makefile,v
|retrieving revision 1.6
|diff -u -p -r1.6 Makefile
|--- sftp-server/Makefile 18 Apr 2006 10:44:28 -0000 1.6
|+++ sftp-server/Makefile 25 Apr 2006 08:36:12 -0000
--------------------------
File to patch: ^C

Which tree of sources should I get for it, or where am I wrong?
sftp transaction logging has just been committed and will be in openssh-4.4.
Oops, mark this FIXED.
With the release of 4.4, we believe that this bug is now closed. For information about the release please see http://www.openssh.com/txt/release-4.4 .