I have a Red Hat 5.4 server with openssh OpenSSH_4.3p2 and have been trying to setup scp/sftp logs in my server, but I am running into some problems.
I followed the directions in this other post. These work great if the users choose to transfer files using pscp or an SFTP client such as cyberduck, filezilla, winscp, etc. In such cases I am able to know the directory tree that was navigated.
However, if the users choose to do rsync (with scp as protocol) or if they call the scp command explicitly, the only thing that gets logged is event of login/logout. The actual tree navigated to transfer the files does not show up in the log trail.
Is there a way to disable scp while still allowing sftp ? Or is there a way to force scp commands to behave as sftp ?
Maybe this problem does not exist in more recent openssh ports. However, since Red Hat will not release further updates for my 5.4 OS version (and we don't want to upgrade the server) I am stuck with what I have.
Any suggestions ?
Best Answer
I'm not sure about logging of SCP. I had a look into this. Allscp
does is callscp
at the other end in a slightly different mode.sshd
should be able to log what it execs. From the code it looks likesshd
needsLogLevel=DEBUG
to write the exec but that's not outputting for me at DEBUG or any higher level (6.1p1). Unfortunately oncesshd
has executed something the running binary can do whatever it wants underneath, so it would help if the binary also implemented logging. There's no real logging inscp
so that would need a patch of some sorts.This immediately leads my brain to a hack of writing a wrapper for
scp
to at least get some information.Then put the following in
/usr/bin/scp
The script would get wiped out by releases though and it is a little dodgy. You only really see one side of the scp command which can be a bit brief (e.g
scp -r user@host:/home/user/ ./
is-r -f /home/matt/
on the host)It's also worth noting that if people have shell access they can copy whatever they want without using scp or sftp.
< end edit >
It's is possible to force a
Subsytem
onto a login. The following is for members of the groupsftponly
that I want to only be able to sftp to a specific chroot location so their users have a shell of/usr/sbin/nologin
. I don't think you'll need the more thanForceCommand
in sshd config.Hopefully you can append your logging and you're away.