OpenSSH versions 4.4p1 and up (which should include the latest version with CentOS 5) have SFTP logging capability built in - you just need to configure it.
Find this in your sshd_config (on CentOS, the file /etc/ssh/sshd_config):
Subsystem sftp /usr/libexec/openssh/sftp-server
and change it to:
Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO
INFO is just one level of detail over what you're seeing by default - it provides detailed information regarding file transfers, permission changes, etc. If you need more info, you can adjust the log level accordingly. The various levels (in order of detail) are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3
Anything over VERBOSE is probably more information than you're looking for, but it might be useful.
Finally, restart the SSH service to update the changes (CentOS):
systemctl restart sshd
As I understand it, you have (at least for this particular problem) two distinct groups of users, one being able to log in via SSH and get an interactive shell (let's call the group ssh) and one being able to log in via SFTP and only get an SFTP shell (let's call the group sftp).
Now create the groups ssh and sftp on your system with groupadd, put the respective users in the groups (gpasswd -a $USERNAME $GROUPNAME) and append the following lines at the end (this is important!) of your sshd_config located at /etc/ssh/sshd_config:
Match Group sftp
    PasswordAuthentication yes
    # Further directives for users in the "sftp" group
Match Group ssh
    PasswordAuthentication no
    # Further directives for users in the "ssh" group
Read about the Match directive in sshd_config(5) and about the allowed patterns in ssh_config(5).
You'll also have to restart the ssh process for this to take effect:
sudo /etc/init.d/ssh restart
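Why the Match blocks have to go at the end of the file, as an added example that is not part of the answer above: a simplified Python model of how sshd scopes keywords, run over a constructed config in which X11Forwarding was placed after the last Match line. The function names and the sample config are assumptions made for illustration; only exact names in "Match Group", "Match User" and "Match all" are modelled.

```python
# Added example: simplified model of how sshd scopes keywords around Match blocks.
# Real sshd also supports wildcards, negation and further criteria (Host, Address, ...).

SAMPLE = """\
# Constructed sshd_config for illustration
PasswordAuthentication no
Match Group sftp
    PasswordAuthentication yes
Match Group ssh
    PasswordAuthentication no
X11Forwarding yes
"""

def parse_blocks(text):
    """Return [(criteria, {keyword: first_value})]; criteria is None for the global section."""
    blocks = [(None, {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        keyword, args = parts[0].lower(), parts[1:]
        if keyword == "match":
            blocks.append((args, {}))  # every line below belongs to this block
        else:
            blocks[-1][1].setdefault(keyword, " ".join(args))  # first value wins
    return blocks

def matches(criteria, user, groups):
    """True if every (criterion, pattern) pair on the Match line is satisfied."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    for name, pattern in zip(criteria[0::2], criteria[1::2]):
        wanted = set(pattern.split(","))
        if name.lower() == "group":
            ok = bool(wanted & set(groups))
        elif name.lower() == "user":
            ok = user in wanted
        else:
            raise ValueError(f"criterion not modelled: {name}")
        if not ok:
            return False
    return True

def effective(text, keyword, user, groups):
    """Value applied to this user: first matching Match block, else the global value."""
    blocks = parse_blocks(text)
    keyword = keyword.lower()
    for criteria, settings in blocks[1:]:
        if keyword in settings and matches(criteria, user, groups):
            return settings[keyword]
    return blocks[0][1].get(keyword)  # None means sshd's built-in default applies
```

In this model X11Forwarding applies only to members of the ssh group, and a user who is in both groups gets the sftp block's PasswordAuthentication yes because the first matching block wins. Running sshd -t before the restart checks the real file for syntax errors.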
Best Answer
While TCP port 22 is the general right answer, this is dependent on the fact that SSH is configured to use the standard port and not an alternative port.
As SFTP runs as a subsystem of SSH it runs on whatever port the SSH daemon is listening on and that is administrator configurable.