Use v1.4. Don't use previous versions.

--------------------
Install instructions:
--------------------

1. download and expand openssh-x.x(.x)px source
2. download the patch and put it in the parent directory of the openssh source directory
3. run "patch -p0 < openssh-x.x(.x)p.x.sftplogging.patch"
4. compile and install openssh

--------------------
Instructions on how to make the chroot-ssh patch + sftplogging patch
to work: (thanks to David Gianndrea)

* Please note that I do not use the chrootssh patch, so I have not
  tested these instructions, but they seem to make sense. -M. Martinez
--------------------

Instructions for building openssh with the sftplogging patch, and chroot.

I built this on a Sunfire v210 running Solaris 9. My configuration
requires uploading data to the incoming directory from users all over
the internet using multi-user accounts, but the same chroot.

Download the chroot patch from...
http://chrootssh.sourceforge.net/index.php

Download the sftplogging patch from...
http://sftplogging.sourceforge.net/

*** *NOTE USE GNU PATCH, AND NOT SOLARIS PATCH* ***

Untar the openssh source in a work directory, and place the patches in
the same directory. *NOT IN THE SOURCE DIRECTORY*

Run patch -p0 < $name_of_the_patch for each patch. I ran the chroot
patch first, then did the sftplogging patch.

Change directory to the source, and run configure.

    ./configure \
      --prefix=/usr/local/openssh-3.9p1-sftplogging-v1.2-chroot \
      --with-ssl-dir=/usr/local/ssl \
      --with-privsep-user=sshd

Then run make, and then make install.

Change directory to $INSTALL_DIR/etc and configure the sshd_config for
your site.

Next create the chroot directory, and place all required libs, devices,
and programs. Files under /usr/platform will depend on the machine
you're using. Use ldd, and truss to figure it out.

Copy the sftp-server from $INSTALL_DIR/libexec to the chroot directory
/export/home1/chroot/sftpuser-prod/usr/local/openssh/libexec.

* NO DIRECTORIES OR FILES SHOULD BE WRITEABLE EXCEPT FOR INCOMING *
* ROOT SHOULD BE THE OWNER AND GROUP OF EVERYTHING EXCEPT FOR DEVICES
  WHERE THE GRP IS SYS *

/export/home1/chroot/sftpuser-prod

ls -l
    dr-xr-xr-x   2 root     root         512 Oct 26 14:37 bin
    dr-xr-xr-x   2 root     root         512 Oct 27 16:22 dev
    dr-xr-xr-x   3 root     root         512 Oct 27 09:34 devices
    dr-xr-xr-x   2 root     root         512 Oct 22 13:58 etc
    dr-xr-x-wx   2 root     root         512 Oct 26 17:07 incoming
    dr-xr-xr-x   2 root     root         512 Oct 15 13:53 lib
    dr-xr-xr-x   5 root     root         512 Oct 26 09:49 usr

find .
    ./etc
    ./etc/passwd
    ./etc/group
    ./lib
    ./lib/ld.so
    ./incoming
    ./devices
    ./devices/pseudo
    ./devices/pseudo/log@0:log
    ./devices/pseudo/mm@0:zero
    ./devices/pseudo/mm@0:null
    ./devices/pseudo/log@0:conslog
    ./usr
    ./usr/local
    ./usr/local/openssh
    ./usr/local/openssh/libexec
    ./usr/local/openssh/libexec/sftp-server
    ./usr/local/ssl
    ./usr/local/ssl/lib
    ./usr/local/ssl/lib/libcrypto.so.0.9.7
    ./usr/local/lib
    ./usr/local/lib/libgcc_s.so.1
    ./usr/lib
    ./usr/lib/libresolv.so.2
    ./usr/lib/librt.so.1
    ./usr/lib/libz.so.1
    ./usr/lib/libsocket.so.1
    ./usr/lib/libnsl.so.1
    ./usr/lib/libc.so.1
    ./usr/lib/libdl.so.1
    ./usr/lib/libaio.so.1
    ./usr/lib/libmd5.so.1
    ./usr/lib/libmp.so.2
    ./usr/lib/ld.so.1
    ./usr/lib/libgen.so.1
    ./usr/platform
    ./usr/platform/SUNW,UltraAX-i2
    ./usr/platform/SUNW,UltraAX-i2/lib
    ./usr/platform/SUNW,UltraAX-i2/lib/libc_psr.so.1
    ./usr/platform/SUNW,UltraAX-i2/lib/libmd5_psr.so.1
    ./dev
    ./dev/null
    ./dev/log
    ./dev/zero
    ./dev/conslog
    ./bin
    ./bin/sh

# cd ./devices/pseudo
# ls -l
    crw-rw-rw-   1 root     sys       21,  0 Oct 27 15:57 log@0:conslog
    crw-r-----   1 root     sys       21,  5 Oct 27 13:10 log@0:log
    crw-rw-rw-   1 root     sys       13,  2 Oct 27 12:53 mm@0:null
    crw-rw-rw-   1 root     sys       13, 12 Oct 27 12:53 mm@0:zero

# cd ../../dev
# ls -l
    lrwxrwxrwx   1 root     other         31 Oct 27 16:28 conslog -> ../devices/pseudo/log@0:conslog
    lrwxrwxrwx   1 root     other         27 Oct 27 16:28 log -> ../devices/pseudo/log@0:log
    lrwxrwxrwx   1 root     other         27 Oct 27 16:28 null -> ../devices/pseudo/mm@0:null
    lrwxrwxrwx   1 root     other         27 Oct 27 16:28 zero -> ../devices/psuedo/mm@0:zero

Next create the chrooted user account in the system passwd file.

* NOTE THE "." IN THE HOME DIR PATH AND THE SHELL! *

/etc/passwd
    sftpuser:x:1006:10:Default SFTP user Account:/export/home1/chroot/sftpuser-prod/./:/usr/local/openssh/libexec/sftp-server

Next create the chrooted user account in the chroot passwd, and group
files.

/export/home1/chroot/sftpuser-prod/etc/passwd
    sftpuser:x:1006:10::/:/usr/local/openssh/libexec/sftp-server

/export/home1/chroot/sftpuser-prod/etc/group
    staff::10:

--------------------
Tips on using with the chroot-ssh and chroot-sftp-server patches.
Other users have reported the following to work:
--------------------

Sftplogging needs to use the system syslog. Syslogd needs a "/dev/log"
in order to function. If you're running sftplogging in a chroot
environment, and your sshd_config has "LogSftp yes" then you will need
to do the following:

1. make a /path/to/chroot/dev/log
2. run syslogd -a /path/to/chroot/dev/log

--------------------
Supported Platforms
--------------------

This patch ought to work on any Unix system.

I personally verified this patch on:

    Redhat Linux 7.1
    Redhat Linux 7.2
    Redhat Linux 7.3
    Redhat Linux 8.0
    Redhat Linux Fedora Core 2
    Redhat Linux Enterprise Server 2.1
    Redhat Linux Advanced Server 2.1
    Redhat Linux Advanced Server 3

Other users report that it works on the following systems:

    Solaris 8, gnu 2.5.4
    GNU/Linux, gcc2.96, glibc2.2.4-19, Intel Celeron
    FreeBSD 5.1
    HP-UX
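
--------------------
Added example (not part of the sftplogging or chrootssh distributions):
a shell check for two of the chroot rules given in the build
instructions above, root ownership and nothing writable except incoming.
The function names and the OWNER parameter are assumptions made for this
example; the group rule is not checked.
--------------------

```shell
#!/bin/sh
# Added example, not part of the sftplogging or chrootssh distributions.

# make_sample_chroot DIR: build a small constructed tree with the modes
# shown in the README listing (directories 555, incoming 553).
make_sample_chroot() {
    mkdir -p "$1/etc" "$1/incoming" "$1/usr/local/openssh/libexec"
    : > "$1/etc/passwd"
    : > "$1/usr/local/openssh/libexec/sftp-server"
    chmod 444 "$1/etc/passwd"
    chmod 555 "$1/usr/local/openssh/libexec/sftp-server"
    find "$1" -type d -exec chmod 555 {} \;
    chmod 553 "$1/incoming"
}

# audit_chroot ROOT [OWNER]: print every violation, return 1 if any.
# ROOT is given without a trailing slash. OWNER defaults to root; the
# parameter is an assumption added so a scratch tree can be checked.
audit_chroot() {
    audit_root=$1
    audit_owner=${2:-root}
    audit_out=$(
        # Rule 1: everything is owned by OWNER.
        find "$audit_root" ! -user "$audit_owner" -print | sed 's/^/OWNER /'
        # Rule 2: no file or directory carries a write bit, except the
        # incoming drop directory. Device nodes and symlinks are skipped,
        # as in the README listing (crw-rw-rw- null, lrwxrwxrwx links).
        find "$audit_root" \( -type f -o -type d \) \
            ! -path "$audit_root/incoming" \
            \( -perm -200 -o -perm -020 -o -perm -002 \) -print |
            sed 's/^/WRITABLE /'
    )
    [ -z "$audit_out" ] && return 0
    printf '%s\n' "$audit_out"
    return 1
}
```

On a real installation run it as: audit_chroot /export/home1/chroot/sftpuser-prod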