http://sftplogging.sourceforge.net


NOTICE: 1/31/2007. This patch has been replaced by the sftpfilecontrol patch (http://sftpfilecontrol.sourceforge.net) for openssh versions 4.4p1 and up. If you're using an older version of openssh, please continue to use the sftplogging patch.

Openssh versions 4.4p1 and up provide sftp logging, so logging has been taken out of the patch. Server-side control over the umask, chown, and chmod functions is still in! Many users, especially those in website development environments, have found this control to be highly valuable. Stock openssh does not provide these features.

This patch is distributed with Hewlett Packard's HP-UX operating system and with Mandriva Linux. It used to be provided with Gentoo, but they have removed it now that openssh provides logging itself.

You may apply this patch directly to the openssh source code on most other Unix based OS'es, such as Linux and Solaris.

Dec. 26, 2006: contact information changes. My email address is: sftpfilecontrol@gmail.com.

Nov 7, 2006: openssh-4.4p1.sftplogging-v1.5.patch is HERE!!! Please download it from the download section.

Nov 6, 2006: Still working on it. Sorry it's taking so long, but openssh changed their code (in fact they added logging, but they did not add any control of chown, chmod or umask), and also "patch" seems to have gotten much pickier under Fedora Core 5 ...

Nov 2, 2006: Coming Soon: patch for openssh-4.4p1. I'm working on it and expect to have it ready in a couple of days. Thanks for your patience.

Apr 27, 2006: released patch version 1.5 for all openssh-4.xp.
This version adds a byte count to files transferred so you can calculate the total number of bytes transferred. The log now looks like this:

	Apr 27 17:00:35 host sftp-server[2888]: client is not permitted to chown.
	Apr 27 17:00:35 host sftp-server[2888]: realpath .
	Apr 27 17:00:39 host sftp-server[2888]: opendir /u/mikem/
	Apr 27 17:00:45 host sftp-server[2888]: realpath /u/mikem/temp
	Apr 27 17:00:53 host sftp-server[2888]: setting file creation mode to 0666 and umask to 22
	Apr 27 17:00:53 host sftp-server[2888]: open /u/mikem/temp/somefile.file
	Apr 27 17:00:53 host sftp-server[2888]: writing 32768 bytes to file
	Apr 27 17:01:00 host last message repeated 873 times
	Apr 27 17:01:00 host sftp-server[2888]: writing 9882 bytes to file
	Apr 27 17:01:07 host sftp-server[2888]: sftp-server finished.
In order to calculate the number of bytes transferred in a file, match the process id (2888) and simply add the bytes. In this example, a total of 28649114 bytes were transferred for this file (32768 + (32768 * 873) + 9882). Let me know if this works for you.

Apr 26, 2006: released openssh-4.3p2.sftplogging-v1.4.patch

Mar 1, 2006: released openssh-4.3p1.sftplogging-v1.4.patch

Oct 4, 2005: openssh-4.2p1.sftplogging-v1.4.patch released for the latest version of openssh.

July 15, 2005: openssh-4.1p1.sftplogging-v1.4.patch released for the latest version of openssh.

June 23, 2005: openssh-4.0p1.sftplogging-v1.4.patch released, which handles null values in environment variables. Use this version if you're compiling on Solaris. You may also use it on any other system if you wish, although it is not necessary.

May 13, 2005: Hewlett Packard has added this patch to their HP-UX Secure Shell software. See: http://www.docs.hp.com/en/T1471-90014/T1471-90014.pdf and http://docs.hp.com/en/T1471-90014/ch01s02.html Also Gentoo Linux has added it to their distribution.

April 6, 2005: sftplogging-v1.3 available for openssh-4.0p1.

April 6, 2005: sftplogging-v1.3 released. Fixes a missing check that getenv() returns non-NULL before the result is passed to atoi(). I recommend using patch version v1.3 instead of previous releases.

January 14, 2005: Contact information has changed for patch maintainer. You may reach me at sftpfilecontrol@gmail.com.

October 21, 2004: sftplogging-v1.2 available for openssh-3.9p1.

September 9, 2004: No longer employed at the U.S. Department of Agriculture. Now working as Engineering Manager at New Mexico Tech: http://www.nmt.edu.

June 22, 2004: sftplogging-v1.2 available for openssh-3.8p1 and openssh-3.8.1p1.

This patch adds the following functionality to openssh:

This patch works with any sftp client that connects to an openssh server. This includes:

... and many more.

Intended Audience

Who Uses this Patch

Example Use of the Sftplogging Patch
I use the patch in a production environment consisting of web development and public web servers at the United States Department of Agriculture. The patch allows me to maintain a user based audit trail satisfying compliance with Department mandates for accountability and security.

Logging FTP Sessions
Logging occurs through syslog. You may specify your choice of facility and log level. You may choose to append the logs to your own custom log file or to the system default file. Each sftp session is logged. The log begins by identifying the user and stating the allowable actions, such as whether the client may change the session umask and whether it may issue chown and chgrp commands. File uploads, downloads, directory changes, file deletions, and file permission changes are logged. The end of the session is marked by "sftp-server finished."

Designating a umask
You may optionally designate a umask that overrides any server, client, or environment umask. This is useful where you want to enforce a strict file creation mode and prohibit users from changing the permissions of existing files. An example is a web development server that contains a common folder where many users upload and modify content.

Allowing and disallowing chown and chgrp
This feature is useful in cases where you want to prohibit sftp clients from changing the ownership of public area files, such as in the web server example in the previous paragraph.

Example Output

	Oct 10 11:57:20 vision sftp-server[23768]: Starting sftp-server logging for user kjohnson.
	Oct 10 11:57:20 vision sftp-server[23768]: umask control is on.
	Oct 10 11:57:20 vision sftp-server[23768]: client is not permitted to chmod.
	Oct 10 11:57:20 vision sftp-server[23768]: client is not permitted to chown.
	Oct 10 11:57:20 vision sftp-server[23768]: realpath .
	Oct 10 11:57:20 vision sftp-server[23768]: realpath /home/kjohnson/www/
	Oct 10 11:57:20 vision sftp-server[23768]: opendir /home/reeusda/www
	Oct 10 11:58:25 vision sftp-server[23768]: realpath /home/reeusda/www/1700
	Oct 10 11:58:25 vision sftp-server[23768]: opendir /home/reeusda/www/1700
	Oct 10 11:58:29 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew
	Oct 10 11:58:29 vision sftp-server[23768]: opendir /home/reeusda/www/1700/whatnew
	Oct 10 11:58:32 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew/03
	Oct 10 11:58:32 vision sftp-server[23768]: opendir /home/reeusda/www/1700/whatnew/03
	Oct 10 11:58:38 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew/03
	Oct 10 11:58:38 vision sftp-server[23768]: setting file creation mode to 0666 and umask to 2
	Oct 10 11:58:38 vision sftp-server[23768]: open /home/reeusda/www/1700/whatnew/03/administrative_officers_mt.htm
	Oct 10 11:58:38 vision sftp-server[23768]: reading file
	Oct 10 11:58:38 vision sftp-server[23768]: reading file
	Oct 10 11:59:01 vision sftp-server[23768]: realpath /home/reeusda/www/1700
	Oct 10 11:59:02 vision sftp-server[23768]: setting file creation mode to 0666 and umask to 2
	Oct 10 11:59:02 vision sftp-server[23768]: open /home/reeusda/www/1700/newcsrees.htm
	Oct 10 11:59:02 vision sftp-server[23768]: reading file
	Oct 10 11:59:02 vision last message repeated 2 times
	Oct 10 11:59:23 vision sftp-server[23768]: sftp-server finished.
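As an added example (not part of the sftplogging patch or of openssh), the following Python script reconstructs per-session audit records from log output in the format shown above and in the Apr 27, 2006 news entry. It groups lines by sftp-server process id, replays syslogd's "last message repeated N times" line so byte counts come out right (28649114 bytes for somefile.file), records which of chmod and chown the client was denied, and derives the effective mode of each created file from the logged creation mode and umask, which it assumes are printed in octal. The sample log embedded in the script is constructed from the two excerpts on this page.

```python
"""Reconstruct per-session audit records from sftplogging syslog output.

Added example, not code from the sftplogging patch or openssh.  Assumes the
line shapes shown on this page and that creation mode and umask are octal.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)"
    r"|last message repeated (?P<n>\d+) times)$"
)
USER_RE = re.compile(r"^Starting sftp-server logging for user (\S+)\.$")
MODE_RE = re.compile(r"^setting file creation mode to (\d+) and umask to (\d+)$")
WRITE_RE = re.compile(r"^writing (\d+) bytes to file$")

# Constructed sample: the two session excerpts shown on this page, trimmed.
SAMPLE_LOG = """\
Apr 27 17:00:35 host sftp-server[2888]: client is not permitted to chown.
Apr 27 17:00:45 host sftp-server[2888]: realpath /u/mikem/temp
Apr 27 17:00:53 host sftp-server[2888]: setting file creation mode to 0666 and umask to 22
Apr 27 17:00:53 host sftp-server[2888]: open /u/mikem/temp/somefile.file
Apr 27 17:00:53 host sftp-server[2888]: writing 32768 bytes to file
Apr 27 17:01:00 host last message repeated 873 times
Apr 27 17:01:00 host sftp-server[2888]: writing 9882 bytes to file
Apr 27 17:01:07 host sftp-server[2888]: sftp-server finished.
Oct 10 11:57:20 vision sftp-server[23768]: Starting sftp-server logging for user kjohnson.
Oct 10 11:57:20 vision sftp-server[23768]: umask control is on.
Oct 10 11:57:20 vision sftp-server[23768]: client is not permitted to chmod.
Oct 10 11:57:20 vision sftp-server[23768]: client is not permitted to chown.
Oct 10 11:58:38 vision sftp-server[23768]: setting file creation mode to 0666 and umask to 2
Oct 10 11:58:38 vision sftp-server[23768]: open /home/reeusda/www/1700/whatnew/03/administrative_officers_mt.htm
Oct 10 11:58:38 vision sftp-server[23768]: reading file
Oct 10 11:58:38 vision sftp-server[23768]: reading file
Oct 10 11:59:02 vision sftp-server[23768]: setting file creation mode to 0666 and umask to 2
Oct 10 11:59:02 vision sftp-server[23768]: open /home/reeusda/www/1700/newcsrees.htm
Oct 10 11:59:02 vision sftp-server[23768]: reading file
Oct 10 11:59:02 vision last message repeated 2 times
Oct 10 11:59:23 vision sftp-server[23768]: sftp-server finished.
"""


def new_session(pid, host):
    """One sftp-server process; chmod/chown default to permitted."""
    return {"pid": pid, "host": host, "user": None, "umask_control": False,
            "chmod_permitted": True, "chown_permitted": True, "finished": False,
            "pending_mode": None, "current_file": None, "files": {}, "other": []}


def apply_message(sess, msg):
    """Fold one sftp-server message into its session record."""
    m = USER_RE.match(msg)
    if m:
        sess["user"] = m.group(1)
        return
    m = MODE_RE.match(msg)
    if m:  # effective mode of the next created file is mode & ~umask
        sess["pending_mode"] = int(m.group(1), 8) & ~int(m.group(2), 8)
        return
    m = WRITE_RE.match(msg)
    rec = sess["files"].get(sess["current_file"])
    if m and rec is not None:
        rec["written"] += int(m.group(1))
    elif msg == "reading file" and rec is not None:
        rec["reads"] += 1
    elif msg == "umask control is on.":
        sess["umask_control"] = True
    elif msg == "client is not permitted to chmod.":
        sess["chmod_permitted"] = False
    elif msg == "client is not permitted to chown.":
        sess["chown_permitted"] = False
    elif msg.startswith("open "):
        path = msg[len("open "):]
        sess["current_file"] = path
        rec = sess["files"].setdefault(path, {"written": 0, "reads": 0, "mode": None})
        if sess["pending_mode"] is not None:
            rec["mode"], sess["pending_mode"] = sess["pending_mode"], None
    elif msg == "sftp-server finished.":
        sess["finished"] = True
    else:
        sess["other"].append(msg)  # realpath, opendir, remove, ...


def parse_log(text):
    """Return {pid: session}.  syslogd's 'last message repeated N times' is
    replayed against whichever process on that host logged the previous line."""
    sessions, last_by_host = {}, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an sftp-server line
        host = m.group("host")
        if m.group("n") is not None:
            pid, msg = last_by_host.get(host, (None, None))
            for _ in range(int(m.group("n")) if pid is not None else 0):
                apply_message(sessions[pid], msg)
            continue
        pid, msg = m.group("pid"), m.group("msg")
        apply_message(sessions.setdefault(pid, new_session(pid, host)), msg)
        last_by_host[host] = (pid, msg)
    return sessions
```

Calling parse_log(SAMPLE_LOG) yields one record per process id; the 2888 record shows 28649114 bytes written to somefile.file with an effective mode of 0644, and the 23768 record shows user kjohnson denied both chmod and chown. Sessions that never reach "sftp-server finished.", or a record for a shared web root in which chown was permitted, are the kind of thing to alert on from this output.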

For details, read About the Patch.

If you need help, you may email me at sftpfilecontrol@gmail.com.

This patch is released under the BSD License. The license is available in my download area.

http://sourceforge.net is hosting this site