http://sftplogging.sourceforge.net |
|
Main | News | Documentation | Contact Me | About the Author | Download | Links |
NOTICE: 1/31/2007. This patch has been replaced by the sftpfilecontrol patch (http://sftpfilecontrol.sourceforge.net) for openssh versions 4.4p1 and up. If you're using an older version of openssh, please continue to use the sftplogging patch.
Openssh versions 4.4p1 and up provide sftp logging, so this has been taken out of the patch. Server -side control over umask, chown, and chmod functions are still in! Many users, especially those in website development environments, have found this control to be highly valuable. Stock openssh does not provide these features.
This patch is distributed with Hewlett Packard's HP-UX operating system, Mandriva Linux. It used to be provided with Gentoo but they've removed it now that openssh provides logging.
You may apply this patch directly to the openssh source code on most other Unix based OS'es, such as Linux and Solaris.
Dec. 26, 2006: contact information changes. My email address is: sftpfilecontrol@gmail.com.
Nov 7, 2006: openssh-4.4p1.sftplogging-v1.5.patch is HERE!!! Please download it from the download section.
Nov 6, 2006: Still working on it. Sorry it's taking so long, but openssh changed their code (in fact they added logging, but they did not add any control of chown, chmod or umask), and also "patch" seems to have gotten much pickier under Fedora Core 5 ...
Nov 2, 2006: Coming Soon: patch for openssh-4.4p1. I'm working on it and expect to have it ready in a couple of days. Thanks for your patience.
Apr 27, 2006: released patch version 1.5 for all openssh-4.xp.
This version adds a byte count to files transferred so you can caculate the total number of bytes transfered. The log now looks like this:
Apr 27 17:00:35 host sftp-server[2888]: client is not permitted to chown. Apr 27 17:00:35 host sftp-server[2888]: realpath . Apr 27 17:00:39 host sftp-server[2888]: opendir /u/mikem/ Apr 27 17:00:45 host sftp-server[2888]: realpath /u/mikem/temp Apr 27 17:00:53 host sftp-server[2888]: setting file creation mode to 0666 and umask to 22 Apr 27 17:00:53 host sftp-server[2888]: open /u/mikem/temp/somefile.file Apr 27 17:00:53 host sftp-server[2888]: writing 32768 bytes to file Apr 27 17:01:00 host last message repeated 873 times Apr 27 17:01:00 host sftp-server[2888]: writing 9882 bytes to file Apr 27 17:01:07 host sftp-server[2888]: sftp-server finished.In order to calculate the number of bytes transferred in a file, match the process id (2888) and simply add the bytes. In this example, a total of 28649114 bytes were transferred for this file (32768 + (32768 * 873) + 9882). Let me know if this works for you.
Apr 26, 2006: released openssh-4.3p2.sftplogging-v1.4.patch
Mar 1, 2006: released openssh-4.3p1.sftplogging-v1.4.patch
Oct 4, 2005: openssh-4.2p1.sftplogging-v1.4.patch released for the latest version of openssh.
July 15, 2005: openssh-4.1p1.sftplogging-v1.4.patch released for the latest version of openssh.
June 23, 2005: openssh-4.0p1.sftplogging-v1.4.patch released which handles null values in environment variables. use this version if you're compiling on solaris. You may also use it on any other system, if you wish, although not necessary.
May 13, 2005: Hewlett Packard has added this patch to their HP-UX Secure Shell software. See: http://www.docs.hp.com/en/T1471-90014/T1471-90014.pdf and http://docs.hp.com/en/T1471-90014/ch01s02.html Also Gentoo Linux has added it to their distribution.
April 6, 2005: sftplogging-v1.3 available for openssh-4.0p1.
April 6, 2005: sftplogging-v1.3 released. Fixes lack of verifying atoi(getenv()) non-NULL. I recommend using patch version v1.3 instead of previous releases.
January 14, 2005: Contact information has changed for patch maintainer. You may reach me at sftpfilecontrol@gmail.com.
October 21, 2004: sftplogging-v1.2 available for openssh-3.9p1.
September 9, 2004: No longer employed at the U.S. Department of Agriculture. Now working as Engineering Manager at New Mexico Tech: http://www.nmt.edu.
June 22, 2004: sftplogging-v1.2 available for openssh-3.8p1 and openssh-3.8.1p1.
This patch adds the following functionality to openssh:
This patch works with any ftp client that connects to an openssh server. This includes:
Intended Audience
Who Uses this Patch
Example Use of the Sftplogging Patch
I use the patch in a production environment consisting of web development and public
web servers at the United States Department of Agriculture. The patch allows me to
maintain a user based audit trail satisfying compliance with Department mandates for
accountability and security.
Logging FTP Sessions
Logging occurs through syslog. You may specify your choice of facility and loglevel.
You may choose to append the logs to your own custom log file or to the system default
file. Each ftp session is logged. The log begins by identifying the user and specifying
allowable actions such as being able to change the session umask and being able to issue
chown and chgrp commands. File uploads, downloads, directory changes, file deletion, and file
permissions are logged. The end of the session is marked by "sftp-server finished."
Designating a umask
You may optionally designate a umask that overrides any server, client, or environment
umasks. This is useful in cases where you want to enforce a strict file creation mode and
you want to prohibit users from being able to change file permissions on existing files. An
example is a web development server that contains a common folder where many users upload
and modify content.
Allowing and disallowing chown and chgrp
This feature is useful is cases where you want to prohibit ftp clients from changing
ownership of public area files, such as in the web server example in the previous paragraph.
Example Output
Oct 10 11:57:20 vision sftp-server[23768]: Starting sftp-server logging for user kjohnson. Oct 10 11:57:20 vision sftp-server[23768]: umask control is on. Oct 10 11:57:20 vision sftp-server[23768]: client is not permitted to chmod. Oct 10 11:57:20 vision sftp-server[23768]: client is not permitted to chown. Oct 10 11:57:20 vision sftp-server[23768]: realpath . Oct 10 11:57:20 vision sftp-server[23768]: realpath /home/kjohnson/www/ Oct 10 11:57:20 vision sftp-server[23768]: opendir /home/reeusda/www Oct 10 11:58:25 vision sftp-server[23768]: realpath /home/reeusda/www/1700 Oct 10 11:58:25 vision sftp-server[23768]: opendir /home/reeusda/www/1700 Oct 10 11:58:29 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew Oct 10 11:58:29 vision sftp-server[23768]: opendir /home/reeusda/www/1700/whatnew Oct 10 11:58:32 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew/03 Oct 10 11:58:32 vision sftp-server[23768]: opendir /home/reeusda/www/1700/whatnew/03 Oct 10 11:58:38 vision sftp-server[23768]: realpath /home/reeusda/www/1700/whatnew/03 Oct 10 11:58:38 vision sftp-server[23768]: setting file creation mode to 0666 and umask to 2 Oct 10 11:58:38 vision sftp-server[23768]: open /home/reeusda/www/1700/whatnew/03/administrative_officers_mt.htm Oct 10 11:58:38 vision sftp-server[23768]: reading file Oct 10 11:58:38 vision sftp-server[23768]: reading file Oct 10 11:59:01 vision sftp-server[23768]: realpath /home/reeusda/www/1700 Oct 10 11:59:02 vision sftp-server[23768]: setting file creation mode to 0666 and umask to 2 Oct 10 11:59:02 vision sftp-server[23768]: open /home/reeusda/www/1700/newcsrees.htm Oct 10 11:59:02 vision sftp-server[23768]: reading file Oct 10 11:59:02 vision last message repeated 2 times Oct 10 11:59:23 vision sftp-server[23768]: sftp-server finished.
For details, read About the Patch.
If you need help, you may email me here:
This patch is released under the BSD License. The license is available in my download area.
http://sourceforge.net is hosting this site |