Support an SSH error log

epriestley · epriestley · commit 10162ad43bc4 · 2021-02-26T14:54:54.000-08:00
Summary: Ref T13624. Depends on D21578. In "sshd" subprocess contexts, use "PhutilErrorLog" to direct errors to both stderr and, if configured, a logfile on disk. Test Plan: - Confiugured an error log. - Forced `ssh-auth` to fatal. - Saw errors on stderr and in log. Maniphest Tasks: T13624 Differential Revision: https://secure.phabricator.com/D21579
diff --git a/scripts/ssh/ssh-auth.php b/scripts/ssh/ssh-auth.php
@@ -4,6 +4,11 @@
 $root = dirname(dirname(dirname(__FILE__)));
 require_once $root.'/scripts/init/init-script.php';
 
+$error_log = id(new PhutilErrorLog())
+  ->setLogName(pht('SSH Error Log'))
+  ->setLogPath(PhabricatorEnv::getEnvConfig('log.ssh-error.path'))
+  ->activateLog();
+
 // TODO: For now, this is using "parseParital()", not "parse()". This allows
 // the script to accept (and ignore) additional arguments. This preserves
 // backward compatibility until installs have time to migrate to the new
diff --git a/scripts/ssh/ssh-exec.php b/scripts/ssh/ssh-exec.php
@@ -4,7 +4,12 @@
 $ssh_start_time = microtime(true);
 
 $root = dirname(dirname(dirname(__FILE__)));
-require_once $root.'/scripts/__init_script__.php';
+require_once $root.'/scripts/init/init-script.php';
+
+$error_log = id(new PhutilErrorLog())
+  ->setLogName(pht('SSH Error Log'))
+  ->setLogPath(PhabricatorEnv::getEnvConfig('log.ssh-error.path'))
+  ->activateLog();
 
 $ssh_log = PhabricatorSSHLog::getLog();
 
diff --git a/src/applications/config/option/PhabricatorAccessLogConfigOptions.php b/src/applications/config/option/PhabricatorAccessLogConfigOptions.php
@@ -116,6 +116,20 @@ public function getOptions() {
         ->setLocked(true)
         ->setSummary(pht('SSH log format.'))
         ->setDescription($ssh_desc),
+      $this->newOption('log.ssh-error.path', 'string', null)
+        ->setLocked(true)
+        ->setSummary(pht('SSH error log location.'))
+        ->setDescription(
+          pht(
+            'To enable the Phabricator SSH error log, specify a path. Errors '.
+            'occurring in contexts where Phabricator is serving SSH requests '.
+            'will be written to this log.'.
+            "\n\n".
+            'If not set, no log will be written.'))
+        ->addExample(null, pht('Disable SSH error log.'))
+        ->addExample(
+          '/var/log/phabricator/ssh-error.log',
+          pht('Write SSH error log here.')),
     );
   }
 
