mwarner1/openssh-udp-logging
5 September 2012
Matt Warner
matt at warnertechnology dot com

Attached are the files I altered or created to enable UDP-based logging in OpenSSH.
USE AT YOUR OWN RISK. NO WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED!

That said, it works for me and I'm not aware of any issues.


WHAT IS IT? WHY DID YOU DO THIS? WHY UDP LOGGING?
I made changes to OpenSSH-6.0p1 to enable logging of events inside a chrooted environment (I'm running Solaris 10). In my particular case it wasn't possible to create a special device file to give access to syslog (via /dev/log).

When chrooting users, sometimes it's not possible to create special device files via mknod (e.g. the filesystem has nodevices set), and it's a lot of setup work if you have any more than just a few accounts. Using UDP logging means you send the messages via UDP to a syslog server. Yes, that means your syslog daemon may have to be configured to allow remote syslog messages. On Solaris 10, this is in /etc/default/syslogd (LOG_FROM_REMOTE=YES).

IMPORTANT! IMPORTANT! IMPORTANT! PLEASE NOTE: I've also changed session.c to change the requirements on directory tree permissions as part of the changes here. In the original session.c file, OpenSSH required that the directory tree be owned by root. I found that impractical and do not personally see how that provides additional security in my particular case. So I've altered session.c to allow the directories to be owned by root, by the chroot user, or to have the same group as the chroot username. I find this particularly useful if your associated SFTP user account is different from the user account (e.g. jsmithsftp and jsmith) but they belong to the same group. If you do not agree with this behavior, you can safely change this in session.c around line 1450.

You have been warned!



HOW DO I USE THE SOURCE CODE?
Option A
If you have OpenSSH-6.0p1, you can use the file diff.txt and (on Solaris anyway) do this:

cd openssh-6.0p1
patch -p1 < /path/to/diff.txt

Option B
You can simply replace the files in openssh-6.0p1 with the ones here.

NOTE: I do NOT recommend attempting to patch any other versions or subversions with either of these methods. If you want to patch a later release, you need to see what else has changed in the files I've modified.


HOW DO I CONFIGURE THE UDP LOGGING WITH CHROOT?
The example below chroots every user to whatever home directory is defined for them. I chose to do this in an environment where SFTP users were different from normal system users, and SFTP was listening on a different port than standard SSH. The syslog server is specified twice: once for non-chrooted users (the udpsyslogserver option) and once for chrooted users (the -s option passed to internal-sftp).

udpsyslogserver your_syslog_servername_or_ip_address
Match user *
        ChrootDirectory /%h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp -f local7 -l VERBOSE -s your_syslog_servername_or_ip_address
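To show what the UDP transport in this setup puts on the wire, here is an added example written for this page (it is not the repository's udplog.c): it formats a BSD syslog line with the PRI value that local7 plus severity "info" encodes, refuses to send a truncated line, and sends the result as one datagram to an IPv4 literal, since a chrooted process may have no resolver. The facility and severity codes, the "sftp-server" tag and the sample message text are assumptions made for the demonstration.

```c
/* Added example: build a BSD syslog (RFC 3164 style) line and send it as a
 * single UDP datagram, the path a chrooted sftp-server must take when
 * /dev/log cannot be created inside the chroot. Not the repository's udplog.c. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define LOG_FAC_LOCAL7 23   /* facility code for local7 (assumed numbering per RFC 3164) */
#define LOG_SEV_INFO    6   /* severity code for "info" */

/* Format "<PRI>tag[pid]: message" into buf, where PRI = facility * 8 + severity.
 * Returns the number of bytes written (excluding the NUL), or -1 on bad input
 * or when the line would not fit (a cut-off log line is worse than an error). */
int build_syslog_line(char *buf, size_t buflen, int facility, int severity,
                      const char *tag, int pid, const char *msg)
{
    if (facility < 0 || facility > 23 || severity < 0 || severity > 7)
        return -1;
    int n = snprintf(buf, buflen, "<%d>%s[%d]: %s",
                     facility * 8 + severity, tag, pid, msg);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Send one datagram to host:port. host must be a dotted-quad IPv4 address:
 * no name resolution, because /etc/resolv.conf may not exist in the chroot.
 * Returns 0 when the whole line was handed to the kernel, -1 otherwise. */
int udp_syslog_send(const char *host, int port, const char *line, size_t len)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((unsigned short)port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1)
        return -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    ssize_t sent = sendto(fd, line, len, 0, (struct sockaddr *)&sa, sizeof sa);
    close(fd);
    return sent == (ssize_t)len ? 0 : -1;
}
```

With facility 23 and severity 6 the line starts with `<190>`, which is what a receiving syslogd uses to route the message to the local7 facility.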



IT DOESN'T COMPILE
If you're using another flavor of Unix, you'll need to add in any missing header files. Mac OS X, for example, requires several additional ones.



WHAT'S IN HERE?
Makefile - this is generated by the configure script. I only include it so anyone interested can see where I had to add in udplog.o.
README.txt - This file.
diff.txt - A unified patch created by the patch utility on Solaris
udplog.c - code lifted from the Internet to send UDP messages to a syslog server. Not tested with anything but Solaris' syslog server.
udplog.h - header file for udplog.c

Modified from OpenSSH-6.0p1:

log.c 
log.h
servconf.c
servconf.h
session.c
sftp-server.c
sshd.c
