
Modifications to sshd and sftp-server: new functionality


news.verizon.net

Feb 2, 2003, 7:54:41 AM
Guys -

I'm a sysadmin for USDA in D.C. I run a web development server which offers
secure ftp for our web content developers. I am using sftp-server with
openssh. I noticed a lack of functionality in a couple of areas. First, I
wanted to be able to log ftp transactions on a per-user basis (file removal,
modification, creation). Second, I wanted to have control over the umask and
file ownership and permissions. The permission modes are defined by the
sftp-client, unless the client does not specify it, in which case the
permissions are hard-coded into the server. In our particular case this was
not sufficient because we want control on the server-side and we don't want
clients able to change file ownership or permissions.

I modified openssh. There are six new directives
that you can use in sshd_config:

SftpLog
SftpLogFacility
SftpLogLevel
SftpUmask
SftpPermitChmod
SftpPermitChown

A sample of the system log appears as follows:

Feb 1 19:48:21 sftp-server[19327]: Starting sftp-server logging for user michael.
Feb 1 19:48:21 sftp-server[19327]: umask control is on.
Feb 1 19:48:21 sftp-server[19327]: client is not permitted to chmod.
Feb 1 19:48:21 sftp-server[19327]: client is not permitted to chown.
Feb 1 19:48:21 sftp-server[19327]: realpath .
Feb 1 19:48:27 sftp-server[19327]: opendir /home/michael
Feb 1 19:48:31 sftp-server[19327]: realpath /home/michael/suwrap
Feb 1 19:48:34 sftp-server[19327]: sftp-server finished.

I communicated these changes and sent my code mods to Markus Friedl. He
disagrees with the way I implemented this: I should have made all mods to
just sftp-server subsystem and created a new config file ("sftp_config"), in
order to keep the subsystem separate from sshd.

That sounds reasonable. When I get some time I'll make the changes, unless
someone else wants to do it. In the meantime, this patch is available from
myself for anyone who wants to use it. If you need to log ftp transactions
or have control over umask and file modes, then feel free to contact me.
There's no platform-specific stuff in these modifications, so if you can
compile openssh-3.5p1 on your system, then you'll have no problem compiling
this patch.

Contact me at:

michael.m...@verizon.net
or
mmar...@reeusda.gov

Disclaimer: I took it upon myself to make these modifications, in order to
make my job easier. I'm using it on my servers at work and am happy with it.
But this patch is not endorsed by the contractor I work for, by USDA, or by
the openssh developers. I'm providing it on an "as-is" basis with no
warranty, guarantee, etc. Use at your own discretion. If your system crashes
or you get hacked because I have failed to provide adequate security, it's
your problem.

--
Michael
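The per-user logging described above only pays off if someone actually reads the log. As an added example that is not part of the original post or of Michael's patch, here is a small parser that groups the syslog lines in the format shown above into sessions by PID, attributes every operation to the user named in the "Starting sftp-server logging for user ..." line, records whether umask control and the chmod/chown refusals were reported for that session, and produces a per-user count of operations. The log lines are constructed: the first session reproduces the sample from the post, the other two sessions are made up, and the verbs "open", "remove" and "rename" in them are assumed names (the post does not list the exact verbs the patch emits). It also assumes that when SftpPermitChmod or SftpPermitChown allow the operation, the corresponding "client is not permitted to ..." line is simply absent.

```python
"""Per-user audit of sftp-server log lines in the format shown in the post.

Added example, not code from the post or the patch.
"""
import re
from collections import defaultdict

# Constructed sample log. Session 19327 is the one shown in the post; the
# other two are made up. The verbs "open", "remove" and "rename" are assumed.
# Session 19510 never logs "sftp-server finished." (crashed or still running).
SAMPLE_LOG = """\
Feb 1 19:48:21 sftp-server[19327]: Starting sftp-server logging for user michael.
Feb 1 19:48:21 sftp-server[19327]: umask control is on.
Feb 1 19:48:21 sftp-server[19327]: client is not permitted to chmod.
Feb 1 19:48:21 sftp-server[19327]: client is not permitted to chown.
Feb 1 19:48:21 sftp-server[19327]: realpath .
Feb 1 19:48:27 sftp-server[19327]: opendir /home/michael
Feb 1 19:48:31 sftp-server[19327]: realpath /home/michael/suwrap
Feb 1 19:48:34 sftp-server[19327]: sftp-server finished.
Feb 1 20:02:10 sftp-server[19402]: Starting sftp-server logging for user carlo.
Feb 1 20:02:10 sftp-server[19402]: umask control is on.
Feb 1 20:02:10 sftp-server[19402]: client is not permitted to chmod.
Feb 1 20:02:10 sftp-server[19402]: client is not permitted to chown.
Feb 1 20:02:15 sftp-server[19402]: open /var/www/htdocs/index.html
Feb 1 20:02:16 sftp-server[19402]: remove /var/www/htdocs/old.html
Feb 1 20:02:40 sftp-server[19402]: sftp-server finished.
Feb 1 20:15:03 sftp-server[19510]: Starting sftp-server logging for user michael.
Feb 1 20:15:03 sftp-server[19510]: umask control is on.
Feb 1 20:15:09 sftp-server[19510]: rename /var/www/htdocs/a.html
"""

# syslog timestamp, then "sftp-server[PID]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
START_RE = re.compile(r"^Starting sftp-server logging for user (?P<user>\S+)\.$")

# Status lines shown in the post and the session field each one sets.
STATUS_LINES = {
    "umask control is on.": ("umask_control", True),
    "client is not permitted to chmod.": ("chmod_permitted", False),
    "client is not permitted to chown.": ("chown_permitted", False),
}
END_LINE = "sftp-server finished."


def parse_sftp_log(text):
    """Group lines into sessions keyed by PID and attribute each operation
    to the user of that session.

    Returns finished sessions first, in finish order, followed by sessions
    that never logged the end line.
    """
    open_sessions = {}
    finished = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an sftp-server line
        ts, pid, msg = m["ts"], int(m["pid"]), m["msg"]
        start = START_RE.match(msg)
        if start:
            # A new start line for a live PID means PID reuse; replace it.
            open_sessions[pid] = {
                "user": start["user"], "pid": pid, "start": ts, "end": None,
                "umask_control": False, "chmod_permitted": True,
                "chown_permitted": True, "ops": [],
            }
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # no start line seen (log rotation); cannot attribute
        if msg in STATUS_LINES:
            key, value = STATUS_LINES[msg]
            sess[key] = value
        elif msg == END_LINE:
            sess["end"] = ts
            finished.append(open_sessions.pop(pid))
        else:
            # Everything else is "<verb> <path>", e.g. "opendir /home/michael".
            verb, _, path = msg.partition(" ")
            sess["ops"].append((ts, verb, path))
    return finished + list(open_sessions.values())


def per_user_summary(sessions):
    """Per user: session count, operations per verb, and the number of
    sessions in which the server did not report all three restrictions."""
    summary = defaultdict(
        lambda: {"sessions": 0, "ops": defaultdict(int), "unrestricted": 0})
    for s in sessions:
        u = summary[s["user"]]
        u["sessions"] += 1
        for _, verb, _ in s["ops"]:
            u["ops"][verb] += 1
        if not s["umask_control"] or s["chmod_permitted"] or s["chown_permitted"]:
            u["unrestricted"] += 1
    return summary


if __name__ == "__main__":
    for user, info in sorted(per_user_summary(parse_sftp_log(SAMPLE_LOG)).items()):
        print(user, info["sessions"], dict(info["ops"]), "unrestricted:", info["unrestricted"])
```

Running it as a script prints one line per user. Because a log file covers many sessions, correlating on the PID rather than on the order of lines is what keeps interleaved sessions from being attributed to the wrong user; the "unrestricted" count is the thing to alert on, since it shows a session that ran without the server-side umask or with chmod/chown left to the client.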


Carlo Wise

Feb 2, 2003, 9:40:56 AM

Michael,

I like the idea of what you did. I agree with you that the capability
to monitor activity and control it on sftp is a nice feature. I am in
the process of setting up SSH and sftp on my server at home so I may
just use it since I am setting up access to it for fellow employees
also. Thanks!

Carlo Wise

Nico Kadel-Garcia

Feb 2, 2003, 9:43:36 AM

"Carlo Wise" <cw...@hotmail.com> wrote in message
news:3E3D2E0B...@hotmail.com...
> news.verizon.net wrote:

> > I modified openssh. There's six new directives
> > that you can use in sshd_config:
> >
> > SftpLog
> > SftpLogFacility
> > SftpLogLevel
> > SftpUmask
> > SftpPermitChmod
> > SftpPermitChown

I *like* it. Can you publish a direct link to the patch? And please tell me
that you're publishing MD5's and PGP signatures for it?

