Logging with ForceCommand and SCP


Oliver Graute

Mar 8, 2017, 5:55:41 AM3/8/17
to openssh-...@mindrot.org
Hello List,

I'm using ForceCommand in my sshd configuration to log all the user
actions on my device.

ForceCommand /usr/bin/log-session.sh

The Log Session Script itself is working fine for logging.

But now I also want to use SCP to copy files, and this won't work together
with the ForceCommand above.

The copied file is created, but it's zero bytes on the target.

scp file.tar.gz ssh-...@192.168.1.229:/home/ssh-user/
Enter passphrase for key '/home/user/.ssh/id_ecdsa':
C0664 28508 file.tar.gz

-rw-r--r-- 1 ssh-user ssh-user 0 Mar 8 10:52 file.tar.gz

Any ideas what the reason for this behavior is?

Best regards,

Oliver


#!/bin/sh
#
# log-session
# John Simpson <jm...@jms1.net> 2008-08-06
#
###############################################################################
#
# Copyright (C) 2008 John Simpson.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License, version 3, as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
###############################################################################
#
# configuration

# copy this value from the "Subsystem sftp" line in your sshd_config file
SFTP_SERVER=/usr/lib/openssh/sftp-server

###############################################################################
###############################################################################
###############################################################################

value=$(cat /data/etc/ssh/umask.cfg)
umask "$value"

NOW=$(date +%Y-%m-%d.%H%M%S)
# $SSH_CLIENT is "address port port"; keep only the client address
IP=$(echo "$SSH_CLIENT" | sed 's/ .*//')
LOGFILE=/data/var/sshlog/sshlog.$NOW.$IP

# if you want to log the initial contents of the environment received from
# sshd, un-comment these lines.
#
# env | sort >> "$LOGFILE"
# echo "========================================" >> "$LOGFILE"

# the "internal-sftp" service is new as of openssh 5.0. it works like
# the sftp server logic is built into sshd, and as such it's capable of
# chroot'ing users into their home directories.
# there's no way to "redirect" execution back into it, so the best we
# can do is exec the old sftp-server instead, which will give the user a
# working sftp session, but won't chroot them into their home directory.

if [ "${SSH_ORIGINAL_COMMAND:-}" = "internal-sftp" ]
then
    echo "substituting $SFTP_SERVER for internal SFTP service" >> "$LOGFILE"
    echo "========================================" >> "$LOGFILE"
    exec "$SFTP_SERVER"

# if they're requesting the sftp server, this is an sftp command.
# logging the traffic wouldn't make much sense, it's a binary protocol...
# although if you really want to log the raw data, comment out this block
# and let execution fall through to the next block.

elif [ "${SSH_ORIGINAL_COMMAND:-}" = "$SFTP_SERVER" ]
then
    echo "starting SFTP service" >> "$LOGFILE"
    echo "========================================" >> "$LOGFILE"
    exec "$SFTP_SERVER"

# if the user asked for a specific command, run that command
# but log the traffic going into and out of it.

elif [ -n "${SSH_ORIGINAL_COMMAND:-}" ]
then
    echo "executing $SSH_ORIGINAL_COMMAND" >> "$LOGFILE"
    echo "========================================" >> "$LOGFILE"
    # script(1) runs the command inside a pty and appends the traffic to the log
    exec script -a -f -q -c "$SSH_ORIGINAL_COMMAND" "$LOGFILE"

# no command was requested, user wants an interactive shell.
# of course, log the traffic going in and out of it.

else
    echo "starting interactive shell session" >> "$LOGFILE"
    echo "========================================" >> "$LOGFILE"
    exec script -a -f -q "$LOGFILE"
fi

# if we get to this point, an "exec" failed somewhere.

echo "exec failed, rv=$?"
exit 1
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Oliver Graute

Mar 15, 2017, 6:40:04 AM3/15/17
to openssh-...@mindrot.org, jm...@jms1.net
On Wed, Mar 8, 2017 at 11:01 AM, Oliver Graute <oliver...@gmail.com> wrote:
> Hello List,
>
> I'm using ForceCommand in my sshd configuration to log all the user
> actions on my device.
>
> ForceCommand /usr/bin/log-session.sh
>
> The Log Session Script itself is working fine for logging.
>
> But now I also want to use SCP to copy files, and this won't work together
> with the ForceCommand above.
>
> The copied file is created, but it's zero bytes on the target.
>
> scp file.tar.gz ssh-...@192.168.1.229:/home/ssh-user/
> Enter passphrase for key '/home/user/.ssh/id_ecdsa':
> C0664 28508 file.tar.gz
>
> -rw-r--r-- 1 ssh-user ssh-user 0 Mar 8 10:52 file.tar.gz
>
> Any ideas what the reason for this behavior is?
>

I solved the scp copy problem by adding this scp case to the
log-session.sh script:

# if scp is requested we just forward this command

elif [ "$(echo "${SSH_ORIGINAL_COMMAND}" | grep '^scp')" ]
then
echo starting SCP service >> $LOGFILE
echo ======================================== >> $LOGFILE
${SSH_ORIGINAL_COMMAND}


Now the copy of files in both directions works fine. But I observe a
strange protocol error:

Enter passphrase for key '/home/graute/.ssh/id_ecdsa':
test.log

100% 39 0.0KB/s 00:00
protocol error: expected control record


Best regards,

Oliver

Darren Tucker

Mar 15, 2017, 7:30:09 AM3/15/17
to Oliver Graute, jm...@jms1.net, OpenSSH Devel List
On Wed, Mar 15, 2017 at 9:39 PM, Oliver Graute <oliver...@gmail.com> wrote:
[...]
> protocol error: expected control record

Most likely your script is producing some output at the end which scp
tries and fails to interpret.

Try exec'ing scp rather than just calling it to make sure your script
doesn't do anything else.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Oliver Graute

Mar 15, 2017, 8:10:19 AM3/15/17
to Darren Tucker, jm...@jms1.net, OpenSSH Devel List
On Wed, Mar 15, 2017 at 12:24 PM, Darren Tucker <dtu...@zip.com.au> wrote:
> On Wed, Mar 15, 2017 at 9:39 PM, Oliver Graute <oliver...@gmail.com> wrote:
> [...]
>> protocol error: expected control record
>
> Most likely your script is producing some output at the end which scp
> tries and fails to interpret.
>
> Try exec'ing scp rather than just calling it to make sure your script
> doesn't do anything else.

You are right:

- ${SSH_ORIGINAL_COMMAND}
+ exec ${SSH_ORIGINAL_COMMAND}

solved the issue. Thx

Oliver
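The root cause discussed in this thread is that log-session.sh wraps every non-sftp command in script(1), which allocates a pty and records the session; scp's server side (the `scp -t` / `scp -f` invocations the client sends as SSH_ORIGINAL_COMMAND) speaks a binary control protocol on stdout, so the pty wrapping leaves a zero-byte file, and any trailing output from the script after a non-exec'd scp produces "protocol error: expected control record". The dispatcher below is an added example, not the script from the list nor anything from OpenSSH: it puts the classification of SSH_ORIGINAL_COMMAND into a testable function, exec's sftp-server and scp directly so nothing else can write to stdout, and keeps script(1) only for interactive shells and ordinary commands. The paths, the LOGDIR location, the `dispatch` argument (so the file can be sourced without running), and the util-linux script(1) flags the thread already uses are assumptions.

```shell
#!/bin/sh
# Added example of a ForceCommand dispatcher (not the list's log-session.sh).
# Install as:  ForceCommand /usr/local/sbin/log-session.sh dispatch
# Assumed: paths below, util-linux script(1) (-a -f -q -c as in the thread).

SFTP_SERVER=${SFTP_SERVER:-/usr/lib/openssh/sftp-server}   # assumed path
LOGDIR=${LOGDIR:-/var/log/sshlog}                          # assumed path

# classify_session CMD -> prints one of: shell, internal-sftp, sftp, scp, command
classify_session() {
    case "$1" in
        "")              echo shell ;;
        internal-sftp)   echo internal-sftp ;;
        "$SFTP_SERVER")  echo sftp ;;
        "scp "*)         echo scp ;;          # scp's server side: "scp -t DIR" / "scp -f FILE"
        *)               echo command ;;
    esac
}

# logfile_name SSH_CLIENT NOW -> per-session log path ($SSH_CLIENT is "addr port port")
logfile_name() {
    addr=${1%% *}
    echo "$LOGDIR/sshlog.$2.$addr"
}

dispatch() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    now=$(date +%Y-%m-%d.%H%M%S)
    log=$(logfile_name "${SSH_CLIENT:-unknown}" "$now")
    umask 077
    mkdir -p "$LOGDIR"

    kind=$(classify_session "$cmd")
    {
        echo "session kind: $kind"
        [ -n "$cmd" ] && echo "command: $cmd"
        echo "========================================"
    } >> "$log"

    case "$kind" in
        internal-sftp|sftp)
            # binary protocol: exec directly, never wrap in script(1)
            exec "$SFTP_SERVER" ;;
        scp)
            # scp -t/-f speaks a binary control protocol on stdout; a pty or a
            # single stray byte from this script corrupts the transfer. Run it
            # through the shell as sshd would, and exec so nothing follows.
            # Note: this trusts everything after the "scp " prefix, exactly as
            # the thread's grep '^scp' does; tightening that is a site decision.
            exec /bin/sh -c "$cmd" ;;
        command)
            exec script -a -f -q -c "$cmd" "$log" ;;
        shell)
            exec script -a -f -q "$log" ;;
    esac
    echo "exec failed, rv=$?" >> "$log"
    exit 1
}

# Only dispatch when called with the "dispatch" argument, so the helpers
# above can be sourced and checked without starting a session.
case "${1:-}" in
    dispatch) dispatch ;;
esac
```

The logging difference from the thread's approach is deliberate: for sftp and scp only the session metadata (kind, command line, client address) is recorded, because the payload is a binary stream that script(1) cannot capture without breaking it; per-file auditing for sftp is better obtained from sftp-server's own `-l` logging level in the Subsystem line.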