syslog-ng, chroot environments & Solaris

[ocoro02]

I'm trying to get chrooted sftp working (using latest openssh 5.1p1) on a Solaris 10 x86 box and am having trouble getting logging working. I realise this may be an ssh issue - and there have been a few mentions of similar problems - but the more I look at it the more I wonder whether it's a problem with syslog-ng.

Basically ssh, using the internal-sftp option & ChrootDirectory logs the initial connection, but once the user is in the chroot environment, there's no further logging (and I want to log sftp transfers etc.).

From a syslog-ng point of view, I'm running v2.0.9 (the package from sunfreeware) and my source looks like this:

source syslog {
        internal();
        sun-streams("/dev/log" door("/var/run/syslog_door"));
        sun-streams("/export/home/mychrootuser/dev/log" door("/export/home/mychrootuser/var/run/
syslog_door"));
        udp(ip(0.0.0.0) port(514));
};

where 'mychrootuser' is the user I wish to be locked in the chroot jail.
I created /export/home/mychrootuser/dev/log by building another instance of the /dev/log character file:

# ls -lL /dev/log
crw-r-----   1 root     sys       21,  5 Jun  9 14:46 /dev/log
# mknod /export/home/mychrootuser/dev/log c 21 5
# ls -l /export/home/mychrootuser/dev/log
crw-r-----   1 root     sys       21,  5 Aug 18 13:15 /export/home/mychrootuser/dev/log

Restart syslog-ng and the door file is created automatically:
# ls -l /export/home/mychrootuser/var/run/syslog_door
Drw-r--r--   1 root     root           0 Aug 18 13:04 /export/home/mychrootuser/var/run/syslog_door

I also alter the perms above to make sure mychrootuser can write to both the log & door files (this might not be necessary - I've tried allowing or keeping perms as listed above).

When I sftp - no luck. Logging works fine when ssh is set to non-chroot.  I've also tried using unix-stream rather than sun-streams.
As I say, it's very likely an ssh problem - but just checking in case if there's a magic fix on Solaris.

[fgarillot]

I may be running into a similar problem. Are you using ForceCommand in combination with ChrootDirectory in your sshd_config ?

Apparently, some people have noticed that it doesn't work well with logging in syslogd, and I reached the same conclusions with syslog-ng:

http://lists.mindrot.org/pipermail/openssh-unix-dev/2008-June/026526.html
http://lists.mindrot.org/pipermail/openssh-unix-dev/2008-June/026557.html

--
FG

[ocoro02]

I've cracked this - the problem mainly lay with openssh which I'll describe in:

http://groups.google.com/group/comp.security.ssh/browse_thread/thread/ce30a1d9889dc2e2#

From a syslog-ng point of view the config was even simpler than I expected. I didn't need to define a new source within the chroot jail. All I have is (what I had before):

source syslog {
        internal();
        sun-streams("/dev/log" door("/var/run/syslog_door"));
        udp(ip(0.0.0.0) port(514));
};


The magic trick is that on Solaris 10, you need /dev/conslog in the chroot jail - and that is all.
So create the device by getting the major/minior numbers for conslog:

% ls -lL /dev/conslog
crw-rw-rw-   1 root     sys       21,  0 Jun  5 14:36 /dev/conslog

And create the device file:

% mkdir /path/to/chrootjail/dev
% mknod /path/to/chrootjail/dev/conslog c 21 0

Need to alter perms on this as well. The SSH perms are quite odd - top level of the chroot jail must be owned by root and must be modes 750 or less.

[mutex]

That's a pretty obscure problem.  I am glad you got it resolved.