logging sftp transfers
I have a directory with files I want my son to have access to. I have set him up an sftp account, and made him a member of a group with limited privileges. But I would like a list of what he has downloaded -- he lives in a shared house, and I don't regard my computer as a shared resource. He might perfectly well leave a program running ... Is there any way to log the files that are transferred by the sftp server? I have googled at length, and in vain.
--
Andrew Brown
What I do: www.darwinwars.com
What I'm up to: www.thewormbook.com/helmintholog/
The Monday 2005-01-10 at 20:32 -0000, Andrew Brown wrote:
I have a directory with files I want my son to have access to. I have set him up an sftp account, and made him a member of a group with limited privileges. But I would like a list of what he has downloaded -- he lives in a shared house, and I don't regard my computer as a shared resource. He might perfectly well leave a program running ...
He can not leave a program running on your computer unless you give him a shell account on your computer, or unless he is a good hacker or cracker.
Is there any way to log the files that are transferred by the sftp server? I have googled at length, and in vain.
sftp, dunno. Some ftp daemons do.
--
Cheers,
Carlos Robinson
On Tue, 11 Jan 2005 02:16:14 +0100 (CET), Carlos E. R.
shared resource. He might perfectly well leave a program running ...
He can not leave a program running on your computer unless you give him a shell account on your computer, or unless he is a good hacker or cracker.
Well, he has got a shell account, but I only showed him how to use an ftp client. This is a young man from long after the age of CLIs :-) What I am afraid of is that his housemates start plundering my server.
sftp, dunno. Some ftp daemons do.
which ones? I don't want anything that doesn't run through Port 22
--
Andrew Brown
What I do: www.darwinwars.com
What I'm up to: www.thewormbook.com/helmintholog/
On Tue, 11 Jan 2005 08:31:51 +0000, Andrew Brown
On Tue, 11 Jan 2005 02:16:14 +0100 (CET), Carlos E. R. wrote:
shared resource. He might perfectly well leave a program running ...
He can not leave a program running on your computer unless you give him a shell account on your computer, or unless he is a good hacker or cracker.
Well, he has got a shell account, but I only showed him how to use an ftp client. This is a young man from long after the age of CLIs :-)
What I am afraid of is that his housemates start plundering my server.
sftp, dunno. Some ftp daemons do.
which ones? I don't want anything that doesn't run through Port 22
--
Andrew Brown
What I do: www.darwinwars.com
What I'm up to: www.thewormbook.com/helmintholog/
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
You may take a look at vsftpd. It has ssh integration. http://vsftpd.beasts.org/
Also, you may use any ftp server. Just deny the access on port 21 from outside, and use ssh tunneling to get to it.
Sunny
--
Get Firefox http://www.spreadfirefox.com/?q=affiliates&id=10745&t=85
The Tuesday 2005-01-11 at 08:31 -0000, Andrew Brown wrote:
shared resource. He might perfectly well leave a program running ...
He can not leave a program running on your computer unless you give him a shell account on your computer, or unless he is a good hacker or cracker.
Well, he has got a shell account, but I only showed him how to use an ftp client. This is a young man from long after the age of CLIs :-)
Then, he might one day. Define his shell to be rbash, and then he will not be able to change directory or execute something not in his path. Probably you will also have to include him in the lists not permitting him to launch cron jobs.
What I am afraid of is that his housemates start plundering my server.
That's life :-p
sftp, dunno. Some ftp daemons do.
which ones? I don't want anything that doesn't run through Port 22
vsftpd, if you activate "xferlog_enable", logs transfers. It is a standard ftp server, so it uses the ftp port.

sftp... ah, I confused it with the simple ftp protocol. sftp-server is configured in sshd_config. Try this:

LogLevel
Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended.

--
Cheers,
Carlos Robinson
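An added example, not code from the thread or from the OpenSSH project: a small script that turns sftp-server log lines into the "what did he download" list the thread is after. It assumes sshd_config runs the sftp subsystem with file-level logging (`-l INFO -f AUTH`, options OpenSSH added in releases after this 2005 thread), and the sample log lines, host name, user name and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: list what each sftp user has read
# (i.e. downloaded) from OpenSSH sftp-server log lines.  It assumes
# sshd_config runs the subsystem with file-level logging, roughly
#   Subsystem sftp /usr/lib/ssh/sftp-server -l INFO -f AUTH
# (the -l/-f options arrived in OpenSSH releases after this 2005 thread),
# which logs a "session opened for local user NAME from [ADDR]" line per
# session and an open/close pair per file, keyed by the sftp-server pid.

# Constructed sample lines in syslog format; not a real log.
SAMPLE_LOG='Jan 11 20:54:55 host sftp-server[4242]: session opened for local user son from [192.0.2.10]
Jan 11 20:55:01 host sftp-server[4242]: open "/home/son/share/photo.jpg" flags READ mode 0666
Jan 11 20:55:03 host sftp-server[4242]: close "/home/son/share/photo.jpg" bytes read 204800 written 0
Jan 11 20:55:10 host sftp-server[4242]: open "/home/son/share/notes.txt" flags WRITE,CREATE,TRUNCATE mode 0644
Jan 11 20:55:11 host sftp-server[4242]: close "/home/son/share/notes.txt" bytes read 0 written 1234
Jan 11 20:56:00 host sftp-server[4242]: session closed for local user son from [192.0.2.10]'

# Reads log lines on stdin, prints "user<TAB>file<TAB>bytes read" for
# every file a client read; uploads (bytes read 0) are skipped.
sftp_downloads() {
    awk '
        # field 5 is "sftp-server[PID]:"; the pid ties lines to a session
        { match($5, /[0-9]+/); pid = substr($5, RSTART, RLENGTH) }
        /sftp-server\[[0-9]+\]: session opened for local user / { user[pid] = $11; next }
        /sftp-server\[[0-9]+\]: session closed for local user / { delete user[pid]; next }
        /sftp-server\[[0-9]+\]: close "/ {
            match($0, /"[^"]*"/);           file = substr($0, RSTART + 1, RLENGTH - 2)
            match($0, /bytes read [0-9]+/); n = substr($0, RSTART + 11, RLENGTH - 11)
            if (n + 0 > 0)
                printf "%s\t%s\t%d\n", ((pid in user) ? user[pid] : "?"), file, n
        }
    '
}

# Stand-alone run over the sample: expect one line, the 204800-byte read.
printf '%s\n' "$SAMPLE_LOG" | sftp_downloads
```

On a real box feed it the auth log instead of the sample, e.g. `grep sftp-server /var/log/auth.log | sftp_downloads`, and watch for "?" in the user column, which means the session-open line was rotated away.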
On Tue, 11 Jan 2005 20:54:55 +0100 (CET), Carlos E. R.
The Tuesday 2005-01-11 at 08:31 -0000, Andrew Brown wrote:
Well, he has got a shell account, but I only showed him how to use an ftp client. This is a young man from long after the age of CLIs :-)
Then, he might one day.
Define his shell to be rbash, and then he will not be able to change directory or execute something not in his path.
Is there a zsh equivalent? I will certainly do something like this.
sftp... ah, I confused it with the simple ftp protocol. sftp-server is configured in sshd_config. Try this:
LogLevel Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended.
Ah, thanks. I now realise that I have to throttle his connection, or else my cable modem downloads stop working properly. Is there any way to throttle outgoing ssh connections easily?
--
Andrew Brown
What I do: www.darwinwars.com
What I'm up to: www.thewormbook.com/helmintholog/
Define his shell to be rbash, and then he will not be able to change directory or execute something not in his path.
Is there a zsh equivalent? I will certainly do something like this.
I found rzsh all by myself. So that's all right. But it looks as if this is no use;
LogLevel Gives the verbosity level that is used when logging messages from sshd. The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level violates the privacy of users and is not recommended.
Someone posted a patch to OpenSSH to make sftp log transfers last summer. That's just too scary to fiddle with. I'll settle for figuring out how to throttle the bandwidth,
Ah, thanks. I now realise that I have to throttle his connection, or else my cable modem downloads stop working properly. Is there any way to throttle outgoing ssh connections easily?
--
Andrew Brown
What I do: www.darwinwars.com
What I'm up to: www.thewormbook.com/helmintholog/
The Wednesday 2005-01-12 at 09:05 -0000, Andrew Brown wrote:
Define his shell to be rbash, and then he will not be able to change directory or execute something not in his path.
Is there a zsh equivalent? I will certainly do something like this.
I dunno. But looking up the info page, I see:

Invocation
* Compatibility::
* Restricted Shell::

Restricted Shell
================
When the basename of the command used to invoke zsh starts with the letter `r' or the `-r' command line option is supplied at invocation, the shell becomes restricted. Emulation mode is determined after stripping the letter `r' from the invocation name. The following are disabled in restricted mode:

So the answer is yes ;-) I think you simply have to hardlink rzsh to zsh - as a matter of fact, bash uses the same trick:

lrwxrwxrwx 1 root root 9 2004-08-15 14:04 /usr/bin/rbash -> /bin/bash*

Well, with a softlink.
Ah. thanks. I now realise that I have to throttle his conneciton, or else my cable modem downloads sto working properly. Is there any way to throttle outgoing ssh connections easily?
I'm not familiar with traffic shaping, I don't know. Perhaps if he uses a fixed IP :-? - in that case, I would also restrict the firewall so that it is only possible to use ssh from that IP.
--
Cheers,
Carlos Robinson
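An added example, not from the thread: a probe that confirms what a restricted shell (bash invoked with -r, which is what rbash does, or zsh -r for rzsh) actually refuses, so the account can be checked before the restriction is relied on. The function and probe names are my own; the probes are the things rbash documents as disabled, and the check is only as strong as the commands left in the user's PATH.

```shell
#!/bin/sh
# Added example, not from the thread: probe a restricted shell (bash -r,
# i.e. rbash; zsh -r, i.e. rzsh) to confirm what it refuses before
# relying on it.  Each probe is something restricted mode documents as
# disabled: changing directory, running a command by path, changing
# PATH, and redirecting output to a file.

# refused_by_restricted SHELL COMMAND: returns 0 if the restricted
# SHELL refuses COMMAND, 1 if it runs it, 2 if SHELL is not installed.
refused_by_restricted() {
    command -v "$1" >/dev/null 2>&1 || return 2
    ! "$1" -r -c "$2" >/dev/null 2>&1
}

# Runs the standard probes against SHELL and prints one verdict per line;
# returns 0 only if every probe was refused.
probe_restricted() {
    rc=0
    for cmd in 'cd /' '/bin/ls' 'PATH=/usr/local/bin' 'echo x > /tmp/rshell-probe'; do
        if refused_by_restricted "$1" "$cmd"; then
            echo "refused: $cmd"
        else
            echo "ALLOWED: $cmd"; rc=1
        fi
    done
    return $rc
}

# Stand-alone run: every probe should come back "refused" for bash -r.
probe_restricted bash
```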