Guys -
This is NOT an official or unofficial openssh announcement, patch, release etc.

I'm a contractor sysadmin for USDA in D.C. I run a web development server that offers secure ftp services for our web content developers. I use sftp-server with openssh. The version I currently use is 3.5p1.

I noticed a lack of functionality in a couple of areas. First, there was no logging. Even with debug logging turned on, sftp-server transactions were not being logged. This is because there is no logging provision in the code. For me, this was a problem because our web developers have group read/write access to our web content. With no user-based transaction logging, it is difficult if not impossible to maintain an audit trail of the users' actions.

Secondly, there is no server-side control over umask and file permissions. When a user uploads a new file, the default permissions are either set by the client or, in the case where the client does not set it, are hard coded in the sftp-server subsystem. In my case, this was inadequate. Because of the group read/write policy, I want all uploaded files and directories to have a specific set of permissions (which wasn't happening because I had no control over it); and I do not want my users changing ownership or permissions (they could strip the group read/write bit off and prevent others from doing their work). Thus, I wanted control over the umask and I wanted to be able to disallow the client from changing ownership or file permissions.

I modified the openssh-3.5p1 code to add the functionality I needed. Specifically, I added six new directives to sshd_config:

SftpLog (whether to log or not to log ftp transactions)
SftpLogFacility (similar to SyslogFacility)
SftpLogLevel (similar to SyslogLevel)
SftpUmask (a valid umask, overrides all other sources of umask; if none given, then no umask override)
SftpPermitChmod (whether to allow or disallow client "chmod" commands)
SftpPermitChown (whether to allow or disallow client "chown" or "chgrp" commands)

A sample of the system log appears as follows:

Feb 1 19:48:21 sftp-server[19327]: Starting sftp-server logging for user michael.
Feb 1 19:48:21 sftp-server[19327]: umask control is on.
Feb 1 19:48:21 sftp-server[19327]: client is not permitted to chmod.
Feb 1 19:48:21 sftp-server[19327]: client is not permitted to chown.
Feb 1 19:48:21 sftp-server[19327]: realpath .
Feb 1 19:48:27 sftp-server[19327]: opendir /home/michael
Feb 1 19:48:31 sftp-server[19327]: realpath /home/michael/suwrap
Feb 1 19:48:34 sftp-server[19327]: sftp-server finished.

I'm running openssh with my patch on my servers, and am quite happy with it. I don't have to run a cron job anymore to check (and adjust if necessary) the file permissions on my web content, and I have a detailed audit trail of user transactions.

If anyone is interested in using my patch, feel free to contact me. The following disclaimer applies:

---
Disclaimer: My openssh patch is not endorsed by the openssh developers, by my employer, or by United States Department of Agriculture. There is no guarantee or warranty of any kind. I have done my best to ensure bug-free and secure code, but neither myself, my employer, nor the United States Government is responsible for any problems that arise from your use of this patch.
---

As I mentioned above, I did my patch in such a way that there are new directives for sshd_config. Markus Friedl (openssh developer) told me he would prefer a separate config file (something like sftp_config).

Sounds reasonable to me. Anybody else got any thoughts on this? When I get some time, I'll put together a new patch that puts all the sftp-specific directives into the new config file.

If someone else has the time and wants to do it, feel free. Please coordinate your efforts with the openssh developers, and with Mr. Friedl in particular, so they can put it into future releases.

Until then, feel free to contact me, offer suggestions, etc.
Mike Martinez
mmartinez@reeusda.gov
Received on Mon Feb 3 12:12:37 2003
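
An added example, not part of the original post or of the patch it describes: one way to rebuild the per-user audit trail the post is after from log lines shaped like the sample above, by tying each sftp-server PID to the user named in its session-start line. The second user, the extra PIDs and the function name `audit_trail` are constructed for illustration, and only the line shapes shown in the post's sample are assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the post's log excerpt: two interleaved
# sessions plus one line from a PID whose session start was never logged.
SAMPLE_LOG = """\
Feb 1 19:48:21 sftp-server[19327]: Starting sftp-server logging for user michael.
Feb 1 19:48:21 sftp-server[19327]: umask control is on.
Feb 1 19:48:21 sftp-server[19327]: client is not permitted to chmod.
Feb 1 19:48:22 sftp-server[19340]: Starting sftp-server logging for user alice.
Feb 1 19:48:21 sftp-server[19327]: realpath .
Feb 1 19:48:27 sftp-server[19327]: opendir /home/michael
Feb 1 19:48:29 sftp-server[19340]: opendir /var/www/site
Feb 1 19:48:31 sftp-server[19327]: realpath /home/michael/suwrap
Feb 1 19:48:34 sftp-server[19327]: sftp-server finished.
Feb 1 19:48:40 sftp-server[19399]: opendir /var/www/site
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) sftp-server\[(\d+)\]: (.*)$")
START_RE = re.compile(r"^Starting sftp-server logging for user (\S+?)\.$")
# Session banner lines that report policy state rather than a client request.
POLICY_PREFIXES = ("umask control is", "client is ")

def audit_trail(log_text):
    """Return ({user: [(timestamp, operation), ...]}, [unattributed lines])."""
    pid_user = {}                # live sessions: PID -> user
    trail = defaultdict(list)
    orphans = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # not an sftp-server line
        ts, pid, msg = m.groups()
        start = START_RE.match(msg)
        if start:
            pid_user[pid] = start.group(1)
        elif msg == "sftp-server finished.":
            pid_user.pop(pid, None)   # PIDs are reused, so close the session
        elif msg.startswith(POLICY_PREFIXES):
            continue
        elif pid in pid_user:
            trail[pid_user[pid]].append((ts, msg))
        else:
            orphans.append(line)      # operation with no known session owner
    return dict(trail), orphans
```

Lines returned in the second list are worth reviewing on their own, since an operation that cannot be tied to a session start is a gap in the audit trail.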