4

My server is CentOS 5. I have a chroot environment set up with the following in my sshd_config:

Match group sftponly
    ForceCommand internal-sftp
    ChrootDirectory %h
    AllowTcpForwarding no
    PasswordAuthentication yes
Match

When a user connects by sftp, a line is added to /var/log/secure:

Sep  3 15:30:20 servername sshd[26548]: pam_unix(sshd:session): session opened for user test by (uid=0)

However they are not present when executing w:

[root@servername home]# w
 15:30:47 up 156 days,  1:00,  3 users,  load average: 0.05, 0.18, 0.32
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
mike     pts/1    12.34.56.78      Fri16    0.00s  0.10s  0.03s sshd: mike [priv]

But when users connect by SSH (like the user above), they are present. Is this standard behavior?

Mike

1 Answer

4

man utmp:

The utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging.

So, it must be that sshd is not adding a utmp entry when handling scp connections. Looks quite normal because scp instances are not interactive sessions.

Maybe something can be done using ForceCommand or Subsystem in sshd_config: It might be possible to wrap the execution of the sftp handler inside a login shell.

(Actually I wouldn't recommend that, better keep it simple and use standard logging facilities.)

  • The connections not being logged are sftp, not scp, so they are interactive. – Mike Sep 03 '11 at 22:59
  • 1
    Ok, it turns out you were right. Even though sftp seems to be interactive, it is considered to be non-interactive by the system and therefore doesn't add it to utmp for some reason, so the answer to my original question is, "Yes, this is standard behavior." – Mike Sep 03 '11 at 23:47
  • Yes, maybe they preferred to consider sftp as non-interactive because its main use is scp. Using it repetitively might clutter the wtmp database. – Stéphane Gimenez Sep 03 '11 at 23:58
  • Actually scp and sftp are different protocols. From Wikipedia, "Compared to the earlier SCP protocol, which allows only file transfers, the SFTP protocol allows for a range of operations on remote files – it is more like a remote file system protocol" – Mike Sep 04 '11 at 00:10
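
Added example, not part of the original question, answer or comments: since sftp sessions never reach utmp, the pam_unix lines in /var/log/secure are the record to work from. This sketch pairs "session opened" and "session closed" events by sshd PID to list sessions that are still open, then flags users who have an open session but do not appear in w. The function names, the sample log (only its first line comes from the question) and the "session closed" line format are assumptions based on standard pam_unix output.

```python
import re

# pam_unix session lines written by sshd, matched on the format shown in the question.
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[(?P<pid>\d+)\]:\s"
    r"pam_unix\(sshd:session\):\ssession\s(?P<event>opened|closed)\sfor\suser\s(?P<user>\S+)"
)

def open_sessions(lines):
    """Return {sshd_pid: (user, opened_at)} for sessions opened but not yet closed."""
    active = {}
    for line in lines:
        m = SESSION_RE.match(line)
        if not m:
            continue  # unrelated sshd or PAM message
        pid = int(m.group("pid"))
        if m.group("event") == "opened":
            active[pid] = (m.group("user"), m.group("ts"))
        else:
            # A close with no matching open (e.g. after log rotation) is ignored.
            active.pop(pid, None)
    return active

def not_in_utmp(active, utmp_users):
    """Users with an open PAM session whose name is absent from w/who output.

    Caveat: a user holding both a shell and an sftp session is in utmp
    because of the shell, so the sftp session is not flagged here.
    """
    return sorted({user for user, _ in active.values()} - set(utmp_users))

# Constructed sample: the first line is from the question, the rest are made up.
SAMPLE_LOG = """\
Sep  3 15:30:20 servername sshd[26548]: pam_unix(sshd:session): session opened for user test by (uid=0)
Sep  3 15:31:02 servername sshd[26601]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Sep  3 15:31:02 servername sshd[26601]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Sep  3 15:32:15 servername sshd[26601]: pam_unix(sshd:session): session closed for user alice
""".splitlines()

if __name__ == "__main__":
    active = open_sessions(SAMPLE_LOG)
    for pid, (user, ts) in sorted(active.items()):
        print(f"{user:<10} sshd[{pid}]  since {ts}")
    # "mike" is the only user w reported in the question.
    print("open but not in utmp:", not_in_utmp(active, {"mike"}))
```

On a real host, pass the lines of /var/log/secure (and its rotated predecessors, so that opens from before the last rotation are seen) instead of SAMPLE_LOG.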