
Cannot log the SFTP file transfer operations of a CHROOTED non-admin user account on Windows Server

Open adictn opened this issue 5 years ago • 7 comments

Troubleshooting steps https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps

Terminal issue? please go through wiki https://github.com/PowerShell/Win32-OpenSSH/wiki/TTY-PTY-support-in-Windows-OpenSSH

  • No

Please answer the following

"OpenSSH for Windows" version sshd.exe File version: 8.1.0.0

Server OperatingSystem

  • Windows Server 2019 Standard

Client OperatingSystem

  • Windows Server 2019 Standard

What is failing

  • The file transfer logging for a chrooted (to a separate drive) and non-administrative user account does not get generated. Important note: I already gave the connecting user's account write rights to C:\OpenSSH\logs and C:\ProgramData\ssh\logs folders.

Expected output

  • File transfer logfile.

Actual output

  • Nothing. The file does not get generated.

Attached sshd_config file. sshd_config.txt

adictn avatar Sep 25 '20 13:09 adictn

You need to append to this line for logging ForceCommand internal-sftp

try this instead: ForceCommand internal-sftp -l INFO -f AUTH

joshuadfoster2017 avatar Oct 10 '20 15:10 joshuadfoster2017

I've tried that. The problem is that the logs are written using the account that connects to the SFTP server. In the CHROOT case, this account does not see anything outside the path I provided to it. There are some resources that explain this issue and provide workarounds for Linux-based installations, but really nothing for Windows...

adictn avatar Oct 12 '20 09:10 adictn

This makes more sense to me now. I was testing on non-Chrooted users when I figured out where to indicate the logging. Just started testing on Chrooted environment, and no joy. I would expect to be able to use Windows logging system for this. I'm going to say that there is no way to accomplish logging Chrooted SFTP on Windows using OpenSSH at this time. But it would be great to hear from someone at Microsoft to clear the air.

joshuadfoster2017 avatar Oct 12 '20 20:10 joshuadfoster2017

I also had this same problem, and it seems that if you add the chroot user to the Administrators group it captures the file transfer events in the log, which is just unviable for users whose access we are trying to restrict. Microsoft, can you help please?

steveinglis2021 avatar Dec 14 '21 16:12 steveinglis2021

Please try https://github.com/PowerShell/Win32-OpenSSH/releases/tag/V8.6.0.0p1-Beta

bagajjal avatar Dec 14 '21 18:12 bagajjal

Unfortunately it's still the same issue. Previously I had installed OpenSSH from the Windows feature in Server 2019; this time it was using the 64-bit (8.6.0.0p1-Beta) release extracted into C:\Program Files, with the sshd_config modified in C:\ProgramData.

steveinglis2021 avatar Dec 15 '21 16:12 steveinglis2021

Hello,

I have been struggling with this and found a solution. If you put your chrooted SFTP accounts in the local Administrators group, file access (uploads, deletes and so on) logging works. For security reasons, this is not a real solution. But you can give SFTP accounts the possibility to write to the Application event log.

On the SFTP server, run the following command in PowerShell to get the current event log security descriptors: wevtutil get-log "openSSH/Operational"

Then take the ChannelAccess row and extend it with the added group's security descriptor. You can find the AD group SID in your AD with the following PowerShell command: Get-ADGroup your-ad-group-name

Then add the following at the end of the ChannelAccess string you got earlier with the wevtutil command: (A;;0x3;;;S-1-5-21-YOUR-GROUPS-SID-FROM-PREVIOUS-COMMAND)

There 0x3 means write permission.

Last thing: create a new Group Policy and paste the newly edited ChannelAccess string into the "Configure log access" option under Computer Configuration/Administrative Templates/Windows Components/Event Log Service/Application (paste the string there, starting from "O:BAG..." and so on).

After setting this up, all file access made by chrooted users will be logged in Event Viewer OpenSSH/Operational log.

Hope this helps someone struggling with the same problem.

-Antti

anttihookoo avatar Feb 08 '24 10:02 anttihookoo
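The procedure in the comment above (read the channel's SDDL with wevtutil, resolve the group's SID, append an allow ACE, apply the new descriptor), as an added PowerShell example that is not code from the issue thread or the Win32-OpenSSH project. It differs from the comment in one design choice: instead of pasting the string into a Group Policy it applies the SDDL directly to the named channel with `wevtutil set-log /ca:`, so only OpenSSH/Operational is affected and the result can be verified immediately. The group name `SFTP-Users`, the `-Apply` switch and the hypothetical function name are assumptions; the script is expected to run in an elevated session on the SFTP host.

```powershell
# Added example (not from the issue thread or the Win32-OpenSSH project).
# Grants a local or domain group write access to an ETW channel so that
# non-admin, chrooted SFTP users can emit file-transfer events to it.
# Assumptions: elevated PowerShell on the SFTP host; $GroupName is a placeholder.

function Grant-SftpChannelWrite {
    param(
        [string]$Channel   = 'OpenSSH/Operational',
        [string]$GroupName = 'SFTP-Users',   # placeholder, replace with your group
        [switch]$Apply                       # without -Apply only the new SDDL is printed
    )

    # Resolve the SID via NTAccount; works for local and AD groups, no AD module needed
    # (the comment above uses Get-ADGroup for the same purpose).
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # Read the current channelAccess SDDL exactly as wevtutil reports it.
    $line = wevtutil get-log $Channel | Where-Object { $_ -match '^\s*channelAccess:' }
    if (-not $line) { throw "channelAccess not found in 'wevtutil get-log $Channel' output" }
    $current = ($line -replace '^\s*channelAccess:\s*', '').Trim()

    # Allow ACE with mask 0x3: read (0x1) + write (0x2) on an event log channel.
    $ace = "(A;;0x3;;;$sid)"

    if ($current -like "*$ace*") {
        $new = $current                       # already granted, keep the descriptor unchanged
    } else {
        # Append to the DACL; if a SACL ("S:(...)") is present, insert before it so the
        # ACE stays inside the D: section rather than becoming a bogus audit ACE.
        $saclIdx = $current.IndexOf('S:(')
        $new = if ($saclIdx -ge 0) { $current.Insert($saclIdx, $ace) } else { $current + $ace }
    }

    Write-Host "Group SID : $sid"
    Write-Host "Current   : $current"
    Write-Host "New       : $new"

    if ($Apply) {
        wevtutil set-log $Channel "/ca:$new"
        # Read back to confirm the channel now carries the new ACE.
        wevtutil get-log $Channel | Select-String 'channelAccess'
    }
    return $new
}

# Dry run first; add -Apply once the printed SDDL looks right.
Grant-SftpChannelWrite -GroupName 'SFTP-Users'
```

Run it once without `-Apply` and compare the printed "New" descriptor with the original; only the single `(A;;0x3;;;S-1-5-...)` ACE should differ. The channel grant only matters if sshd is actually asked to log transfers, so pair it with the `ForceCommand internal-sftp -l INFO -f AUTH` line suggested earlier in the thread, then confirm with a test upload from a chrooted, non-admin account that events appear in Event Viewer under Applications and Services Logs > OpenSSH > Operational. Because the ACE grants write but not clear (0x4), members of the group cannot wipe the log.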