The SFTP service is configured in sshd_config, located at /etc/ssh/sshd_config.
Normally the sftp-server program is used. Its man page, from the BSD System Manager's Manual, reads as follows:
NAME
sftp-server -- SFTP server subsystem
SYNOPSIS
sftp-server [-ehR] [-d start_directory] [-f log_facility] [-l log_level]
[-P blacklisted_requests] [-p whitelisted_requests]
[-u umask]
sftp-server -Q protocol_feature
DESCRIPTION
sftp-server is a program that speaks the server side of SFTP protocol to
stdout and expects client requests from stdin. sftp-server is not
intended to be called directly, but from sshd(8) using the Subsystem
option.
Command-line flags to sftp-server should be specified in the Subsystem
declaration. See sshd_config(5) for more information.
Valid options are:
-d start_directory
Specifies an alternate starting directory for users. The pathname
may contain the following tokens that are expanded at runtime:
%% is replaced by a literal '%', %d is replaced by the home
directory of the user being authenticated, and %u is replaced by
the username of that user. The default is to use the user's home
directory. This option is useful in conjunction with the
sshd_config(5) ChrootDirectory option.
-e Causes sftp-server to print logging information to stderr instead
of syslog for debugging.
-f log_facility
Specifies the facility code that is used when logging messages
from sftp-server. The possible values are: DAEMON, USER, AUTH,
LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
The default is AUTH.
-h Displays sftp-server usage information.
-l log_level
Specifies which messages will be logged by sftp-server. The
possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
DEBUG1, DEBUG2, and DEBUG3. INFO and VERBOSE log transactions
that sftp-server performs on behalf of the client. DEBUG and
DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher
levels of debugging output. The default is ERROR.
-P blacklisted_requests
Specify a comma-separated list of SFTP protocol requests that are
banned by the server. sftp-server will reply to any blacklisted
request with a failure. The -Q flag can be used to determine the
supported request types. If both a blacklist and a whitelist are
specified, then the blacklist is applied before the whitelist.
-p whitelisted_requests
Specify a comma-separated list of SFTP protocol requests that are
permitted by the server. All request types that are not on the
whitelist will be logged and replied to with a failure message.
Care must be taken when using this feature to ensure that
requests made implicitly by SFTP clients are permitted.
-Q protocol_feature
Query protocol features supported by sftp-server. At present the
only feature that may be queried is ``requests'', which may be
used for black or whitelisting (flags -P and -p respectively).
-R Places this instance of sftp-server into a read-only mode.
Attempts to open files for writing, as well as other operations
that change the state of the filesystem, will be denied.
-u umask
Sets an explicit umask(2) to be applied to newly-created files
and directories, instead of the user's default mask.
On some systems, sftp-server must be able to access /dev/log for logging
to work, and use of sftp-server in a chroot configuration therefore
requires that syslogd(8) establish a logging socket inside the chroot
directory.
Modify the ssh configuration
vim /etc/ssh/sshd_config
# Search for "Subsystem" to find the matching line
# Subsystem sftp /usr/libexec/openssh/sftp-server
# Append the logging parameters after it (-l sets the log level, -f the syslog facility)
Subsystem sftp /usr/libexec/openssh/sftp-server -l DEBUG3 -f local5
Modify the rsyslog configuration
As the sftp-server man page above notes, on some systems sftp-server must be able to access /dev/log for logging to work, so using sftp-server in a chroot configuration requires syslogd(8) to establish a logging socket inside the chroot directory.
vim /etc/rsyslog.conf
# Add the following line at the end; selectors are separated by ';', facilities within one selector by ','
auth,authpriv.*;local5.* /var/log/sftp.log
Restart the services
systemctl restart sshd
systemctl restart rsyslog
View the logs
# Logs end up in /var/log/sftp.log. They can be viewed with tailf, less, more and similar commands
# (tailf was removed from util-linux; tail -f is the equivalent on current systems).
tailf /var/log/sftp.log
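Once the log file exists, the useful next step is to turn it into a per-user audit trail. The parser below is an added example (not part of the original post or of OpenSSH); it assumes the message formats that sftp-server emits at INFO level and above ("session opened for local user ...", open/close/remove lines, "sent status ..."), and the sample log lines are constructed, with made-up timestamps, hostname and PIDs.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/sftp.log lines, in the style of sftp-server's
# INFO/VERBOSE messages (assumed format; timestamps, host, PIDs are made up).
SAMPLE_LOG = """\
Mar  3 10:01:12 host sftp-server[2101]: session opened for local user alice from [192.0.2.10]
Mar  3 10:01:20 host sftp-server[2101]: open "/home/alice/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644
Mar  3 10:01:21 host sftp-server[2101]: close "/home/alice/report.csv" bytes read 0 written 4096
Mar  3 10:01:25 host sftp-server[2101]: remove name "/home/alice/old.csv"
Mar  3 10:01:30 host sftp-server[2101]: session closed for local user alice from [192.0.2.10]
Mar  3 10:02:00 host sftp-server[2155]: session opened for local user bob from [198.51.100.7]
Mar  3 10:02:05 host sftp-server[2155]: open "/home/bob/notes.txt" flags READ mode 0666
Mar  3 10:02:05 host sftp-server[2155]: close "/home/bob/notes.txt" bytes read 1200 written 0
Mar  3 10:02:09 host sftp-server[2155]: sent status Permission denied
Mar  3 10:02:10 host sshd[2150]: pam_unix(sshd:session): session closed for user bob
"""

LINE_RE = re.compile(r'sftp-server\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SESSION_RE = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<addr>[^\]]+)\]')
OP_RE = re.compile(r'^(?P<op>open|remove|rename|mkdir|rmdir|opendir)\b[^"]*"(?P<path>[^"]+)"')
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)')

def summarize(log_text):
    """Per-user audit summary from sftp-server lines; sshd/pam lines sharing the file are skipped."""
    sessions = {}  # pid -> user, learned from that session's 'session opened' line
    users = defaultdict(lambda: {"addr": None, "ops": [], "read": 0, "written": 0, "errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sftp-server message (e.g. sshd via auth,authpriv)
        pid, msg = m.group("pid"), m.group("msg")
        s = SESSION_RE.match(msg)
        if s:
            sessions[pid] = s.group("user")
            users[s.group("user")]["addr"] = s.group("addr")
            continue
        if pid not in sessions:
            continue  # operation from a session whose 'opened' line was not captured
        rec = users[sessions[pid]]
        c = CLOSE_RE.match(msg)
        o = OP_RE.match(msg)
        if c:  # close carries the byte counters for the whole transfer
            rec["read"] += int(c.group("read"))
            rec["written"] += int(c.group("written"))
        elif o:  # filesystem-changing or opening request with its target path
            rec["ops"].append((o.group("op"), o.group("path")))
        elif msg.startswith("sent status") and not msg.endswith(("Success", "End of file")):
            rec["errors"] += 1  # a denied or failed request (visible at INFO and above)
    return dict(users)
```

Running summarize(open("/var/log/sftp.log").read()) gives, per user, the client address, the paths opened or removed, total bytes read and written, and the number of failed requests, which is what a reviewer of SFTP activity usually wants first.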