IBM Support

The SSHD Can Use the UNIX Syslog Facilities for Logging

Troubleshooting


Problem

This document provides instructions for configuring and starting the syslog daemon on the operating system to log information about use of the OpenSSH sshd daemon.

Resolving The Problem

The SSH daemon can use the UNIX syslog facilities for logging.

In this example, Qshell was used to start the syslog daemon. To verify that Qshell is installed on your system, run the DSPSFWRSC command. Qshell is Option 30 of the base operating system 5770SS1. The PASE terminal is also required, so confirm that Option 33 of the base operating system 5770SS1 is also installed. Finally, check that 5733SC1 is installed.
Do the following:

1) From the IBM i command line, start Qshell:

STRQSH

We need to create both a syslog log file and the syslog config file. In this example, we are going to create a log file called syslog.log in the /var/log directory. This file can be named whatever you like and be stored wherever you like, but whatever you choose, you need to reference it in the entry created in the syslog config file. You need to ensure that any directories in the path already exist. Substitute your choice wherever you see /var/log/syslog.log in these examples.

  • touch -C 819 /var/log/syslog.log   (Creates the log file in CCSID 819; the path must match the one you reference in syslog.conf)
You can choose the log file name and location. This log file will need to be referenced in the syslog configuration file during the next configuration step.

  • touch -C 819 /QOpenSys/etc/syslog.conf   (Creates the conf file in the proper CCSID, 819)
  • echo "" >> /QOpenSys/etc/syslog.conf   (Sets the stream file EOL option to *LF rather than *CRLF, which is not compatible and would result in errno=2 when the file is read)

Now exit Qshell by using the Fn key or the exit command.
2) Add the following line to the syslog.conf file. From the IBM i command line run:

EDTF '/QOpenSys/etc/syslog.conf'

Add the following line to the file:

auth.info /var/log/syslog.log

(or substitute the directory path and file name you chose in the previous step)

Save and exit from the EDTF editor.
3) End the SSHD server with the command:

ENDTCPSVR *SSHD

Edit the sshd_config file to turn on logging:

EDTF '/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config'

Under the section that starts with '# Logging', you should see the line '#LogLevel INFO'. Remove the '#' symbol from the start of the line, which uncomments it and turns on INFO-level logging for SSHD. Save and exit.

*NOTE: If you are running OS/400 R710, the path for sshd_config is '/QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-4.7p1/etc/sshd_config'
4) Start the syslog daemon:

QSH CMD('/usr/sbin/syslogd')

Note: The syslog daemon listens on UDP port 514. You can verify that it started by running NETSTAT *CNN and looking for a listener on that port.
5) Start the ssh daemon:

STRTCPSVR *SSHD

The /var/log/syslog.log file (or your equivalent) will contain entries similar to the following:

Dec 22 16:38:51 SSHSERVER auth|security:info sshd[35618]: Server listening on 0.0.0.0 port 22.
Dec 22 16:39:10 SSHSERVER auth|security:info sshd[35619]: Failed password for someuser from 1.1.1.1 port 1372 ssh2
Dec 22 16:39:40 SSHSERVER auth|security:info sshd[35619]: Accepted password for someuser from 1.1.1.1 port 1372 ssh2
Dec 22 18:09:49 SSHSERVER auth|security:info sshd[36108]: Accepted publickey for someuser from 1.1.1.2 port 51590 ssh2
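Once sshd is writing to syslog.log, the "Failed password" and "Accepted" lines carry the user name and source address, which is what you need to spot repeated failures from one source or a login that succeeded from an unexpected address. The following POSIX shell script is an added example, not part of the IBM document: it summarises those events with awk, so it runs in Qshell or a PASE shell on IBM i as well as on any UNIX-like system. The sample log lines it embeds are constructed to match the format shown above; the host name, PIDs, user name and addresses are made up.

```shell
#!/bin/sh
# Added example, not part of the IBM document: summarise sshd authentication
# events from a syslog.log file written in the format shown above.
# Assumes a POSIX shell and awk (Qshell or a PASE shell on IBM i, or any
# UNIX-like system).

# write_sample_log: writes constructed sample lines to a scratch file and
# prints its path. Host name, PIDs, user and addresses are made up.
write_sample_log() {
    f="${TMPDIR:-/tmp}/sshd_sample.$$"
    cat > "$f" <<'EOF'
Dec 22 16:38:51 SSHSERVER auth|security:info sshd[35618]: Server listening on 0.0.0.0 port 22.
Dec 22 16:39:10 SSHSERVER auth|security:info sshd[35619]: Failed password for someuser from 1.1.1.1 port 1372 ssh2
Dec 22 16:39:40 SSHSERVER auth|security:info sshd[35619]: Accepted password for someuser from 1.1.1.1 port 1372 ssh2
Dec 22 18:09:49 SSHSERVER auth|security:info sshd[36108]: Accepted publickey for someuser from 1.1.1.2 port 51590 ssh2
EOF
    printf '%s\n' "$f"
}

# count_auth_events FILE KIND
#   KIND is "Failed" or "Accepted". Prints one line per user/source pair,
#   "<count> <user> <source-ip>", sorted.
count_auth_events() {
    awk -v kind="$2" '
        $0 ~ ("sshd\\[[0-9]+\\]: " kind " (password|publickey) for ") {
            # The message reads "... for <user> from <ip> port <port> ssh2"
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            count[user " " ip]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort
}

# failed_sources FILE THRESHOLD
#   Prints source IPs with at least THRESHOLD failed logins, sorted.
#   A low threshold over a short window is a simple brute-force indicator.
failed_sources() {
    awk -v limit="$2" '
        / sshd\[[0-9]+\]: Failed (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' "$1" | sort
}

# Demonstration on the constructed sample.
LOG_FILE=$(write_sample_log)
echo "Failed logins (count user source):"
count_auth_events "$LOG_FILE" Failed
echo "Accepted logins (count user source):"
count_auth_events "$LOG_FILE" Accepted
echo "Sources with at least 1 failed login:"
failed_sources "$LOG_FILE" 1
rm -f "$LOG_FILE"
```

To run it against the real file, replace the scratch path with /var/log/syslog.log (or whatever you chose in the steps above); the awk pattern keys on the "sshd[pid]:" prefix and the "Failed"/"Accepted" verbs, so it is unaffected by the "auth|security:info" facility label that this syslogd writes in front of the message.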


If syslogd is not configured and running, these syslog messages are redirected to the job log of the unique SSHD process that is forked off when a user tries to connect. Therefore, you would have to look through many job logs to collect all of the logged messages.

The LogLevel keyword in the SSH daemon configuration file ('/QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config') determines the verbosity level that is used when logging messages from SSHD. The default log level is 'INFO', and it is sufficient for most cases.

There is some ongoing debate in the OpenSSH development community about providing logging of specific files being transferred using SFTP or 'SCP'; however, the OpenSSH maintainers have resisted doing so, stating that a user could merely sign in after a transfer using SSH and rename a file from there. Their position is that, rather than relying on logging, you must ensure correct authorities for users connecting using SSH (so that they can only read/write the appropriate directories and files).


Historical Number

454064141

Document Information

Modified date:
27 March 2024

UID

nas8N1014301