f32b842
diff -up openssh-8.6p1/log.c.log-in-chroot openssh-8.6p1/log.c
f32b842
--- openssh-8.6p1/log.c.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
f32b842
+++ openssh-8.6p1/log.c	2021-04-19 14:43:08.544843434 +0200
f32b842
@@ -194,6 +194,11 @@ void
25c16c6
 log_init(const char *av0, LogLevel level, SyslogFacility facility,
25c16c6
     int on_stderr)
7a7b8f0
 {
7a7b8f0
+	log_init_handler(av0, level, facility, on_stderr, 1);
7a7b8f0
+}
7a7b8f0
+
7a7b8f0
+void
25c16c6
+log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
7a7b8f0
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
7a7b8f0
 	struct syslog_data sdata = SYSLOG_DATA_INIT;
7a7b8f0
 #endif
f32b842
@@ -206,8 +211,10 @@ log_init(const char *av0, LogLevel level
7a7b8f0
 		exit(1);
7a7b8f0
 	}
7a7b8f0
 
7a7b8f0
-	log_handler = NULL;
7a7b8f0
-	log_handler_ctx = NULL;
7a7b8f0
+	if (reset_handler) {
7a7b8f0
+		log_handler = NULL;
7a7b8f0
+		log_handler_ctx = NULL;
7a7b8f0
+	}
7a7b8f0
 
7a7b8f0
 	log_on_stderr = on_stderr;
7a7b8f0
 	if (on_stderr)
f32b842
diff -up openssh-8.6p1/log.h.log-in-chroot openssh-8.6p1/log.h
f32b842
--- openssh-8.6p1/log.h.log-in-chroot	2021-04-19 14:43:08.544843434 +0200
f32b842
+++ openssh-8.6p1/log.h	2021-04-19 14:56:46.931042176 +0200
f32b842
@@ -52,6 +52,7 @@ typedef enum {
f32b842
 typedef void (log_handler_fn)(LogLevel, int, const char *, void *);
7a7b8f0
 
25c16c6
 void     log_init(const char *, LogLevel, SyslogFacility, int);
25c16c6
+void     log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
bbf61da
 LogLevel log_level_get(void);
5b55d09
 int      log_change_level(LogLevel);
7a7b8f0
 int      log_is_on_stderr(void);
f32b842
diff -up openssh-8.6p1/monitor.c.log-in-chroot openssh-8.6p1/monitor.c
f32b842
--- openssh-8.6p1/monitor.c.log-in-chroot	2021-04-19 14:43:08.526843298 +0200
f32b842
+++ openssh-8.6p1/monitor.c	2021-04-19 14:55:25.286424043 +0200
f32b842
@@ -297,6 +297,8 @@ monitor_child_preauth(struct ssh *ssh, s
3cd4899
 		close(pmonitor->m_log_sendfd);
7a7b8f0
 	pmonitor->m_log_sendfd = pmonitor->m_recvfd = -1;
7a7b8f0
 
7a7b8f0
+	pmonitor->m_state = "preauth";
7a7b8f0
+
def1deb
 	authctxt = (Authctxt *)ssh->authctxt;
7a7b8f0
 	memset(authctxt, 0, sizeof(*authctxt));
3cd4899
 	ssh->authctxt = authctxt;
f32b842
@@ -408,6 +410,8 @@ monitor_child_postauth(struct ssh *ssh,
7a7b8f0
 	close(pmonitor->m_recvfd);
7a7b8f0
 	pmonitor->m_recvfd = -1;
7a7b8f0
 
7a7b8f0
+	pmonitor->m_state = "postauth";
7a7b8f0
+
7a7b8f0
 	monitor_set_child_handler(pmonitor->m_pid);
51f5c1c
 	ssh_signal(SIGHUP, &monitor_child_handler);
51f5c1c
 	ssh_signal(SIGTERM, &monitor_child_handler);
f32b842
@@ -480,7 +484,7 @@ monitor_read_log(struct monitor *pmonito
25c16c6
 	/* Log it */
7a7b8f0
 	if (log_level_name(level) == NULL)
25c16c6
 		fatal_f("invalid log level %u (corrupted message?)", level);
f32b842
-	sshlogdirect(level, forced, "%s [preauth]", msg);
f32b842
+	sshlogdirect(level, forced, "%s [%s]", msg, pmonitor->m_state);
7a7b8f0
 
bbf61da
 	sshbuf_free(logmsg);
f32b842
 	free(msg);
f32b842
@@ -1868,13 +1872,28 @@ monitor_init(void)
6cf9b8e
 	mon = xcalloc(1, sizeof(*mon));
6cf9b8e
 	monitor_openfds(mon, 1);
7a7b8f0
 
7a7b8f0
+	mon->m_state = "";
7a7b8f0
+
7a7b8f0
 	return mon;
7a7b8f0
 }
7a7b8f0
 
7a7b8f0
 void
7a7b8f0
-monitor_reinit(struct monitor *mon)
7a7b8f0
+monitor_reinit(struct monitor *mon, const char *chroot_dir)
7a7b8f0
 {
7a7b8f0
-	monitor_openfds(mon, 0);
7a7b8f0
+	struct stat dev_log_stat;
7a7b8f0
+	char *dev_log_path;
7a7b8f0
+	int do_logfds = 0;
7a7b8f0
+
7a7b8f0
+	if (chroot_dir != NULL) {
7a7b8f0
+		xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
7a7b8f0
+
7a7b8f0
+		if (stat(dev_log_path, &dev_log_stat) != 0) {
25c16c6
+			debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir);
7a7b8f0
+			do_logfds = 1;
7a7b8f0
+		}
7a7b8f0
+		free(dev_log_path);
7a7b8f0
+	}
7a7b8f0
+	monitor_openfds(mon, do_logfds);
7a7b8f0
 }
7a7b8f0
 
7a7b8f0
 #ifdef GSSAPI
f32b842
diff -up openssh-8.6p1/monitor.h.log-in-chroot openssh-8.6p1/monitor.h
f32b842
--- openssh-8.6p1/monitor.h.log-in-chroot	2021-04-19 14:43:08.527843305 +0200
f32b842
+++ openssh-8.6p1/monitor.h	2021-04-19 14:43:08.545843441 +0200
f32b842
@@ -80,10 +80,11 @@ struct monitor {
6cf9b8e
 	int			 m_log_sendfd;
132f8f8
 	struct kex		**m_pkex;
7a7b8f0
 	pid_t			 m_pid;
7a7b8f0
+	char		*m_state;
7a7b8f0
 };
7a7b8f0
 
7a7b8f0
 struct monitor *monitor_init(void);
7a7b8f0
-void monitor_reinit(struct monitor *);
7a7b8f0
+void monitor_reinit(struct monitor *, const char *);
7a7b8f0
 
7a7b8f0
 struct Authctxt;
def1deb
 void monitor_child_preauth(struct ssh *, struct monitor *);
f32b842
diff -up openssh-8.6p1/session.c.log-in-chroot openssh-8.6p1/session.c
f32b842
--- openssh-8.6p1/session.c.log-in-chroot	2021-04-19 14:43:08.534843358 +0200
f32b842
+++ openssh-8.6p1/session.c	2021-04-19 14:43:08.545843441 +0200
6cf9b8e
@@ -160,6 +160,7 @@ login_cap_t *lc;
7a7b8f0
 
7a7b8f0
 static int is_child = 0;
13073f8
 static int in_chroot = 0;
7a7b8f0
+static int have_dev_log = 1;
13073f8
 
5b55d09
 /* File containing userauth info, if ExposeAuthInfo set */
5b55d09
 static char *auth_info_file = NULL;
f32b842
@@ -661,6 +662,7 @@ do_exec(struct ssh *ssh, Session *s, con
7a7b8f0
 	int ret;
13073f8
 	const char *forced = NULL, *tty = NULL;
13073f8
 	char session_type[1024];
7a7b8f0
+	struct stat dev_log_stat;
7a7b8f0
 
7a7b8f0
 	if (options.adm_forced_command) {
7a7b8f0
 		original_command = command;
f32b842
@@ -720,6 +722,10 @@ do_exec(struct ssh *ssh, Session *s, con
7a7b8f0
 			tty += 5;
7a7b8f0
 	}
7a7b8f0
 
7a7b8f0
+	if (lstat("/dev/log", &dev_log_stat) != 0) {
7a7b8f0
+		have_dev_log = 0;
7a7b8f0
+	}
7a7b8f0
+
13073f8
 	verbose("Starting session: %s%s%s for %s from %.200s port %d id %d",
7a7b8f0
 	    session_type,
7a7b8f0
 	    tty == NULL ? "" : " on ",
f32b842
@@ -1524,14 +1530,6 @@ child_close_fds(struct ssh *ssh)
bd35168
 
bd35168
 	/* Stop directing logs to a high-numbered fd before we close it */
bd35168
 	log_redirect_stderr_to(NULL);
7a7b8f0
-
7a7b8f0
-	/*
7a7b8f0
-	 * Close any extra open file descriptors so that we don't have them
7a7b8f0
-	 * hanging around in clients.  Note that we want to do this after
7a7b8f0
-	 * initgroups, because at least on Solaris 2.3 it leaves file
7a7b8f0
-	 * descriptors open.
7a7b8f0
-	 */
7a7b8f0
-	closefrom(STDERR_FILENO + 1);
7a7b8f0
 }
7a7b8f0
 
7a7b8f0
 /*
f32b842
@@ -1665,8 +1663,6 @@ do_child(struct ssh *ssh, Session *s, co
7a7b8f0
 			exit(1);
7a7b8f0
 	}
7a7b8f0
 
7a7b8f0
-	closefrom(STDERR_FILENO + 1);
7a7b8f0
-
3cd4899
 	do_rc_files(ssh, s, shell);
7a7b8f0
 
6cf9b8e
 	/* restore SIGPIPE for child */
f32b842
@@ -1691,9 +1687,17 @@ do_child(struct ssh *ssh, Session *s, co
7a7b8f0
 		argv[i] = NULL;
7a7b8f0
 		optind = optreset = 1;
7a7b8f0
 		__progname = argv[0];
7a7b8f0
-		exit(sftp_server_main(i, argv, s->pw));
7a7b8f0
+		exit(sftp_server_main(i, argv, s->pw, have_dev_log));
7a7b8f0
 	}
7a7b8f0
 
7a7b8f0
+	/*
7a7b8f0
+	 * Close any extra open file descriptors so that we don't have them
7a7b8f0
+	 * hanging around in clients.  Note that we want to do this after
7a7b8f0
+	 * initgroups, because at least on Solaris 2.3 it leaves file
7a7b8f0
+	 * descriptors open.
7a7b8f0
+	 */
7a7b8f0
+	closefrom(STDERR_FILENO + 1);
7a7b8f0
+
7a7b8f0
 	fflush(NULL);
7a7b8f0
 
6cf9b8e
 	/* Get the last component of the shell name. */
f32b842
diff -up openssh-8.6p1/sftp.h.log-in-chroot openssh-8.6p1/sftp.h
f32b842
--- openssh-8.6p1/sftp.h.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
f32b842
+++ openssh-8.6p1/sftp.h	2021-04-19 14:43:08.545843441 +0200
6cf9b8e
@@ -97,5 +97,5 @@
7a7b8f0
 
6cf9b8e
 struct passwd;
6cf9b8e
 
6cf9b8e
-int	sftp_server_main(int, char **, struct passwd *);
6cf9b8e
+int	sftp_server_main(int, char **, struct passwd *, int);
6cf9b8e
 void	sftp_server_cleanup_exit(int) __attribute__((noreturn));
f32b842
diff -up openssh-8.6p1/sftp-server.c.log-in-chroot openssh-8.6p1/sftp-server.c
f32b842
--- openssh-8.6p1/sftp-server.c.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
f32b842
+++ openssh-8.6p1/sftp-server.c	2021-04-19 14:43:08.545843441 +0200
f32b842
@@ -1644,7 +1644,7 @@ sftp_server_usage(void)
7a7b8f0
 }
7a7b8f0
 
7a7b8f0
 int
7a7b8f0
-sftp_server_main(int argc, char **argv, struct passwd *user_pw)
7a7b8f0
+sftp_server_main(int argc, char **argv, struct passwd *user_pw, int reset_handler)
7a7b8f0
 {
7a7b8f0
 	fd_set *rset, *wset;
132f8f8
 	int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0;
f32b842
@@ -1657,7 +1657,7 @@ sftp_server_main(int argc, char **argv,
36fef56
 	extern char *__progname;
7a7b8f0
 
7a7b8f0
 	__progname = ssh_get_progname(argv[0]);
7a7b8f0
-	log_init(__progname, log_level, log_facility, log_stderr);
7a7b8f0
+	log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
7a7b8f0
 
7a7b8f0
 	pw = pwcopy(user_pw);
7a7b8f0
 
f32b842
@@ -1730,7 +1730,7 @@ sftp_server_main(int argc, char **argv,
7a7b8f0
 		}
7a7b8f0
 	}
7a7b8f0
 
7a7b8f0
-	log_init(__progname, log_level, log_facility, log_stderr);
7a7b8f0
+	log_init_handler(__progname, log_level, log_facility, log_stderr, reset_handler);
7a7b8f0
 
1900351
 	/*
5878ebb
 	 * On platforms where we can, avoid making /proc/self/{mem,maps}
f32b842
diff -up openssh-8.6p1/sftp-server-main.c.log-in-chroot openssh-8.6p1/sftp-server-main.c
f32b842
--- openssh-8.6p1/sftp-server-main.c.log-in-chroot	2021-04-16 05:55:25.000000000 +0200
f32b842
+++ openssh-8.6p1/sftp-server-main.c	2021-04-19 14:43:08.545843441 +0200
f32b842
@@ -50,5 +50,5 @@ main(int argc, char **argv)
6cf9b8e
 		return 1;
6cf9b8e
 	}
7a7b8f0
 
6cf9b8e
-	return (sftp_server_main(argc, argv, user_pw));
6cf9b8e
+	return (sftp_server_main(argc, argv, user_pw, 0));
6cf9b8e
 }
f32b842
diff -up openssh-8.6p1/sshd.c.log-in-chroot openssh-8.6p1/sshd.c
f32b842
--- openssh-8.6p1/sshd.c.log-in-chroot	2021-04-19 14:43:08.543843426 +0200
f32b842
+++ openssh-8.6p1/sshd.c	2021-04-19 14:43:08.545843441 +0200
f32b842
@@ -559,7 +559,7 @@ privsep_postauth(struct ssh *ssh, Authct
7a7b8f0
 	}
7a7b8f0
 
7a7b8f0
 	/* New socket pair */
7a7b8f0
-	monitor_reinit(pmonitor);
7a7b8f0
+	monitor_reinit(pmonitor, options.chroot_directory);
7a7b8f0
 
7a7b8f0
 	pmonitor->m_pid = fork();
7a7b8f0
 	if (pmonitor->m_pid == -1)
f32b842
@@ -578,6 +578,11 @@ privsep_postauth(struct ssh *ssh, Authct
7a7b8f0
 
7a7b8f0
 	close(pmonitor->m_sendfd);
7a7b8f0
 	pmonitor->m_sendfd = -1;
7a7b8f0
+	close(pmonitor->m_log_recvfd);
7a7b8f0
+	pmonitor->m_log_recvfd = -1;
7a7b8f0
+
7a7b8f0
+	if (pmonitor->m_log_sendfd != -1)
7a7b8f0
+		set_log_handler(mm_log_handler, pmonitor);
7a7b8f0
 
7a7b8f0
 	/* Demote the private keys to public keys. */
7a7b8f0
 	demote_sensitive_data();