Log when a client requests an interactive session and only sftp is allowed

openssh-7.9p1-log-sftp-only-connections.patch

@@ -0,0 +1,11 @@
+diff --git a/session.c b/session.c
+--- a/session.c
++++ b/session.c
+@@ -1859,6 +1859,7 @@ do_child(Session *s, const char *command)
+ 
+ 	if (s->is_subsystem == SUBSYSTEM_INT_SFTP_ERROR) {
+ 		printf("This service allows sftp connections only.\n");
++		logit("The session allows sftp connections only");
+ 		fflush(NULL);
+ 		exit(1);
+ 	} else if (s->is_subsystem == SUBSYSTEM_INT_SFTP) {

openssh.spec

@@ -237,6 +237,9 @@ Patch957: openssh-7.9p1-CVE-2018-20685.patch
 #  - do not return 0 if the write fails (full disk)
 #  - shellcheck reports (upstream #2902)
 Patch958: openssh-7.9p1-ssh-copy-id.patch
+# log when a client requests an interactive session and only sftp is allowed
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2960
+Patch959: openssh-7.9p1-log-sftp-only-connections.patch
 
 License: BSD
 Requires: /sbin/nologin
@@ -457,6 +460,7 @@ popd
 %patch956 -p1 -b .backports
 %patch957 -p1 -b .CVE-2018-20685
 %patch958 -p1 -b .ssh-copy-id
+%patch959 -p1 -b .log-sftp-only
 
 %patch200 -p1 -b .audit
 %patch201 -p1 -b .audit-race