[scponly] sftp with scponlyc

Joe Rice riceja at water-melon.net
Thu Jul 31 10:19:15 EDT 2003


Hi,
  I just ran into this as a problem yesterday.  Because of the order in which configure.in has the search path
for sftp-server defined, I was taken for a ride trying to get the chroot to work.  sftp-server resides
in /usr/libexec/openssh in Red Hat 9.  I had installed a newer version of openssh into /usr/local
and had confirmed that my chroot environment worked with /usr/local/libexec/sftp-server.  But, because
scponly had the other path embedded to sftp-server, sftp clients couldn't connect.  After a few
strace sessions I figured this out.  I then changed the path in config.h and compiled again.  Everything
worked after that.

I'm going to try and get the ssh that ships with Red Hat 9 to work in the chroot.  Right now it is getting
hung up on /usr/kerberos/lib/libkrb5.so.3 (which of course is in the chroot tree).  Any insight would
be appreciated.  If I have any success, I'll post my findings.

thanks,
joe

wby oblyr(joe at sublimation.org)@Thu, Jul 31, 2003 at 01:03:30AM -0700:
> Roger,
> 
> One thing to note when custom building your own chrooted scponly environments is that the ./configure script tries to find the location of 
> your binaries in your "real" filesystem - it then embeds these values into the scponly binary itself as immutable full pathnames.  It does 
> this to alleviate/prevent searching a PATH for a matching executable.  This is security paranoia, really.  In any case, the automatic chroot 
> builder tries to put binaries in your chrooted system in the same relative place as they were located in your real filesystem.  For example, 
> if you have a /usr/local/openssh/sftp-server, the chroot builder will put the sftp-server bin in /chrooted/usr/local/openssh/sftp-server and 
> NOT /chrooted/bin/sftp-server or /chrooted/usr/bin/sftp-server, etc.
> 
> Maybe that will help some? Unfortunately, I'm not well versed in the various revision levels and nuances of the various ssh systems so I 
> can't say specifically why you're having the problems you described.  If you have more troubles, keep sending to the list and I will try to 
> keep an eye on it.
> 
> Anyway, good luck,
> joe
> 
> roger at rope.net wrote this message on Wed, Jul 30, 2003 at 18:07 -0600:
> > On Wed, 30 Jul 2003 roger at rope.net wrote:
> > 
> > > 	Well, it looks like I'm getting closer to the answer, but there's
> > > a ways to go, yet. Any pointers would be appreciated. Thanks.
> > 
> > 	Status: With a newer sftp that I tested, I was able to specify the
> > path to the sftp-server from the commandline, and that worked.
> > 
> > 	Unfortunately, even though the man page says you can do it with
> > the older sftp I have, it actually doesn't.
> > 
> > 	So, it all works "good enuff". Linux users can use the "latest"
> > sftp and Windows users can use WinSCP/sftp and the environment is chrooted
> > for security.
> > 
> > 	Next to do is to pare down the chroot environment, as I have
> > undoubtedly added a lot of extraneous stuff because I thought that
> > environment was incomplete...
> > 
> > -- 
> > Roger Walker                    spam free @ http://www.evsmail.com
> > Voice/Fax 1-780-440-2685                    http://www.rat-hole.com
> > "HIS Pain - OUR Gain"                       http://www.man-from-linux.com
> > 
> > 
> > _______________________________________________
> > scponly mailing list
> > scponly at lists.ccs.neu.edu
> > https://lists.ccs.neu.edu/bin/listinfo/scponly
> 
> -- 
> ----
> 
> PGP KEY: http://www.sublimation.org/contact.html
> PGP Key fingerprint = EC4B 0DA5 B4F6 BDDD 9176 55D6 3A6A 7D63 158F 22D2 
> 
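The two failure modes in this thread, a compiled-in sftp-server path that does not exist at the same relative location inside the chroot, and a shared library (libkrb5.so.3 above) that the chrooted binary needs but the jail does not contain, can both be checked before reaching for strace. The script below is an added example, not part of this thread and not scponly's own code. The throwaway chroot tree, the stand-in "scponlyc" file with an embedded path, and the ldd listing it uses are constructed here for illustration and are assumptions; on a real host the same functions are pointed at your actual chroot root, the real scponlyc binary, and real `ldd` output.

```shell
#!/bin/sh
# Added example, not scponly's own code: two checks for the failure modes in
# this thread. (1) The sftp-server path that ./configure compiled into scponlyc
# must exist at the same relative location under the chroot. (2) Every shared
# library a chrooted binary needs (per ldd) must be present under the chroot,
# otherwise the dynamic loader fails inside the jail.
# Assumptions: the chroot tree, the fake "scponlyc" file and the ldd output
# below are constructed for illustration; on a real host point these functions
# at your actual chroot, binary and `ldd` output.

# embedded_sftp_path BIN: print the first absolute path ending in sftp-server
# among the binary's printable strings (what `strings BIN | grep sftp-server`
# shows), without requiring binutils.
embedded_sftp_path() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^/.*sftp-server$' | head -n 1
}

# check_in_chroot ROOT PATH: succeed only if ROOT/PATH exists as a regular file.
check_in_chroot() {
    [ -f "$1$2" ]
}

# missing_libs ROOT < ldd-output: print each absolute library path from ldd
# output that is absent under ROOT; fail if any are missing.
missing_libs() {
    root=$1
    missing=0
    while read -r line; do            # read strips the leading tab ldd prints
        case $line in
            *"=>"*) lib=${line#*=> }; lib=${lib%% *} ;;  # "libc.so.6 => /lib/libc.so.6 (0x..)"
            *)      lib=${line%% *} ;;                   # "/lib/ld-linux.so.2 (0x..)"
        esac
        case $lib in                    # vdso and "not found" entries are skipped
            /*) [ -f "$root$lib" ] || { printf '%s\n' "$lib"; missing=1; } ;;
        esac
    done
    return $missing
}

# make_demo_chroot: build a throwaway tree mirroring the thread's situation
# (sftp-server under /usr/local/libexec, libkrb5 left out) and print its root.
make_demo_chroot() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/libexec" "$root/lib" "$root/usr/lib"
    : > "$root/usr/local/libexec/sftp-server"
    : > "$root/lib/libc.so.6"
    : > "$root/lib/ld-linux.so.2"
    : > "$root/usr/lib/libcrypto.so.0.9.7a"
    printf '%s\n' "$root"
}

# make_fake_scponlyc FILE: write a file with the Red Hat 9 sftp-server path
# embedded among non-printable bytes, standing in for a configured scponlyc.
make_fake_scponlyc() {
    printf 'ELF\000junk\001/usr/libexec/openssh/sftp-server\000more\n' > "$1"
}

# Constructed ldd output for an sftp-server linked against Red Hat's Kerberos.
DEMO_LDD='    libcrypto.so.0.9.7a => /usr/lib/libcrypto.so.0.9.7a (0x40020000)
    libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x40100000)
    libc.so.6 => /lib/libc.so.6 (0x42000000)
    /lib/ld-linux.so.2 (0x40000000)'

# demo: run both checks against the constructed tree and report.
demo() {
    root=$(make_demo_chroot)
    make_fake_scponlyc "$root/scponlyc"
    path=$(embedded_sftp_path "$root/scponlyc")
    if check_in_chroot "$root" "$path"; then
        echo "ok: $path present in chroot"
    else
        echo "MISSING: scponlyc expects $path but chroot has no $root$path"
    fi
    printf '%s\n' "$DEMO_LDD" | missing_libs "$root" | sed 's/^/MISSING lib: /'
    rm -rf "$root"
}

demo
```

On a live system, replace make_demo_chroot with the real chroot root, feed `ldd /usr/libexec/openssh/sftp-server` (the un-chrooted copy) into missing_libs, and copy each library it reports to the same relative path under the chroot, which is the same rule the chroot builder applies to binaries.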