[scponly] sftp with scponlyc

roger at rope.net
Thu Jul 31 11:09:25 EDT 2003


	To the list admin: I'd like to request/suggest that you set the
Reply-To: header to point back to the list. Thanks.

On Thu, 31 Jul 2003, Joe Rice wrote:

>   I just ran into this as a problem yesterday.  Because of the order
> configure.in has the search path for sftp-server defined, I was taken
> for a ride trying to get the chroot to work.  sftp-server resides in
> /usr/libexec/openssh in Red Hat 9.  I had installed a newer version of
> openssh into /usr/local and had confirmed that my chroot environment
> worked with /usr/local/libexec/sftp-server.  But, because scponly had
> the other path embedded to sftp-server, sftp clients couldn't connect.
> After a few strace sessions I figured this out.  I then changed the
> path in config.h and compiled again.  Everything worked after that.
>
> I'm going to try and get the ssh that ships with Red Hat 9 to work in
> the chroot.  Right now it is getting hung up on
> /usr/kerberos/lib/libkrb5.so.3 (which of course is in the chroot
> tree).  Any insight would be appreciated.  If I have any success, I'll
> post my findings.

	What I found is that the chroot script didn't seem to get all of
the libraries, or didn't put them in the correct paths. Some binaries are
looking for the library in an absolute path, and won't be found in the
$HOME/lib directory. 'ldd' will show complete paths where they are
required. (I am using Mandrake 9.1 and the filesystem layout that was
duplicated for chroot works fine.)

	Also, if the sftp client allows it, you can specify the remote path to
sftp-server (but the one that prompted my first post to the list didn't
have that capability, and was looking for "sftpserv" by default).

wby oblyr(joe at sublimation.org)@Thu, Jul 31, 2003 at 01:03:30AM -0700:
> One thing to note when custom building your own chrooted scponly
> environments is that the ./configure script tries to find the
> location of your binaries in your "real" filesystem - it then embeds
> these values into the scponly binary itself as immutable full
> pathnames.  It does this to alleviate/prevent searching a PATH for a
> matching executable.  This is security paranoia, really.  In any case,
> the automatic chroot builder tries to put binaries in your chrooted
> system in the same relative place as they were located in your real
> filesystem.  For example, if you have a
> /usr/local/openssh/sftp-server, the chroot builder will put the
> sftp-server bin in /chrooted/usr/local/openssh/sftp-server and NOT
> /chrooted/bin/sftp-server or /chrooted/usr/bin/sftp-server, etc.
>
> Maybe that will help some?  Unfortunately, I'm not well versed in the
> various revision levels and nuances of the various ssh systems so I
> can't say specifically why you're having the problems you described.
> If you have more troubles, keep sending to the list and I will try to
> keep an eye on it.

	As noted in my previous post, sftp and rsync are now working in
the chroot environment (except for my one system using an older sftp, but
I'll have full ssh access anyway, so not an issue - nice to know if a
client is having issues, though). Because I thought the issue was the
chroot environment, I probably added much more to it than is necessary, so
I'll be paring it down. Once I get the bare minimum, I'll use that to
clone my other chroot environments.

	Thanks, all, for the comments.

-- 
Roger Walker                    spam free @ http://www.evsmail.com
Voice/Fax 1-780-440-2685                    http://www.rat-hole.com
"HIS Pain - OUR Gain"                       http://www.man-from-linux.com
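
The check Roger describes above (run ldd on the real binary, then confirm
each library it names exists at the same absolute path under the chroot,
since the scponly chroot builder mirrors the real layout) is easy to script.
The following is an added example, not code from this thread or from the
scponly project. The ldd output is constructed to resemble a Red Hat 9
sftp-server linked against Kerberos; the function names, the CHROOT
variable and the assumption of a 32-bit /lib and /usr/lib default search
path are mine.

```shell
#!/bin/sh
# Added example: verify a scponly-style chroot against ldd output.
# Not part of scponly; function names and sample data are constructed.

# Constructed ldd output (leading tabs as ldd prints them). Two shapes
# occur: "name => /abs/path (addr)" and "/abs/path (addr)" for the loader.
SAMPLE_LDD='	libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x40030000)
	libcrypto.so.4 => /lib/libcrypto.so.4 (0x40090000)
	libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
	/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# Read ldd output on stdin, print each resolved absolute path, one per line.
# Entries with no path (linux-gate.so.1, "not found") are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# missing_libs ROOT LDD_OUTPUT: print libraries that do not exist at the
# same absolute path under ROOT. Note that running ldd on the copy inside
# the chroot would resolve against the host, so we compare paths instead.
missing_libs() {
    root="$1"
    printf '%s\n' "$2" | ldd_paths | while IFS= read -r lib; do
        [ -e "$root$lib" ] || printf '%s\n' "$lib"
    done
}

# nondefault_libs LDD_OUTPUT: libraries outside the loader's built-in
# /lib and /usr/lib (32-bit layout assumed). Inside the chroot these are
# only found through ROOT/etc/ld.so.cache, RPATH or LD_LIBRARY_PATH, so a
# file that is present can still fail to load; "ldconfig -r ROOT" builds
# the cache the chroot needs.
nondefault_libs() {
    printf '%s\n' "$1" | ldd_paths | awk '$0 !~ /^\/(usr\/)?lib\//'
}

# copy_libs ROOT LDD_OUTPUT: populate ROOT from the host, preserving paths.
copy_libs() {
    root="$1"
    printf '%s\n' "$2" | ldd_paths | while IFS= read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp -L "$lib" "$root$lib"     # -L: copy the real object, not a symlink
    done
}

# Usage: CHROOT=/home/scponly ./check-chroot.sh /usr/libexec/openssh/sftp-server
# The real ldd is only invoked when binaries are given on the command line.
if [ $# -gt 0 ]; then
    root="${CHROOT:-/chroot}"
    for bin in "$@"; do
        out=$(ldd "$bin")
        echo "== $bin: missing under $root"
        missing_libs "$root" "$out"
        echo "== $bin: outside /lib and /usr/lib (needs $root/etc/ld.so.cache)"
        nondefault_libs "$out"
    done
fi
```

Run it against every binary the chroot has to execute (sftp-server, rsync,
the shell scponly invokes), not just sftp-server, and after copying rebuild
the cache with ldconfig -r so libraries in directories such as
/usr/kerberos/lib are findable from inside the jail.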
