[scponly] scp failing in chrooted environment
Anthony Brock
Anthony_Brock at ous.edu
Mon Apr 11 16:34:00 EDT 2005
Paul,
My SuSE system required the 'lib/tls' directory to resolve some VERY weird behavior. Otherwise, you need the appropriate pam security modules in 'lib/security'. For example, a pam configuration in '/etc/pam.d/sshd' of:
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so
would require (at least):
lib/security/pam_unix2.so
lib/security/pam_nologin.so
lib/security/pam_env.so
lib/security/pam_pwcheck.so
lib/security/pam_limits.so
Also, I had to copy the '/etc/security/' directory to 'etc/security/'. Building the chroot seemed to be more of an art form than anything else. However, I'm not positive that everything listed above is absolutely necessary for things to function. I would recommend the liberal use of 'sshd -ddd' when trying to discover what is necessary.
Good luck!
Tony
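An added example, not part of Tony's message or of the scponly project: a POSIX shell script that checks a chroot tree against the requirements listed above (the module files named in the pam.d config present under lib/security, an etc/security directory, and a passwd entry for the chrooted uid, which is what getpwuid needs). The directory layout, the sample PAM file and the uid 10001 tree it builds in a temp directory are assumptions made for the demonstration; on a real system point check_chroot at the actual chroot and /etc/pam.d/sshd, and still confirm with sshd -ddd.

```shell
#!/bin/sh
# Added example (not from the thread or from scponly): sanity-check a
# scponly chroot against the requirements Tony lists. Paths such as
# lib/security, etc/security and etc/passwd are assumed to mirror the host
# layout; 'sshd -ddd' remains the authoritative way to find what is missing.

# Print the module file names referenced in a pam.d config, one per line,
# deduplicated. Comments are stripped first; the module is the third field.
pam_modules_in() {
    sed 's/#.*//' "$1" | awk 'NF >= 3 { print $3 }' | sort -u
}

# Print every module from pam config $2 that is absent under $1/lib/security.
missing_pam_modules() {
    for mod in $(pam_modules_in "$2"); do
        [ -f "$1/lib/security/$mod" ] || echo "$mod"
    done
}

# Succeed when $1/etc/passwd carries an entry for uid $2. getpwuid() inside
# the chroot can only resolve the uid from files it can still reach; when it
# cannot, scp reports "unknown user <uid>".
chroot_has_uid() {
    [ -r "$1/etc/passwd" ] &&
        awk -F: -v u="$2" '$3 == u { found = 1 } END { exit !found }' "$1/etc/passwd"
}

# Count regular files matching pattern $2 anywhere under $1 (used for
# libnss_files, which glibc loads at runtime for the 'files' NSS backend).
count_under() {
    find "$1" -name "$2" -type f | wc -l | tr -d ' '
}

# Human-readable report; returns 1 if anything required is missing.
check_chroot() {
    dir=$1 pam=$2 uid=$3 status=0
    for mod in $(missing_pam_modules "$dir" "$pam"); do
        echo "missing: lib/security/$mod"; status=1
    done
    [ -d "$dir/etc/security" ] || { echo "missing: etc/security/"; status=1; }
    chroot_has_uid "$dir" "$uid" || { echo "missing: etc/passwd entry for uid $uid"; status=1; }
    [ "$(count_under "$dir" 'libnss_files.so*')" -gt 0 ] ||
        echo "warning: no libnss_files.so* under $dir (needed for the files NSS backend)"
    return $status
}

# Constructed sample chroot so the script runs offline: two of the five
# modules named by the sample PAM config are deliberately left out.
make_sample_chroot() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/security" "$d/etc/security"
    for m in pam_unix2.so pam_nologin.so pam_env.so; do : > "$d/lib/security/$m"; done
    printf 'root:x:0:0:root:/root:/bin/sh\nscpuser:x:10001:100::/home/scpuser:/bin/sh\n' \
        > "$d/etc/passwd"
    cat > "$d/pam_sshd.sample" <<'EOF'
auth     required pam_unix2.so # set_secrpc
auth     required pam_nologin.so
auth     required pam_env.so
account  required pam_unix2.so
account  required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session  required pam_unix2.so none # trace or debug
session  required pam_limits.so
EOF
    echo "$d"
}

# Usage: check the constructed tree for uid 10001 (reports two missing modules).
sample=$(make_sample_chroot)
check_chroot "$sample" "$sample/pam_sshd.sample" 10001 || true
rm -rf "$sample"
```

The module list is derived from the PAM config rather than hard-coded, so the same check works for a differently configured sshd; the libnss_files check is a warning only, because a chroot built for pam_ldap or another backend will need different NSS libraries.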
>>> Paul Jones <shagreel at gmail.com> 04/11/05 12:35PM >>>
That very well could be the problem. I am running on suse linux with
openssh. I am using pam_ldap and nss_ldap to lookup the users and so forth.
So, /etc/passwd does not have the user info in it. Any idea what needs to be
in the chrooted environment for pam_ldap to work?
Paul
On Apr 11, 2005 12:55 PM, Paul Hyder <Paul.Hyder at noaa.gov> wrote:
>
> Which operating system and ssh? (e.g. The OpenSSH scp calls getpwuid to
> verify the UID and since it is run after the chroot it could be something
> simple like your chrooted /etc/passwd is missing or unreadable; but the
> passwd file isn't always the cause. With OpenSSH it does mean the
> getpwuid is returning NULL.)
> Paul Hyder
> NOAA Forecast Systems Lab
> Boulder, CO.
>
> Paul Jones wrote:
> > I have set up scponly and it is almost working perfectly. I use it with
> > the chroot option. rsync works, sftp works, but scp does not. scp complains:
> > "unknown user 10001" 10001 is the correct user id. I am thinking that I
> > have just left something out of the chrooted area that it needs, but I can
> > not figure out what. usr/bin/id, usr/bin/groups, usr/bin/scp are all there.
> > Any thoughts about what might be wrong?
> >
> > Paul
> > _______________________________________________
> > scponly mailing list
> > scponly at lists.ccs.neu.edu
> > https://lists.ccs.neu.edu/bin/listinfo/scponly