[scponly] SCPOnly 4.0, ftp login no longer working
bishop
bishop at platypus.bc.ca
Tue Mar 22 05:13:02 EST 2005
Hi Rushani,
Sorry that this email is long.
Hideyuki KURASHINA wrote:
> Hi,
>
>>>>On Mon, 21 Mar 2005 16:55:14 -0800, bishop <bishop at platypus.bc.ca> said:
>
>>After upgrading to SCPOnly 4.0, one of my users, who enjoys ftp access,
>>noticed that he's no longer able to log into the ftp server. I tried
>>this myself, noticing that scponly now seems to forbid ftp access.
>>Users with cvsonly, for instance, had no such problem.
>
> scponly does not allow FTP access, but just SFTP (and others).
Oh, but it *did*. 3.9 allowed ftp access without a problem, and
provided an excellent 'cross over' config for people who think ftp is
the only way to transfer files. 4.0 forbids it.
> [root at shuttle root]# rpm -i scponly-3.9-1.1.rh9.i386.rpm
> [root at shuttle root]# usermod -s `which scponly` bishop
> [root at shuttle root]# ftp localhost
> Connected to localhost (127.0.0.1).
> 220 shuttle FTP server (Version wu-2.7.0-13) ready.
> Name (localhost:root): bishop
> 331 Password required for bishop.
> Password:
> 230 User bishop logged in. Access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> bye
> 221 Goodbye.
> [root at shuttle root]# rpm -Fvh scponly-4.0-1.2.rh9.i386.rpm
> [root at shuttle root]# ftp localhost
> Connected to localhost (127.0.0.1).
> 220 shuttle FTP server (Version wu-2.7.0-13) ready.
> Name (localhost:root): bishop
> 331 Password required for bishop.
> Password:
> 530 Login incorrect.
The behaviour is Definitely changed.
>>I'm curious to know if something changed between 3.9 and 4.0 that would
>>now forbid this. Both were built identically, and both installed via
>>the same process as well.
>
> How do you build it? Please provide details of your process.
The build procedure is pretty standard:
- patch to permit sane builds
(mainly disarming 'install -o' pitfalls and fixing one directory spec)
- %configure
> CFLAGS="${CFLAGS:--O2 -g -pipe -march=i386 -mcpu=i686}" ; export CFLAGS ;
> CXXFLAGS="${CXXFLAGS:--O2 -g -pipe -march=i386 -mcpu=i686}" ; export CXXFLAGS ;
> FFLAGS="${FFLAGS:--O2 -g -pipe -march=i386 -mcpu=i686}" ; export FFLAGS ;
> for i in $(find . -name config.guess 2>/dev/null) $(find . -name config.sub 2>/dev/null) ; do
> [ -f /usr/share/libtool/$(basename $i) ] && /bin/rm -f $i && /bin/cp -fv /usr/share/libtool/$(basename $i) $i ;
> done ;
> ./configure --host=i686-pc-linux-gnu --build=i686-pc-linux-gnu \
> --target=i386-redhat-linux-gnu \
> --program-prefix= \
> --prefix=/usr \
> --exec-prefix=/usr \
> --bindir=/usr/bin \
> --sbindir=/usr/sbin \
> --sysconfdir=/etc \
> --datadir=/usr/share \
> --includedir=/usr/include \
> --libdir=/usr/lib \
> --libexecdir=/usr/libexec \
> --localstatedir=/var \
> --sharedstatedir=/usr/com \
> --mandir=/usr/share/man \
> --infodir=/usr/share/info
- make
- %makeinstall:
> make \
> prefix=/usr \
> exec_prefix=/usr \
> bindir=/usr/bin \
> sbindir=/usr/sbin \
> sysconfdir=/etc \
> datadir=/usr/share \
> includedir=/usr/include \
> libdir=/usr/lib \
> libexecdir=/usr/libexec \
> localstatedir=/var \
> sharedstatedir=/usr/com \
> mandir=/usr/share/man \
> infodir=/usr/share/info \
> install
There is no difference in the procedure between the two builds. I can
give you two SRPMs, but I don't know if they would be useful for you.
> Without applying any flag to a configure script, ``scponly'' binary built
> from source works fine here (of course, both SCP and SFTP).
*ftp*, and not *sftp*. I'd like to see FTPS, so we have features and
privacy, but FTPS is so unknown that people can't even discern it from
SFTP, let alone know to request it.
>>So, first-off, any intentional code change that would change this
>>behaviour? A true to a false, perhaps?
>
> I don't know... What about your log file? Is there any changes
> after upgrading your scponly binary?
Unfortunately, no. In one case the user is permitted login, and in the
other case the user is not:
> Mar 22 04:20:48 shuttle ftpd[12947]: wu-ftpd - TLS settings: control allow, client_cert allow, data allow
> Mar 22 04:20:51 shuttle ftp(pam_unix)[12947]: session opened for user bishop by (uid=0)
> Mar 22 04:21:39 shuttle ftpd[12961]: wu-ftpd - TLS settings: control allow, client_cert allow, data allow
> Mar 22 04:21:44 shuttle ftpd[12961]: failed login from shuttle [127.0.0.1]
> Mar 22 04:21:45 shuttle ftpd[12961]: FTP session closed
No more info than that. No messages about commands not permitted, no
missing shell messages (the RPM takes care of that) or anything. I
suspect that some check that PAM was doing before which now seems to
fail, but I can't guess which it is.
>>If someone can point me to the CVS, I'd greatly appreciate it.
>
> It seems that CVSweb on http://sublimation.org/cgi-bin/cvsweb/scponly/
> is not configured well. Get diff between
>
> http://www.sublimation.org/scponly/scponly-4.0.tgz
>
> and
>
> http://www.sublimation.org/scponly/scponly-3.9.tgz
>
> manually.
Yes, I will do that, if there is no other option. It's too bad that
read-only CVS seems to be broken on the main site: That ability to see
the context and timing of changes to the source has been invaluable in
other cases.
Hey, 2100 lines of udiff. Unfortunately I have work to do - my regular
job is coding unix apps and not admin stuff - so this course of action
may have to wait. Ironically, I've downgraded the SCPONLY binary to
remove CVS support, just for testing this bug, and now I'll be swapping
out the user's shell to be cvsonly (which only provides a subset of
scponly 3.9's features), just so he can use FTP to transfer his stuff
because scponly 4.0 removed that bug-not-feature. At least he can FTP
and I can sleep soundly, when I do.
I may not be the only one to hope that scponly shell would allow ftp access:
http://textdrive.com/support/?_a=knowledgebase&_j=questiondetails&_i=70 (#3)
https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/MailServer#Edit_etc_shells_so_that_ftp_will
I'm sure there are more, who either haven't upgraded to the secure 4.0
(eep!) or maybe haven't noticed the problem.
- bish
More information about the scponly
mailing list