[scponly] scponly 4.6 on OpenBSD 3.9

jp provision jp at pro-vision.net
Sat Aug 19 20:21:04 EDT 2006


Hello all,

I am unable to get WinSCP to successfully authenticate an sftp session. Here is my configuration:

- OpenBSD 3.9 install with some basic packages.
- scponly 4.6
- WinSCP 3.8.2

Here is how it went down:

-----snip-----
bash-3.1# ./configure --enable-chrooted-binary
checking build system type... i386-unknown-openbsd3.9
checking host system type... i386-unknown-openbsd3.9
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking for cut... /usr/bin/cut
checking for grep... /usr/bin/grep
checking for sort... /usr/bin/sort
checking for ldd... /usr/bin/ldd
checking for useradd... /usr/sbin/useradd
checking for chown... /sbin/chown
checking for chmod... /bin/chmod
checking for dirname... /usr/bin/dirname
checking for id... /usr/bin/id
checking for pw... no
checking for rm... /bin/rm
checking for pwd_mkdb... /usr/sbin/pwd_mkdb
configure: enabling WinSCP compatability...
checking for pwd... /bin/pwd
checking for groups... /usr/bin/groups
checking for id... /usr/bin/id
checking for echo... /bin/echo
configure: enabling SFTP compatability...
checking for sftp-server... /usr/libexec/sftp-server
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking wordexp.h usability... no
checking wordexp.h presence... no
checking for wordexp.h... no
checking glob.h usability... yes
checking glob.h presence... yes
checking for glob.h... yes
checking libgen.h usability... yes
checking libgen.h presence... yes
checking for libgen.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for working alloca.h... no
checking for alloca... yes
checking for malloc... yes
checking for atexit... yes
checking for bzero... yes
checking for strchr... yes
checking for strerror... yes
checking for glob... yes
checking for wordexp... no
checking for strspn... yes
checking for basename... yes
checking for getopt... yes
checking whether optreset is declared... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating setup_chroot.sh
config.status: creating config.h
config.status: config.h is unchanged
bash-3.1#
bash-3.1#
bash-3.1#
bash-3.1# make
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly.o -c scponly.c
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o helper.o -c helper.c
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly scponly.o helper.o
scponly.o(.text+0x1a7): In function `main':
/usr/local/src/scponly/scponly-4.6/scponly.c:232: warning: strcpy() is almost always misused, please use strlcpy()
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o groups groups.c
bash-3.1# make install
echo "0" > debuglevel
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then /usr/bin/install -c -d /usr/local/sbin; rm -f /usr/local/sbin/scponlyc; cp scponly scponlyc; /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; fi
bash-3.1#
bash-3.1#
bash-3.1#
bash-3.1# echo /usr/local/sbin/scponlyc >> /etc/shells
bash-3.1#
bash-3.1#
bash-3.1#
bash-3.1# make jail
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then /usr/bin/install -c -d /usr/local/sbin; rm -f /usr/local/sbin/scponlyc; cp scponly scponlyc; /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.

for this reason, a writeable subdirectory will be created that
the scponly user can write into.

Username to install [scponly]
home directory you wish to set for this user [/home/scponly]
name of the writeable subdirectory [incoming]
install: 0: No such file or directory
install: 1: No such file or directory
install: Ref: No such file or directory

creating /home/scponly/incoming directory for uploading files
please set the password for scponly:
Changing local password for scponly.
New password:
Retype new password:
if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /home/scponly/bin/groups
bash-3.1#
bash-3.1#
bash-3.1# cp groups /home/scponly/bin/groups
-----snip-----

Here is /var/log/messages showing the user being added:

-----snip-----
Aug 18 15:15:12 web useradd[8460]: new user added: name=scponly, uid=1002, gid=10, home=/home/scponly, shell=/usr/local/sbin/scponlyc
-----snip-----

Now the WinSCP log showing the attempted login:

-----snip-----
. 2006-08-18 15:28:09.195 --------------------------------------------------------------------------
. 2006-08-18 15:28:09.195 WinSCP Version 3.8.2 (Build 330) (OS 5.1.2600 Service Pack 2)
. 2006-08-18 15:28:09.195 Login time: Friday, August 18, 2006 3:28:09 PM
. 2006-08-18 15:28:09.195 --------------------------------------------------------------------------
. 2006-08-18 15:28:09.195 Session name: scponly at 10.1.1.14
. 2006-08-18 15:28:09.195 Host name: 10.1.1.14 (Port: 22)
. 2006-08-18 15:28:09.195 User name: scponly (Password: Yes, Key file: No)
. 2006-08-18 15:28:09.195 Transfer Protocol: SFTP
. 2006-08-18 15:28:09.195 SSH protocol version: 2; Compression: No
. 2006-08-18 15:28:09.195 Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
. 2006-08-18 15:28:09.195 Ciphers: aes,blowfish,3des,WARN,des; Ssh2DES: No
. 2006-08-18 15:28:09.195 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
. 2006-08-18 15:28:09.195 SSH Bugs: -,-,-,-,-,-,-,-
. 2006-08-18 15:28:09.195 SFTP Bugs: -,-,-
. 2006-08-18 15:28:09.195 Proxy: none
. 2006-08-18 15:28:09.195 Return code variable: Autodetect; Lookup user groups: Yes
. 2006-08-18 15:28:09.195 Shell: default, EOL: 0
. 2006-08-18 15:28:09.195 Local directory: default, Remote directory: home, Update: No, Cache: Yes
. 2006-08-18 15:28:09.195 Cache directory changes: Yes, Permanent: Yes
. 2006-08-18 15:28:09.195 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
. 2006-08-18 15:28:09.195 Alias LS: No, Ign LS warn: Yes, Scp1 Comp: No
. 2006-08-18 15:28:09.195 --------------------------------------------------------------------------
. 2006-08-18 15:28:09.195 Looking up host "10.1.1.14"
. 2006-08-18 15:28:09.195 Connecting to 10.1.1.14 port 22
. 2006-08-18 15:28:09.258 Waiting for the server to continue with the initialisation
. 2006-08-18 15:28:09.258 Looking for incoming data
. 2006-08-18 15:28:09.273 Select result is 1
. 2006-08-18 15:28:09.273 Server version: SSH-1.99-OpenSSH_4.3
. 2006-08-18 15:28:09.273 We claim version: SSH-2.0-WinSCP_release_3.8.2
. 2006-08-18 15:28:09.273 Using SSH protocol version 2
. 2006-08-18 15:28:09.273 Waiting for the server to continue with the initialisation
. 2006-08-18 15:28:09.273 Looking for incoming data
. 2006-08-18 15:28:09.273 Select result is 1
. 2006-08-18 15:28:09.273 Doing Diffie-Hellman group exchange
. 2006-08-18 15:28:09.273 Waiting for the server to continue with the initialisation
. 2006-08-18 15:28:09.273 Looking for incoming data
. 2006-08-18 15:28:09.476 Select result is 1
. 2006-08-18 15:28:09.476 Doing Diffie-Hellman key exchange
. 2006-08-18 15:28:09.617 Waiting for the server to continue with the initialisation
. 2006-08-18 15:28:09.617 Looking for incoming data
. 2006-08-18 15:28:09.679 Select result is 1
. 2006-08-18 15:28:09.836 Host key fingerprint is:
. 2006-08-18 15:28:09.836 ssh-rsa 2048 fc:e0:f4:08:c2:7e:91:24:fc:16:0d:e0:e7:a5:63:0b
. 2006-08-18 15:28:09.836 Initialised AES-256 client->server encryption
. 2006-08-18 15:28:09.836 Initialised HMAC-SHA1 client->server MAC algorithm
. 2006-08-18 15:28:09.836 Initialised AES-256 server->client encryption
. 2006-08-18 15:28:09.836 Initialised HMAC-SHA1 server->client MAC algorithm
. 2006-08-18 15:28:09.836 Waiting for the server to continue with the initialisation
. 2006-08-18 15:28:09.836 Looking for incoming data
. 2006-08-18 15:28:10.039 Select result is 1
! 2006-08-18 15:28:10.039 Using username "scponly".
. 2006-08-18 15:28:10.039 Waiting for the server to continue with the initialisation
. 2006-08-18 15:28:10.039 Looking for incoming data
. 2006-08-18 15:28:10.039 Select result is 1
. 2006-08-18 15:28:10.039 Waiting for the server to continue with the initialisation
. 2006-08-18 15:28:10.039 Looking for incoming data
. 2006-08-18 15:28:10.039 Select result is 1
. 2006-08-18 15:28:10.039 Keyboard-interactive authentication refused
. 2006-08-18 15:28:10.039 Session password prompt (scponly at 10.1.1.14's password: )
. 2006-08-18 15:28:10.039 Using stored password.
! 2006-08-18 15:28:10.054 Authenticating with pre-entered password.
. 2006-08-18 15:28:10.054 Sent password
. 2006-08-18 15:28:10.054 Waiting for the server to continue with the initialisation
. 2006-08-18 15:28:10.054 Looking for incoming data
. 2006-08-18 15:28:10.070 Select result is 1
. 2006-08-18 15:28:10.070 Access granted
. 2006-08-18 15:28:10.070 Waiting for the server to continue with the initialisation
. 2006-08-18 15:28:10.070 Looking for incoming data
. 2006-08-18 15:28:10.070 Select result is 1
. 2006-08-18 15:28:10.070 Opened channel for session
. 2006-08-18 15:28:10.070 Waiting for the server to continue with the initialisation
. 2006-08-18 15:28:10.070 Looking for incoming data
. 2006-08-18 15:28:10.070 Select result is 1
. 2006-08-18 15:28:10.070 Started a shell/command
. 2006-08-18 15:28:10.070 --------------------------------------------------------------------------
. 2006-08-18 15:28:10.070 Using SFTP protocol.
. 2006-08-18 15:28:10.070 Doing startup conversation with host.
> 2006-08-18 15:28:10.070 Type: SSH_FXP_INIT, Size: 5, Number: -1
> 2006-08-18 15:28:10.070 01,00,00,00,05,
. 2006-08-18 15:28:10.070 Sent 9 bytes
. 2006-08-18 15:28:10.070 There are 0 bytes remaining in the send buffer
. 2006-08-18 15:28:10.070 Waiting for another 4 bytes
. 2006-08-18 15:28:10.070 Looking for incoming data
. 2006-08-18 15:28:10.070 Select result is 1
. 2006-08-18 15:28:10.070 Server exited on signal "PIPE"
. 2006-08-18 15:28:10.070 Waiting for another 4 bytes
. 2006-08-18 15:28:10.070 Looking for incoming data
. 2006-08-18 15:28:10.273 Select result is 1
. 2006-08-18 15:28:10.273 All channels closed. Disconnecting
. 2006-08-18 15:28:10.273 Server closed network connection
. 2006-08-18 15:28:10.273 Waiting for another 4 bytes
. 2006-08-18 15:28:10.273 Looking for incoming data
* 2006-08-18 15:28:10.289 (ESshFatal) Cannot initialize SFTP protocol. Is the host running a SFTP server?
* 2006-08-18 15:28:10.289 Connection has been unexpectedly closed. Server sent command exit status 0.
-----snip-----

And now /var/log/secure showing the attempted connection:

-----snip-----
Aug 18 19:28:10 web scponly[27691]: running: /usr/libexec/sftp-server (username: scponly(1002), IP/port: 10.1.1.111 2027 22)
-----snip-----

Nothing helpful there. Anyway, it doesn't appear to be a WinSCP problem, because an sftp connection from another BSD box fails as well:

-----snip-----
-bash-3.00$ sftp scponly at 10.1.1.14
Connecting to 10.1.1.14...
scponly at 10.1.1.14's password:
Connection closed
-bash-3.00$
-----snip-----

sftp is running, though, because an sftp connection with a normal user (bash shell) succeeds:

-----snip-----
-bash-3.00$ sftp josh at 10.1.1.14
Connecting to 10.1.1.14...
josh at 10.1.1.14's password:
sftp> quit
-bash-3.00$
-----snip-----

So, I decided to try checking the libraries. After some research, I ran the following:

-----snip-----
bash-3.1# ldd /usr/local/sbin/scponlyc
/usr/local/sbin/scponlyc:
Start End Type Open Ref GrpRef Name
00000000 00000000 exe 1 0 0 /usr/local/sbin/scponlyc
0b794000 2b7c5000 rlib 0 1 0 /usr/lib/libc.so.39.0
01e10000 01e10000 rtld 0 1 0 /usr/libexec/ld.so
bash-3.1#
bash-3.1#
bash-3.1#
bash-3.1# cp /usr/lib/libc.so.39.0 /home/scponly/usr/lib/
cp: /home/scponly/usr/lib/: No such file or directory
bash-3.1#
bash-3.1#
bash-3.1#
bash-3.1# mkdir /home/scponly/usr/lib
bash-3.1# cp /usr/lib/libc.so.39.0 /home/scponly/usr/lib/
bash-3.1#
-----snip-----

ld.so was already there, so no need to copy it. After copying libc.so.39.0, though, I received the exact same error. The logs look exactly the same, so it appears that something else is breaking before the connection attempts to use the needed libraries.

Any help would be greatly appreciated.

Josh
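An added check, not from the post or from the scponly project, that automates the ldd step Josh walks through: it parses ldd output in the OpenBSD layout shown above (Start End Type Open Ref GrpRef Name) and reports which shared objects and loader are absent under the jail directory. The sample ldd text is constructed to match that layout; `check_jail` is a hypothetical wrapper that only makes sense on a host whose ldd prints this format.

```shell
#!/bin/sh
# Constructed sample of OpenBSD ldd(1) output in the layout from the post;
# not captured from a real host.
SAMPLE_LDD='/usr/local/sbin/scponlyc:
Start End Type Open Ref GrpRef Name
00000000 00000000 exe 1 0 0 /usr/local/sbin/scponlyc
0b794000 2b7c5000 rlib 0 1 0 /usr/lib/libc.so.39.0
01e10000 01e10000 rtld 0 1 0 /usr/libexec/ld.so'

# ldd_deps: read OpenBSD-style ldd output on stdin and print the shared
# libraries (rlib) and the dynamic loader (rtld), one path per line.
# The "exe" line and the header are skipped.
ldd_deps() {
    awk '$3 == "rlib" || $3 == "rtld" { print $7 }'
}

# chroot_missing CHROOT: read ldd output on stdin and print every dependency
# that does not exist at the same path underneath CHROOT. Returns 1 if
# anything is missing, 0 if the jail already holds all of them.
chroot_missing() {
    chroot_dir=$1
    rc=0
    for lib in $(ldd_deps); do
        if [ ! -e "$chroot_dir$lib" ]; then
            echo "$lib"
            rc=1
        fi
    done
    return $rc
}

# check_jail CHROOT BINARY: hypothetical wrapper that runs the real ldd(1)
# on BINARY and lists what BINARY would fail to find once chrooted.
check_jail() {
    ldd "$2" | chroot_missing "$1"
}

# Demonstration against the constructed sample and a jail path that may
# not exist here; exit status is non-zero when something is missing.
printf '%s\n' "$SAMPLE_LDD" | chroot_missing "${1:-/home/scponly}" \
    || echo "the paths above are missing from the jail"
```

Run it as `sh check_jail.sh /home/scponly` to test the constructed sample, or call `check_jail /home/scponly /usr/local/sbin/scponlyc` on the OpenBSD host itself.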
