[scponly] Problems with sftp and new logging options

Kaleb Pederson kibab at icehouse.net
Sat Dec 9 18:01:34 EST 2006


Thanks Yavor.  You can now use OpenSSH to limit users to the sftp subsystem if 
that's all you need:

Match User restricted-user
   ForceCommand /usr/libexec/sftp-server

A couple of related links (see the caveats they list):

http://www.networksecurityarchive.org/html/Secure-Shell/2006-11/msg00050.html
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=115145598610868&w=2

Scponly can also be configured this way without passing anything special:

./configure by itself should work

Although to be secure, I would probably do:

./configure --disable-wildcards --disable-gftp-compat --enable-chrooted-binary

I hope that helps.

--Kaleb
On Saturday 09 December 2006 05:59, you wrote:
> I am using openssh 4.4_p1-r6 on gentoo.
>
> As far as I can tell this was newly introduced and I saw some reference in
> the gentoo mailing lists that this has deprecated the sftp-logging patch
> which was what I was using before.
>
> Apparently this was released in openssh main release, here is the man page
> http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8
>
> Can you provide any information regarding restricting a user to sftp only?
>
> Regards,
> Yavor
>
> On 12/8/06, Kaleb Pederson <kibab at icehouse.net> wrote:
> > Hmmm... Which version of OpenSSH and do you have a link to the verbose
> > mode in question?
> >
> > It sounds like we should patch this fairly quickly.
> >
> > BTW (not directly related to this e-mail), I noticed a while back that
> > OpenSSH can now limit users to a specific subsystem, so OpenSSH could be
> > used without scponly where SFTP support is all that is needed.
> >
> > Thanks for the report.
> >
> > --Kaleb
> >
> > On Thursday 07 December 2006 23:36, Yavor Shahpasov wrote:
> > > Hello List,
> > >
> > > I am trying to use scponly with the new logging functionality in
> > > openssh.
> > >
> > > # Old
> > > Subsystem       sftp    /usr/lib/misc/sftp-server
> > > # New
> > > Subsystem      sftp    /usr/lib/misc/sftp-server -f USER -l VERBOSE
> > >
> > > These new parameters seem to make scponly fail the requests.
> > >
> > > Dec  7 04:07:02 **** scponly[13163]: processing request:
> > > "/usr/lib/misc/sftp-server -f USER -l VERBOSE"
> > > Dec  7 04:07:02 **** scponly[13163]: denied request:
> > > /usr/lib/misc/sftp-server -f USER -l VERBOSE [username: ****(1003),
> > > IP/port: ** 51096 22]
> > >
> > > Is it possible that this can be made to work?
> > >
> > > Best Regards,
> > > Yavor Shahpasov
> >
> > _______________________________________________
> > scponly mailing list
> > scponly at lists.ccs.neu.edu
> > https://lists.ccs.neu.edu/bin/listinfo/scponly
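Added example, not code from this thread, from scponly or from OpenSSH: a small Python script that models the two points discussed above. It parses a constructed sshd_config fragment (the logging-enabled `Subsystem sftp` line from Yavor's report plus the `Match User` / `ForceCommand` block from Kaleb's reply), resolves the settings a given user would get, and reports whether that user is pinned to an sftp server. It then runs the configured subsystem command through an illustrative allow-list check to show why a wrapper that only permits the bare binary rejects `-f USER -l VERBOSE` while one that permits those flags accepts it. The `check_request` function is a simplified model of an allow-list shell and is not scponly's actual logic; `internal-sftp` is an OpenSSH value that postdates this 2006 post and is included only so the check also recognises the built-in server.

```python
import shlex

# Constructed sshd_config fragment for this example (not a file from the thread):
# the logging-enabled Subsystem line Yavor showed, plus the Match/ForceCommand
# block from Kaleb's reply.
SAMPLE_SSHD_CONFIG = """\
# global section
Subsystem sftp /usr/lib/misc/sftp-server -f USER -l VERBOSE
PasswordAuthentication no

Match User restricted-user
    ForceCommand /usr/libexec/sftp-server
    AllowTcpForwarding no
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Split sshd_config into global settings and a list of (criteria, settings)
    Match blocks. Keywords are case-insensitive; within a section the first
    value given for a keyword wins, as sshd_config(5) specifies."""
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            # "Match User a,b Address x" -> {"user": ["a", "b"], "address": ["x"]}
            criteria = {tokens[i].lower(): tokens[i + 1].split(",")
                        for i in range(0, len(tokens) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, value)
    return global_settings, blocks


def effective_settings(parsed, user):
    """Resolve the settings sshd would apply to `user`: for each keyword the
    first matching Match block wins and overrides the global section. Only the
    User criterion is modelled here (Group/Host/Address are ignored)."""
    global_settings, blocks = parsed
    overrides = {}
    for criteria, settings in blocks:
        if user in criteria.get("user", []):
            for keyword, value in settings.items():
                overrides.setdefault(keyword, value)
    effective = dict(global_settings)
    effective.update(overrides)
    return effective


def is_sftp_only(parsed, user):
    """True when the user's effective ForceCommand pins them to an sftp server:
    a path ending in /sftp-server, or OpenSSH's later built-in internal-sftp."""
    command = effective_settings(parsed, user).get("forcecommand")
    if not command:
        return False
    program = shlex.split(command)[0]
    return program == "internal-sftp" or program.endswith("/sftp-server")


def subsystem_command(parsed, name="sftp"):
    """Return the command string configured for `Subsystem <name>`, or None."""
    value = parsed[0].get("subsystem", "")
    sub_name, _, command = value.partition(" ")
    return command.strip() if sub_name == name else None


def check_request(request, allowed):
    """Illustrative model of an allow-list login shell (not scponly's code):
    grant a request only if its program is listed and every option flag it
    carries is one the administrator permitted for that program."""
    argv = shlex.split(request)
    if not argv or argv[0] not in allowed:
        return "denied"
    permitted_flags = allowed[argv[0]]
    for arg in argv[1:]:
        if arg.startswith("-") and arg not in permitted_flags:
            return "denied"
    return "allowed"


if __name__ == "__main__":
    parsed = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("restricted-user sftp-only:", is_sftp_only(parsed, "restricted-user"))
    print("alice sftp-only:", is_sftp_only(parsed, "alice"))
    request = subsystem_command(parsed)
    strict = {"/usr/lib/misc/sftp-server": set()}            # bare binary only
    lenient = {"/usr/lib/misc/sftp-server": {"-f", "-l"}}    # logging flags permitted
    print("strict wrapper:", check_request(request, strict))
    print("wrapper permitting -f/-l:", check_request(request, lenient))
```

Running it shows `restricted-user` as sftp-only and `alice` not, and the same `-f USER -l VERBOSE` subsystem command denied by the strict allow list but accepted once `-f` and `-l` are permitted, which is the shape of the failure in the quoted log lines: the wrapper compares the whole request, so new server options must be added to whatever it permits or the server must be invoked without them.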