[scponly] sftp problem with chroot on openbsd

domenico.albanese at hermess.it
Fri Jul 28 08:22:19 EDT 2006


Thank you for your software; it works great on Debian. But if I try it on
OpenBSD 3.9, I cannot establish an sftp connection. Here is what I
do:

############################################

root at grog:/tmp# uname -a
OpenBSD grog.anarcode.it 3.9 GENERIC#617 i386
root at grog:/tmp# wget http://www.sublimation.org/scponly/scponly-4.6.tgz
--08:12:50--  http://www.sublimation.org/scponly/scponly-4.6.tgz
           => `scponly-4.6.tgz'
Resolving www.sublimation.org... 66.92.190.128
Connecting to www.sublimation.org|66.92.190.128|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 96,578 (94K) [application/x-tar]

100%[==========================================>] 96,578        40.56K/s

08:12:53 (40.49 KB/s) - `scponly-4.6.tgz' saved [96578/96578]

root at grog:/tmp# tar xzf scponly-4.6.tgz
root at grog:/tmp# cd scponly-4.6
root at grog:/tmp/scponly-4.6# ./configure  --enable-chrooted-binary
--enable-scp-compat --enable-sftp-server
checking build system type... i386-unknown-openbsd3.9
checking host system type... i386-unknown-openbsd3.9
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking for cut... /usr/bin/cut
checking for grep... /usr/bin/grep
checking for sort... /usr/bin/sort
checking for ldd... /usr/bin/ldd
checking for useradd... /usr/sbin/useradd
checking for chown... /usr/sbin/chown
checking for chmod... /bin/chmod
checking for dirname... /usr/bin/dirname
checking for id... /usr/bin/id
checking for pw... no
checking for rm... /bin/rm
checking for pwd_mkdb... /usr/sbin/pwd_mkdb
configure: enabling core WinSCP and Vanilla SCP binaries...
checking for sftp-server... /usr/libexec/sftp-server
checking for ls... /bin/ls
checking for scp... /usr/bin/scp
checking for rm... /bin/rm
checking for ln... /bin/ln
checking for mv... /bin/mv
checking for chmod... /bin/chmod
checking for chown... /usr/sbin/chown
checking for chgrp... /usr/sbin/chgrp
checking for mkdir... /bin/mkdir
checking for rmdir... /bin/rmdir
configure: enabling WinSCP compatability...
checking for pwd... /bin/pwd
checking for groups... /usr/bin/groups
checking for id... /usr/bin/id
checking for echo... /bin/echo
configure: enabling SFTP compatability...
checking for sftp-server... (cached) /usr/libexec/sftp-server
checking how to run the C preprocessor... gcc -E
checking for egrep... grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking syslog.h usability... yes
checking syslog.h presence... yes
checking for syslog.h... yes
checking for unistd.h... (cached) yes
checking wordexp.h usability... no
checking wordexp.h presence... no
checking for wordexp.h... no
checking glob.h usability... yes
checking glob.h presence... yes
checking for glob.h... yes
checking libgen.h usability... yes
checking libgen.h presence... yes
checking for libgen.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking for an ANSI C-conforming const... yes
checking for inline... inline
checking for working alloca.h... no
checking for alloca... yes
checking for malloc... yes
checking for atexit... yes
checking for bzero... yes
checking for strchr... yes
checking for strerror... yes
checking for glob... yes
checking for wordexp... no
checking for strspn... yes
checking for basename... yes
checking for getopt... yes
checking whether optreset is declared... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating setup_chroot.sh
config.status: creating config.h
root at grog:/tmp/scponly-4.6# make
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H
-DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly.o -c
scponly.c
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H
-DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o helper.o -c
helper.c
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H
-DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly scponly.o
helper.o
scponly.o(.text+0x1a7): In function `main':
/tmp/scponly-4.6/scponly.c:232: warning: strcpy() is almost always
misused, please use strlcpy()
gcc -g -O2 -I. -I. -DHAVE_CONFIG_H
-DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o groups groups.c
root at grog:/tmp/scponly-4.6# make install
echo "0" > debuglevel
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then
    /usr/bin/install -c -d /usr/local/sbin;
    rm -f /usr/local/sbin/scponlyc;
    cp scponly scponlyc;
    /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc;
fi
root at grog:/tmp/scponly-4.6# echo /usr/local/bin/scponly >> /etc/shells
root at grog:/tmp/scponly-4.6# echo /usr/local/sbin/scponlyc >> /etc/shells
root at grog:/tmp/scponly-4.6# echo 1 > /usr/local/etc/scponly/debuglevel
root at grog:/tmp/scponly-4.6# adduser
Use option ``-silent'' if you don't want to see all warnings and questions.

Reading /etc/shells
Check /etc/master.passwd
Check /etc/group

Ok, let's go.
Don't worry about mistakes. I will give you the chance later to
correct any input.
Enter username []: gino
Enter full name []:
Enter shell bash csh ksh nologin scponly scponlyc sh [ksh]: scponly
Uid [1001]:
Login group gino [gino]:
Login group is ``gino''. Invite gino into other groups: guest no
[no]:
Login class daemon default staff [default]:
Enter password []:
Enter password again []:

Name:        gino
Password:    ****
Fullname:    gino
Uid:         1001
Gid:         999 (gino)
Groups:      gino
Login Class: default
HOME:        /home/gino
Shell:       /usr/local/bin/scponly
OK? (y/n) [y]: y
Added user ``gino''
Copy files from /etc/skel to /home/gino
Add another user? (y/n) [y]: n
Goodbye!
root at grog:/tmp/scponly-4.6#

## LET'S TRY, FROM ANOTHER PC.......

origano at mosquito:~$ scp file-1.txt gino at grog:/home/gino
gino at grog's password:
file-1.txt                                              100%   13KB
12.5KB/s   00:00
origano at mosquito:~$ sftp gino at grog
Connecting to grog...
gino at grog's password:
sftp> put file-2.txt
Uploading file-2.txt to /home/gino/file-2.txt
file-2.txt                                              100%   13KB
12.5KB/s   00:00
sftp> quit
origano at mosquito:~$

## .... AND THE LOG FILE .....

root at grog:/tmp/scponly-4.6# more /var/log/secure
Jul 28 08:30:23 grog scponly[12265]: 3 arguments in total.
Jul 28 08:30:23 grog scponly[12265]:    arg 0 is scponly
Jul 28 08:30:23 grog scponly[12265]:    arg 1 is -c
Jul 28 08:30:23 grog scponly[12265]:    arg 2 is scp -t /home/gino
Jul 28 08:30:23 grog scponly[12265]: opened log at LOG_AUTHPRIV, opts 0x00000009
Jul 28 08:30:23 grog scponly[12265]: retrieved home directory of
"/home/gino" for user "gino"
Jul 28 08:30:23 grog scponly[12265]: setting uid to 1001
Jul 28 08:30:23 grog scponly[12265]: processing request: "scp -t /home/gino"
Jul 28 08:30:23 grog scponly[12265]: running: /usr/bin/scp -t
/home/gino (username: gino(1001), IP/port: 192.168.1.254 32780 22)
Jul 28 08:30:32 grog scponly[23623]: 3 arguments in total.
Jul 28 08:30:32 grog scponly[23623]:    arg 0 is scponly
Jul 28 08:30:32 grog scponly[23623]:    arg 1 is -c
Jul 28 08:30:32 grog scponly[23623]:    arg 2 is /usr/libexec/sftp-server
Jul 28 08:30:32 grog scponly[23623]: opened log at LOG_AUTHPRIV, opts 0x00000009
Jul 28 08:30:32 grog scponly[23623]: retrieved home directory of
"/home/gino" for user "gino"
Jul 28 08:30:32 grog scponly[23623]: setting uid to 1001
Jul 28 08:30:32 grog scponly[23623]: processing request:
"/usr/libexec/sftp-server"
Jul 28 08:30:32 grog scponly[23623]: running: /usr/libexec/sftp-server
(username: gino(1001), IP/port: 192.168.1.254 32781 22)

## .... BUT I WANT THE CHROOT JAIL, SO.....

root at grog:/tmp/scponly-4.6# make jail
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then
    /usr/bin/install -c -d /usr/local/sbin;
    rm -f /usr/local/sbin/scponlyc;
    cp scponly scponlyc;
    /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc;
fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh

Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.

for this reason, a writeable subdirectory will be created that
the scponly user can write into.

Username to install [scponly]pino
home directory you wish to set for this user [/home/pino]
name of the writeable subdirectory [incoming]
install: 0: No such file or directory
install: 1: No such file or directory
install: Ref: No such file or directory

creating  /home/pino/incoming directory for uploading files
please set the password for pino:
Changing local password for pino.
New password:
Retype new password:
if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /home/pino/bin/groups
root at grog:/tmp/scponly-4.6# cp groups /home/pino/bin/groups
root at grog:/tmp/scponly-4.6# echo 1 > /usr/local/etc/scponly/debuglevel

## .... LET'S TRY AGAIN .....

origano at mosquito:~$ scp file-1.txt pino at grog:/incoming
pino at grog's password:
/usr/bin/scp: can't load library 'libc.so.39.0'
lost connection
origano at mosquito:~$

## ... OK ....

root at grog:/tmp/scponly-4.6# mkdir /home/pino/usr/lib/
root at grog:/tmp/scponly-4.6# cp /usr/lib/libc.so.39.0 /home/pino/usr/lib/
root at grog:/tmp/scponly-4.6#

## ... AGAIN ...

origano at mosquito:~$ scp file-1.txt pino at grog:/incoming
pino at grog's password:
Couldn't open /dev/null: No such file or directorylost connection
origano at mosquito:~$

## ... NO PROBLEM ....

root at grog:/tmp/scponly-4.6# mkdir /home/pino/dev/
root at grog:/tmp/scponly-4.6# mknod /home/pino/dev/null c 2 2
root at grog:/tmp/scponly-4.6# chmod 666 /home/pino/dev/null
root at grog:/tmp/scponly-4.6#

## ... AND AGAIN ...

origano at mosquito:~$ scp file-1.txt pino at grog:/incoming
pino at grog's password:
file-1.txt                                              100%   13KB
12.5KB/s   00:00
origano at mosquito:~$

## ... HERE IS THE LOG ...

root at grog:/tmp/scponly-4.6# more /var/log/secure
Jul 28 09:03:53 grog scponly[4027]: chrooted binary in place, will chroot()
Jul 28 09:03:53 grog scponly[4027]: 3 arguments in total.
Jul 28 09:03:53 grog scponly[4027]:     arg 0 is scponlyc
Jul 28 09:03:53 grog scponly[4027]:     arg 1 is -c
Jul 28 09:03:53 grog scponly[4027]:     arg 2 is scp -t /incoming
Jul 28 09:03:53 grog scponly[4027]: opened log at LOG_AUTHPRIV, opts 0x00000009
Jul 28 09:03:53 grog scponly[4027]: retrieved home directory of
"/home/pino" for user "pino"
Jul 28 09:03:53 grog scponly[4027]: chrooting to dir: "/home/pino"
Jul 28 09:03:53 grog scponly[4027]: chdiring to dir: "/"
Jul 28 09:03:53 grog scponly[4027]: setting uid to 1002
Jul 28 09:03:53 grog scponly[4027]: processing request: "scp -t /incoming"
Jul 28 09:03:53 grog scponly[4027]: running: /usr/bin/scp -t /incoming
(username: pino(1002), IP/port: 192.168.1.254 32796 22)

## .... AND SFTP .....

origano at mosquito:~$ sftp pino at grog
Connecting to grog...
pino at grog's password:
Connection closed
origano at mosquito:~$

## .... FAILED WITH THIS LOG .....

Jul 28 09:09:21 grog scponly[26603]: chrooted binary in place, will chroot()
Jul 28 09:09:21 grog scponly[26603]: 3 arguments in total.
Jul 28 09:09:21 grog scponly[26603]:    arg 0 is scponlyc
Jul 28 09:09:21 grog scponly[26603]:    arg 1 is -c
Jul 28 09:09:21 grog scponly[26603]:    arg 2 is /usr/libexec/sftp-server
Jul 28 09:09:21 grog scponly[26603]: opened log at LOG_AUTHPRIV, opts 0x00000009
Jul 28 09:09:21 grog scponly[26603]: retrieved home directory of
"/home/pino" for user "pino"
Jul 28 09:09:21 grog scponly[26603]: chrooting to dir: "/home/pino"
Jul 28 09:09:21 grog scponly[26603]: chdiring to dir: "/"
Jul 28 09:09:21 grog scponly[26603]: setting uid to 1002
Jul 28 09:09:21 grog scponly[26603]: processing request:
"/usr/libexec/sftp-server"
Jul 28 09:09:21 grog scponly[26603]: running: /usr/libexec/sftp-server
(username: pino(1002), IP/port: 192.168.1.254 32797 22)

############################################

I don't understand: what am I doing wrong?
Please help me.
Thank you in advance.

Domenico
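The jail in the post was filled by hand one failure at a time (libc.so.39.0, then /dev/null), because from the client side a chrooted binary that cannot start shows up only as "can't load library", "Couldn't open /dev/null" or a bare "Connection closed". The three "install: 0 / 1 / Ref: No such file or directory" lines from setup_chroot.sh are consistent with the script treating columns of OpenBSD's ldd table (its header is "Start End Type Open Ref GrpRef Name", with the path in the last column) as file names, so the libraries were never copied. The script below is an added example, not scponly's own code or the post's: it audits a jail root for the shared objects and /dev/null that the jailed binaries need, parsing either GNU-style or OpenBSD-style ldd output by taking only the tokens that start with "/". The function names (ldd_paths, jail_missing, jail_populate, jail_devnull, jail_audit) are this example's own; the jail path /home/pino and the binaries /usr/bin/scp and /usr/libexec/sftp-server in the comments come from the post.

```shell
#!/bin/sh
# Added example, not part of scponly: audit a chroot jail for the shared
# libraries and device nodes that the jailed scp/sftp-server need.
# Helper names are this example's own; paths in comments are the post's.

# Print the absolute paths named in ldd output, one per line, whatever
# the layout: GNU ldd prints "libc.so.6 => /lib/libc.so.6 (0x...)", while
# OpenBSD ldd prints a "Start End Type Open Ref GrpRef Name" table whose
# last column is the path. Picking the tokens that start with "/" avoids
# depending on column positions, which is the kind of parsing that ends
# up trying to install the tokens "0", "1" and "Ref" as files.
# The leading "/usr/bin/scp:" header line is dropped by the ':$' filter.
ldd_paths() {
    tr -s ' \t' '\n\n' | grep '^/' | grep -v ':$' | LC_ALL=C sort -u
}

# Read paths on stdin and print those that do not exist under the jail
# root $1. Exit 1 if anything is missing, 0 if the jail is complete.
jail_missing() {
    jail=$1; missing=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if [ ! -e "$jail$p" ]; then
            printf '%s\n' "$p"
            missing=1
        fi
    done
    return "$missing"
}

# Read paths on stdin and copy each into the jail, recreating its parent
# directory (what the post did by hand for /usr/lib/libc.so.39.0).
jail_populate() {
    jail=$1
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        mkdir -p "$jail$(dirname "$p")"
        cp -p "$p" "$jail$p"
    done
}

# True if $1/dev/null exists and is a character device. scp and
# sftp-server open it; from the client its absence shows up only as
# "Couldn't open /dev/null: No such file or directory".
jail_devnull() {
    [ -c "$1/dev/null" ]
}

# Full audit: jail root, then the binaries scponly will exec inside it.
# Runs the real ldd, so this one is meant for the target box, e.g.
#   jail_audit /home/pino /usr/bin/scp /usr/libexec/sftp-server
jail_audit() {
    jail=$1; shift
    rc=0
    for bin in "$@"; do
        [ -x "$jail$bin" ] || { echo "missing binary: $bin"; rc=1; }
    done
    missing=$(ldd "$@" 2>/dev/null | ldd_paths | jail_missing "$jail") || rc=1
    [ -z "$missing" ] || printf '%s\n' "$missing" | sed 's/^/missing file: /'
    jail_devnull "$jail" || { echo "missing or wrong $jail/dev/null"; rc=1; }
    return "$rc"
}
```

To fill a jail rather than just report on it, pipe the same ldd output through `ldd_paths | jail_populate /home/pino`, then re-run `jail_audit` until it is silent. When the audit passes but sshd still reports only "Connection closed", run the binary inside the jail directly as the jailed user, e.g. `chroot -u pino /home/pino /usr/libexec/sftp-server </dev/null` (OpenBSD's chroot(8) takes `-u`; this is an assumption about the 3.9 base system, not something the post shows): the loader's own error message then lands on your terminal instead of being swallowed by the SSH session.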
