[scponly] sftp not working, but scp does

Brian Davis bridavis at comcast.net
Tue Nov 28 23:21:22 EST 2006


Hi Paul & list,

Permissions look OK to me:

-rwxr-xr-x 1 root root 54824 Nov 28 20:09 sftp-server

All the needed libs are in the chroot:

flagg ~ # ldd /raid/chroot/www/test/usr/lib/misc/sftp-server
        libresolv.so.2 => /lib/libresolv.so.2 (0x54460000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x54416000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x5428e000)
        libdl.so.2 => /lib/libdl.so.2 (0x5428a000)
        libutil.so.1 => /lib/libutil.so.1 (0x54286000)
        libz.so.1 => /lib/libz.so.1 (0x5426f000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x54259000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x5422b000)
        libc.so.6 => /lib/libc.so.6 (0x5410b000)
        /lib/ld-linux.so.2 (0x54476000)

/raid/chroot/www/test/lib:
total 1668
-rwxr-xr-x 1 root root   92164 Nov 28 20:09 ld-linux.so.2
-rwxr-xr-x 1 root root 1164276 Nov 28 20:09 libc.so.6
-rwxr-xr-x 1 root root   21876 Nov 28 20:09 libcrypt.so.1
-rwxr-xr-x 1 root root    9588 Nov 28 20:09 libdl.so.2
-rwxr-xr-x 1 root root   76444 Nov 28 20:09 libnsl.so.1
-rwxr-xr-x 1 root root   30328 Nov 28 20:09 libnss_compat-2.3.6.so
-rwxr-xr-x 1 root root   30328 Nov 28 20:09 libnss_compat.so.2
-rwxr-xr-x 1 root root   63644 Nov 28 20:09 libpthread.so.0
-rwxr-xr-x 1 root root   63104 Nov 28 20:09 libresolv.so.2
-rwxr-xr-x 1 root root   30536 Nov 28 20:09 librt.so.1
-rwxr-xr-x 1 root root    9588 Nov 28 20:09 libutil.so.1
-rwxr-xr-x 1 root root   87368 Nov 28 20:09 libz.so.1

/raid/chroot/www/test/usr/lib:
total 1880
drwxr-xr-x 3 root root      30 Nov 28 20:08 binutils
-rwxr-xr-x 1 root root 1587288 Nov 28 20:09 libcrypto.so.0.9.8
-rwxr-xr-x 1 root root   34144 Nov 28 20:09 libpopt.so.0
-rwxr-xr-x 1 root root  297420 Nov 28 20:09 libssl.so.0.9.8
drwxr-xr-x 2 root root      24 Nov 28 20:09 misc

OS is up-to-date Gentoo hardened stable:
flagg scponly # uname -a
Linux flagg 2.6.16-hardened-r11 #3 SMP Tue Nov 28 14:00:57 EST 2006 i686 Celeron (Mendocino) GenuineIntel GNU/Linux

configure options were:
                --enable-scp-compat \
                --enable-winscp-compat \
                --enable-rsync-compat \
                --enable-chrooted-binary \

At this point, I'm not sure which step to take next. Any (more) ideas would 
be appreciated.

Thanks,
Brian

Paul Hyder wrote:
> This appears to be an incomplete jail configuration.  Generally means there
> is a library that needs to be added for the sftp-server.
>
> 1.  Verify the sftp-server permissions (/raid/chroot/www/test/usr/lib/misc/sftp-server)
>
> 2.  Run ldd on the sftp-server binary and make sure all of the listed libraries
>     are installed in the correct location for the jail.  If they are all present
>     run ldd on the libraries and make sure they don't need a missing library.
>
> Server OS and configure options?
>     Paul Hyder
>
> Brian Davis wrote:
>   
>> Here is the detailed debug, for scponly and sshd.  Looks like I still 
>> need to turn on more debugging somewhere.  As a point of reference, SFTP 
>> does work for non scponly users.
>>
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: subsystem: exec() /usr/lib/misc/sftp-server
>> Nov 28 14:30:29 flagg scponly[3511]: chrooted binary in place, will chroot()
>> Nov 28 14:30:29 flagg scponly[3511]: 3 arguments in total.
>> Nov 28 14:30:29 flagg scponly[3511]:    arg 0 is scponlyc
>> Nov 28 14:30:29 flagg scponly[3511]:    arg 1 is -c
>> Nov 28 14:30:29 flagg scponly[3511]:    arg 2 is /usr/lib/misc/sftp-server
>> Nov 28 14:30:29 flagg scponly[3511]: opened log at LOG_AUTHPRIV, opts 0x00000009
>> Nov 28 14:30:29 flagg scponly[3511]: retrieved home directory of "/raid/chroot/www/test//incoming" for user "test"
>> Nov 28 14:30:29 flagg scponly[3511]: chrooting to dir: "/raid/chroot/www/test"
>> Nov 28 14:30:29 flagg scponly[3511]: chdiring to dir: "/incoming"
>> Nov 28 19:30:29 flagg scponly[3511]: setting uid to 1003
>> Nov 28 19:30:29 flagg scponly[3511]: processing request: "/usr/lib/misc/sftp-server"
>> Nov 28 19:30:29 flagg scponly[3511]: running: /usr/lib/misc/sftp-server (username: test(1003), IP/port: 16.4.18.22 3059 8364)
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: Received SIGCHLD.
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_by_pid: pid 3511
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_exit_message: session 0 channel 0 pid 3511
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_exit_message: release channel 0
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_by_channel: session 0 channel 0
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_close_by_channel: channel 0 child 0
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_close: session 0 pid 0
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: channel 0: free: server-session, nchannels 1
>> Nov 28 14:30:29 flagg sshd[3510]: Connection closed by 16.4.18.22
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: do_cleanup
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: PAM: cleanup
>> Nov 28 14:30:29 flagg sshd(pam_unix)[3510]: session closed for user test
>> Nov 28 14:30:29 flagg sshd[3510]: Closing connection to 16.4.18.22
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: PAM: cleanup
>>
>> Thanks,
>> Brian
>>
>>
>> Paul Hyder wrote:
>>     
>>> Sounds like the selected sftp server exits.
>>>
>>> Have you tried setting the debuglevel to 1?  (default install puts this
>>> file in /usr/local/etc/scponly, change it from 0 to 1)  The extended
>>> diagnostics should be useful.
>>>
>>> Would also help to know what options you used with configure and the
>>> server's operating system.
>>>    Paul Hyder
>>>    NOAA Earth System Research Laboratory, Global Systems Division
>>>    Boulder, CO
>>>
>>>
>>> Brian Davis wrote:
>>>   
>>>       
>>>> Hi,
>>>>
>>>> I'm using WinSCP 3.8.2. The session default of "SFTP (allow SCP 
>>>> fallback) is checked.  When WinSCP tries to connect, if gives the 
>>>> following error and immediately disconnects:
>>>>
>>>> "Cannot initalize SFTP protocol. Is the host running a SFTP server?
>>>> Connection has been unexpectedly closed. Server sent command exit status 
>>>> 255."
>>>>
>>>> However, selecting SCP for the session seems to work fine.  Here is my 
>>>> auth.log when trying sftp:
>>>>
>>>> Nov 26 22:14:41 flagg sshd[20279]: Accepted keyboard-interactive/pam for test from 192.168.1.103 port 3530 ssh2
>>>> Nov 26 22:14:41 flagg sshd(pam_unix)[13368]: session opened for user test by (uid=0)
>>>> Nov 26 22:14:41 flagg sshd[13368]: subsystem request for sftp
>>>> Nov 27 03:14:41 flagg scponly[12982]: running: /usr/lib/misc/sftp-server (username: test(1003), IP/port: 192.168.1.103 3530 7777)
>>>> Nov 26 22:14:41 flagg sshd(pam_unix)[13368]: session closed for user test
>>>>
>>>> Any ideas?
>>>>
>>>> Also, can the logging for scponly be configured to use local time rather 
>>>> than GMT?
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> scponly mailing list
>>>> scponly at lists.ccs.neu.edu
>>>> https://lists.ccs.neu.edu/bin/listinfo/scponly
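Paul's two checks above (permissions on the jailed sftp-server, then ldd on the binary and on each library it lists, compared against what is actually in the jail), written up as a POSIX sh script. This is an added example, not code from the thread or from scponly; it assumes a glibc-style ldd on the host and that the jail copy of the binary sits at the same path relative to the jail root as the host copy does relative to /, and it takes the jail root and that path as arguments.

```sh
#!/bin/sh
# Added example, not part of scponly or the thread: automates
# Paul's two checks against a jail.  Usage:
#   check_jail /raid/chroot/www/test /usr/lib/misc/sftp-server

# Pull absolute library paths out of ldd output read from stdin.
ldd_paths() {
    awk '
        # "libz.so.1 => /lib/libz.so.1 (0x...)"  -> /lib/libz.so.1
        $2 == "=>" && $3 ~ /^\//  { print $3 }
        # "/lib/ld-linux.so.2 (0x...)"  -> /lib/ld-linux.so.2
        $2 != "=>" && $1 ~ /^\//  { print $1 }
        # "libfoo.so => not found" carries no path and is skipped
    '
}

# Read library paths from stdin; print each one absent from jail $1.
missing_in_jail() {
    jail=${1%/}
    while IFS= read -r lib; do
        if [ -n "$lib" ] && [ ! -e "$jail$lib" ]; then
            printf '%s\n' "$lib"
        fi
    done
}

# Step 1: the binary is present and executable inside the jail.
# Step 2: ldd the jailed binary (it resolves against host libraries,
# exactly as in the thread), then ldd each library it lists, and check
# everything against the jail.  glibc's ldd already lists dependencies
# transitively, so the second pass mostly confirms the first, but it is
# the step the thread recommends.
check_jail() {
    jail=${1%/}; bin=$2
    [ -x "$jail$bin" ] || echo "missing or not executable in jail: $bin"
    first=$(ldd "$jail$bin" | ldd_paths | sort -u)
    {
        printf '%s\n' "$first"
        for lib in $first; do ldd "$lib" 2>/dev/null; done | ldd_paths
    } | sort -u | missing_in_jail "$jail"
}

# Caveat: ldd only sees DT_NEEDED entries.  Libraries loaded at run
# time with dlopen(), such as glibc's libnss_* modules used for user
# and group lookups, and plain files such as /etc/passwd or /dev/null,
# are invisible to it, so an empty report from check_jail does not
# prove the jail is complete.
```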