[scponly] sftp not working, but scp does
Brian Davis
bridavis at comcast.net
Wed Nov 29 10:15:41 EST 2006
Wally, you're the man! My password file existed, but was blank! After
adding in my user's information, it's working.
Thanks Paul and Wally!
Strzelec, Wally wrote:
> Is the userid that you are trying to use in the chrooted passwd file? I
> use NIS to authenticate and have run into this in the past. I seem to
> remember that if the userid was not in the chrooted passwd file, sftp
> would work but scp would not.
>
> -Wally
>
> -----Original Message-----
> From: scponly-bounces at lists.ccs.neu.edu
> [mailto:scponly-bounces at lists.ccs.neu.edu] On Behalf Of Brian Davis
> Sent: Tuesday, November 28, 2006 10:21 PM
> To: Paul Hyder
> Cc: scponly at lists.ccs.neu.edu
> Subject: Re: [scponly] sftp not working, but scp does
>
> Hi Paul & list,
>
> Permissions look OK to me:
>
> -rwxr-xr-x 1 root root 54824 Nov 28 20:09 sftp-server
>
> All the needed libs are in the chroot:
>
> flagg ~ # ldd /raid/chroot/www/test/usr/lib/misc/sftp-server
> libresolv.so.2 => /lib/libresolv.so.2 (0x54460000)
> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x54416000)
> libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x5428e000)
> libdl.so.2 => /lib/libdl.so.2 (0x5428a000)
> libutil.so.1 => /lib/libutil.so.1 (0x54286000)
> libz.so.1 => /lib/libz.so.1 (0x5426f000)
> libnsl.so.1 => /lib/libnsl.so.1 (0x54259000)
> libcrypt.so.1 => /lib/libcrypt.so.1 (0x5422b000)
> libc.so.6 => /lib/libc.so.6 (0x5410b000)
> /lib/ld-linux.so.2 (0x54476000)
>
> /raid/chroot/www/test/lib:
> total 1668
> -rwxr-xr-x 1 root root 92164 Nov 28 20:09 ld-linux.so.2
> -rwxr-xr-x 1 root root 1164276 Nov 28 20:09 libc.so.6
> -rwxr-xr-x 1 root root 21876 Nov 28 20:09 libcrypt.so.1
> -rwxr-xr-x 1 root root 9588 Nov 28 20:09 libdl.so.2
> -rwxr-xr-x 1 root root 76444 Nov 28 20:09 libnsl.so.1
> -rwxr-xr-x 1 root root 30328 Nov 28 20:09 libnss_compat-2.3.6.so
> -rwxr-xr-x 1 root root 30328 Nov 28 20:09 libnss_compat.so.2
> -rwxr-xr-x 1 root root 63644 Nov 28 20:09 libpthread.so.0
> -rwxr-xr-x 1 root root 63104 Nov 28 20:09 libresolv.so.2
> -rwxr-xr-x 1 root root 30536 Nov 28 20:09 librt.so.1
> -rwxr-xr-x 1 root root 9588 Nov 28 20:09 libutil.so.1
> -rwxr-xr-x 1 root root 87368 Nov 28 20:09 libz.so.1
>
> /raid/chroot/www/test/usr/lib:
> total 1880
> drwxr-xr-x 3 root root 30 Nov 28 20:08 binutils
> -rwxr-xr-x 1 root root 1587288 Nov 28 20:09 libcrypto.so.0.9.8
> -rwxr-xr-x 1 root root 34144 Nov 28 20:09 libpopt.so.0
> -rwxr-xr-x 1 root root 297420 Nov 28 20:09 libssl.so.0.9.8
> drwxr-xr-x 2 root root 24 Nov 28 20:09 misc
>
> OS is up-to-date Gentoo hardened stable:
> flagg scponly # uname -a
> Linux flagg 2.6.16-hardened-r11 #3 SMP Tue Nov 28 14:00:57 EST 2006 i686 Celeron (Mendocino) GenuineIntel GNU/Linux
>
> configure options were:
> --enable-scp-compat \
> --enable-winscp-compat \
> --enable-rsync-compat \
> --enable-chrooted-binary \
>
> At this point, I'm not sure which step to take next. Any (more) ideas would
> be appreciated.
>
> Thanks,
> Brian
>
> Paul Hyder wrote:
>
>> This appears to be an incomplete jail configuration. Generally means there
>> is a library that needs to be added for the sftp-server.
>>
>> 1. Verify the sftp-server permissions
>>    (/raid/chroot/www/test/usr/lib/misc/sftp-server)
>> 2. Run ldd on the sftp-server binary and make sure all of the listed libraries
>>    are installed in the correct location for the jail. If they are all present
>>    run ldd on the libraries and make sure they don't need a missing library.
>>
>> Server OS and configure options?
>> Paul Hyder
>>
>> Brian Davis wrote:
>>
>>
>>> Here is the detailed debug, for scponly and sshd. Looks like I still
>>> need to turn on more debugging somewhere. As a point of reference, SFTP
>>> does work for non scponly users.
>>>
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: subsystem: exec() /usr/lib/misc/sftp-server
>>> Nov 28 14:30:29 flagg scponly[3511]: chrooted binary in place, will chroot()
>>> Nov 28 14:30:29 flagg scponly[3511]: 3 arguments in total.
>>> Nov 28 14:30:29 flagg scponly[3511]: arg 0 is scponlyc
>>> Nov 28 14:30:29 flagg scponly[3511]: arg 1 is -c
>>> Nov 28 14:30:29 flagg scponly[3511]: arg 2 is /usr/lib/misc/sftp-server
>>> Nov 28 14:30:29 flagg scponly[3511]: opened log at LOG_AUTHPRIV, opts 0x00000009
>>> Nov 28 14:30:29 flagg scponly[3511]: retrieved home directory of "/raid/chroot/www/test//incoming" for user "test"
>>> Nov 28 14:30:29 flagg scponly[3511]: chrooting to dir: "/raid/chroot/www/test"
>>> Nov 28 14:30:29 flagg scponly[3511]: chdiring to dir: "/incoming"
>>> Nov 28 19:30:29 flagg scponly[3511]: setting uid to 1003
>>> Nov 28 19:30:29 flagg scponly[3511]: processing request: "/usr/lib/misc/sftp-server"
>>> Nov 28 19:30:29 flagg scponly[3511]: running: /usr/lib/misc/sftp-server (username: test(1003), IP/port: 16.4.18.22 3059 8364)
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: Received SIGCHLD.
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_by_pid: pid 3511
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_exit_message: session 0 channel 0 pid 3511
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_exit_message: release channel 0
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_by_channel: session 0 channel 0
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_close_by_channel: channel 0 child 0
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_close: session 0 pid 0
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: channel 0: free: server-session, nchannels 1
>>> Nov 28 14:30:29 flagg sshd[3510]: Connection closed by 16.4.18.22
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: do_cleanup
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: PAM: cleanup
>>> Nov 28 14:30:29 flagg sshd(pam_unix)[3510]: session closed for user test
>>> Nov 28 14:30:29 flagg sshd[3510]: Closing connection to 16.4.18.22
>>> Nov 28 14:30:29 flagg sshd[3510]: debug1: PAM: cleanup
>>>
>>> Thanks,
>>> Brian
>>>
>>>
>>> Paul Hyder wrote:
>>>
>>>
>>>> Sounds like the selected sftp server exits.
>>>>
>>>> Have you tried setting the debuglevel to 1? (default install puts this
>>>> file in /usr/local/etc/scponly, change it from 0 to 1) The extended
>>>> diagnostics should be useful.
>>>>
>>>> Would also help to know what options you used with configure and the
>>>> server's operating system.
>>>> Paul Hyder
>>>> NOAA Earth System Research Laboratory, Global Systems Division
>>>> Boulder, CO
>>>>
>>>>
>>>> Brian Davis wrote:
>>>>
>>>>
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm using WinSCP 3.8.2. The session default of "SFTP (allow SCP
>>>>> fallback)" is checked. When WinSCP tries to connect, it gives the
>>>>> following error and immediately disconnects:
>>>>>
>>>>> "Cannot initalize SFTP protocol. Is the host running a SFTP server?
>>>>> Connection has been unexpectedly closed. Server sent command exit status
>>>>> 255."
>>>>>
>>>>> However, selecting SCP for the session seems to work fine. Here is my
>>>>> auth.log when trying sftp:
>>>>>
>>>>> Nov 26 22:14:41 flagg sshd[20279]: Accepted keyboard-interactive/pam for test from 192.168.1.103 port 3530 ssh2
>>>>> Nov 26 22:14:41 flagg sshd(pam_unix)[13368]: session opened for user test by (uid=0)
>>>>> Nov 26 22:14:41 flagg sshd[13368]: subsystem request for sftp
>>>>> Nov 27 03:14:41 flagg scponly[12982]: running: /usr/lib/misc/sftp-server (username: test(1003), IP/port: 192.168.1.103 3530 7777)
>>>>> Nov 26 22:14:41 flagg sshd(pam_unix)[13368]: session closed for user test
>>>>>
>
>>>>> Any ideas?
>>>>>
>>>>> Also, can the logging for scponly be configured to use local time rather
>>>>> than GMT?
>>>>>
>>>>> Thanks!
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> scponly mailing list
>>>>> scponly at lists.ccs.neu.edu
>>>>> https://lists.ccs.neu.edu/bin/listinfo/scponly
>
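
The two checks suggested in this thread (every library that ldd lists must exist under the jail root, and the user must have an entry in the jail's own passwd file) can be scripted. This is an added example, not part of the original messages or of scponly; the function names are invented, and the paths in the usage comment are the ones quoted above.

```shell
#!/bin/sh
# Added example; function names are invented, paths are those in the thread.

# Read ldd output on stdin and print each library path that has no copy
# under the jail root. Handles "name => /path (addr)" lines and the bare
# "/path (addr)" line that ldd prints for the dynamic loader.
jail_missing_libs() {
    jail=$1
    while read -r first second third rest; do
        if [ "$second" = "=>" ]; then path=$third; else path=$first; fi
        case "$path" in
            /*) [ -e "$jail$path" ] || printf '%s\n' "$path" ;;
        esac
    done
}

# Succeed only if the jail's own etc/passwd is non-empty and has an entry
# for the user. After chroot(), /etc/passwd resolves to this file.
jail_has_user() {
    jail=$1
    user=$2
    [ -s "$jail/etc/passwd" ] || return 1
    awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' \
        "$jail/etc/passwd"
}

# Run both checks on a real jail. BINARY is the path as seen inside the jail.
check_jail() {
    jail=$1
    user=$2
    binary=$3
    status=0
    missing=$(ldd "$jail$binary" | jail_missing_libs "$jail")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing in jail: /'
        status=1
    fi
    if ! jail_has_user "$jail" "$user"; then
        echo "no entry for $user in $jail/etc/passwd"
        status=1
    fi
    return "$status"
}

# e.g. ./checkjail.sh /raid/chroot/www/test test /usr/lib/misc/sftp-server
if [ "$#" -eq 3 ]; then check_jail "$@"; fi
```

ldd does not list NSS modules such as the libnss_compat.so.2 in the jail listing above, because they are loaded at run time, so an empty missing-library list says nothing about name lookups; the passwd check covers that side.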