[scponly] Why isn't scponlyc siphoning off the path following the double slash?

Thu Nov 1 19:27:09 EDT 2007

>It may or may not be running.  Depending on how your syslog daemon 
>is configured it might just swallow output that it's not expecting 
>or hasn't been configured to deal with.  You should be able to turn 
>on debugging in the ssh server by setting the LogLevel directive 
>until you can tell whether or not it's executing scponly.

Sorry I am not being clear. I already know that scponly never gets to 
run because the sshd is acting on whole directory path, double 
slashes and all:

debug1: trying public key file 
/home/halllvd/planaria//hallweb/.ssh/authorized_keys

Since the authorized keys file is one level up, the authorization 
fails. If I remove the double slash and trailing directory, then 
rsync does indeed work and reports scponlyc as the shell.

So who's really responsible for parsing the double slash? It would 
seem for this to work, it must be ssh and therefore, OpenSSH must 
have this functionality. But does it?

>
>On 11/1/07, Maurice Volaski <<mailto:mvolaski at aecom.yu.edu> 
>mvolaski at aecom.yu.edu> wrote:
>
>  >Please turn on debugging.  Details are in the FAQ but here's the summary:
>>
>>echo 1 > $INSTALL_PREFIX/etc/scponly/debuglevel
>>
>>Once you've done that, you can grab debug output from your syslog
>>daemon which will help us figure out what's going on.
>>
>
>Sorry, I didn't mention that I had debugging on. There are no
>messages logged about this or at all for that matter when I run it
>this way from scponly. I think that makes sense. It seems that sshd
>is reading /etc/passwd and scponlyc doesn't ever get to run. So how
>could the double slash mechanism ever work unless it were a feature
>of ssh? I'm running OpenSSH 4.7_p1.
>
>>
>>On 10/31/07, Maurice Volaski
>><<mailto:<mailto:mvolaski at aecom.yu.edu> 
>>mvolaski at aecom.yu.edu><mailto:mvolaski at aecom.yu.edu>mvolaski at aecom.yu.edu> 
>>wrote:
>>
>>On a 64-bit Gentoo system, I have the following in /etc/passwd
>>
>>planaria:x:1004:1009::/home/halllvd/planaria//hallweb:/usr/sbin/scponlyc
>>
>>So /home/halllvd/planaria/ is the user's account on this system and
>>also the chroot environment and it's owned by root, not this user.
>>The .ssh directory for this user is in there, too.
>>
>>I can ssh to it given a bash shell here, and I can chroot to it, too.
>>
>>hallweb is the writable directory for this user within the chrooted
>>environment and also the home in /etc/passwd of the chrooted
>>environment.
>>
>>Without the double slash present, rsync can write files in it. But
>>with the double slash present, rsync cannot connect and I see in the
>>sshd debug
>>
>>debug1: trying public key file
>>/home/halllvd/planaria//hallweb/.ssh/authorized_keys
>>
>>So for some reason, sshd is receiving this whole path, double slashes
>>and all. Shouldn't scponlyc be siphoning off that information, so
>>sshd sees just the chrooted path, which is where the .ssh directory
>>is?
>  >--

-- 

Maurice Volaski, mvolaski at aecom.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University