[scponly] Really struggling with Fedora Core 6

Kaleb Pederson kaleb.pederson at gmail.com
Wed Nov 14 14:03:48 EST 2007


Hi Andy,

I took a look at the logs, but they don't contain the execv command
for the sftp-server, so I'm not sure if they're all present.

But, in looking at your post, I'm not sure I understand exactly what
the problem is.  So you want to have SFTP and SSH working?  I
initially interpreted that as SFTP over SSH (which is the only way it
works).  Does SFTP work?

With regards to the SSH piece, assuming you tried 'ssh user@host'
where user has scponly as the shell, that should NOT work.  Scponly is
intended to NOT let the user get access to a shell where they could
run arbitrary commands.  Instead, the command to be executed must be
specified at the time the user connects to the ssh server.

E.g.

ssh user@host 'cp /path/to/source/file /path/to/dest/file'
ssh user@host 'ls /'

etc.

Sftp, rsync, and some other commands automatically do this without
user intervention.

Please clarify your intent.

Thanks (and sorry I didn't notice the first time).

--Kaleb

On Nov 14, 2007 7:06 AM, Andy Woolley <andy at milonic.com> wrote:
> Hi,
>
> Please see attached strace files.
>
> Kindest regards,
> Andy Woolley
> Milonic Solutions Ltd
> http://www.milonic.com/
>
>
>
> ----- Original Message -----
> From: "Kaleb Pederson" <kaleb.pederson at gmail.com>
> To: "Andy Woolley" <andy at milonic.com>
> Sent: Monday, November 12, 2007 8:36 PM
> Subject: Re: [scponly] Really struggling with Fedora Core 6
>
>
> > First, make sure you have a /dev/null node with correct permissions
> > within the chroot.  Next, make sure that `ldconfig -r /path/to/chroot
> > -v` is reasonable.
> >
> > If neither of those help, gzip and attach the strace output files.
> >
> > Thanks.
> >
> > --Kaleb
> >
> > On Nov 12, 2007 11:25 AM, Andy Woolley <andy at milonic.com> wrote:
> >> Hi All,
> >>
> >> I've spent most of today getting scponly 4.6 to work on Fedora Core 6 but it
> >> fails to allow any connections.
> >>
> >> I've been using scponly for years (version 4.0) and never had ANY problems
> >> until now but these latest versions just do not appear to work anymore.
> >>
> >> Anyway, all I want to do is create a jail for users who want to connect to
> >> our servers through SSH and SFTP.
> >>
> >> I've been through ALL the docs and done EVERYTHING that was suggested.
> >>
> >> Here's some info that might help:
> >>
> >> [root@baba scponly-4.6]# ps -Af | grep -i ruth
> >> root      8555 32736  0 18:55 pts/0    00:00:00 grep -i ruth
> >> [root@baba scponly-4.6]# ps -Af | grep -i ruth
> >> root      8556  2203  1 18:55 ?        00:00:00 sshd: ruth [priv]
> >> sshd      8557  8556  0 18:55 ?        00:00:00 sshd: ruth [net]
> >> root      8559 32736  0 18:55 pts/0    00:00:00 grep -i ruth
> >> [root@baba scponly-4.6]# strace -o sftp.log -f -ff -p 8556
> >> Process 8556 attached - interrupt to quit
> >> Process 8556 detached
> >> [root@baba scponly-4.6]# ps -Af | grep -i ruth
> >> root      8566  2203  1 18:58 ?        00:00:00 sshd: ruth [priv]
> >> sshd      8567  8566  0 18:58 ?        00:00:00 sshd: ruth [net]
> >> root      8569 32736  0 18:58 pts/0    00:00:00 grep -i ruth
> >> [root@baba scponly-4.6]# strace -o sftp.log -f -ff -p 8566
> >> Process 8566 attached - interrupt to quit
> >> Process 8573 attached (waiting for parent)
> >> Process 8573 resumed (parent 8566 ready)
> >> Process 8574 attached (waiting for parent)
> >> Process 8574 resumed (parent 8573 ready)
> >> Process 8574 detached
> >> Process 8573 detached
> >> Process 8566 detached
> >> [root@baba scponly-4.6]# grep "^exec" sftp.log*
> >> sftp.log.8574:execve("/usr/local/sbin/scponlyc", ["scponlyc"..., "-c"..., "/usr/libexec/openssh/sftp-server"], [/* 9 vars */]) = 0
> >> sftp.log.8574:execve("/usr/libexec/openssh/sftp-server", ["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = 0
> >>
> >> Here is some /var/log/secure details:
> >>
> >> [root@baba scponly-4.6]# tail -f /var/log/secure
> >> *****This is SFTP ********
> >> Nov 12 19:20:15 baba sshd[9078]: Accepted password for ruth from 123.123.123.123 port 34795 ssh2
> >> Nov 12 19:20:15 baba sshd[9078]: pam_unix(sshd:session): session opened for user ruth by (uid=0)
> >> Nov 12 19:20:15 baba sshd[9080]: subsystem request for sftp
> >> Nov 12 19:20:15 baba scponly[9081]: chrooted binary in place, will chroot()
> >> Nov 12 19:20:15 baba scponly[9081]: 3 arguments in total.
> >> Nov 12 19:20:15 baba scponly[9081]:     arg 0 is scponlyc
> >> Nov 12 19:20:15 baba scponly[9081]:     arg 1 is -c
> >> Nov 12 19:20:15 baba scponly[9081]:     arg 2 is /usr/libexec/openssh/sftp-server
> >> Nov 12 19:20:15 baba scponly[9081]: opened log at LOG_AUTHPRIV, opts 0x00000029
> >> Nov 12 19:20:15 baba scponly[9081]: retrieved home directory of "/home/ruth" for user "ruth"
> >> Nov 12 19:20:15 baba scponly[9081]: chrooting to dir: "/home/ruth"
> >> Nov 12 19:20:15 baba scponly[9081]: chdiring to dir: "/"
> >> Nov 12 19:20:15 baba scponly[9081]: setting uid to 506
> >> Nov 12 19:20:15 baba scponly[9081]: processing request: "/usr/libexec/openssh/sftp-server"
> >> Nov 12 19:20:15 baba scponly[9081]: running: /usr/libexec/openssh/sftp-server (username: ruth(506), IP/port: 123.123.123.123 34795 22)
> >> Nov 12 19:20:15 baba sshd[9078]: pam_unix(sshd:session): session closed for user ruth
> >> *****This is SSH ********
> >> Nov 12 19:20:26 baba sshd[9082]: Accepted password for ruth from 123.123.123.123 port 34797 ssh2
> >> Nov 12 19:20:26 baba sshd[9082]: pam_unix(sshd:session): session opened for user ruth by (uid=0)
> >> Nov 12 19:20:26 baba scponly[9085]: 1 arguments in total.
> >> Nov 12 19:20:26 baba scponly[9085]:     arg 0 is -scponlyc
> >> Nov 12 19:20:26 baba scponly[9085]: opened log at LOG_AUTHPRIV, opts 0x00000029
> >> Nov 12 19:20:26 baba scponly[9085]: incorrect number of args
> >> Nov 12 19:20:27 baba sshd[9082]: pam_unix(sshd:session): session closed for user ruth
> >>
> >> As you can see it tries to login but just disconnects straight away; I can't
> >> find anything useful in the logs and would really appreciate some help.
> >>
> >> Cheers,
> >> Andy
> >>
> >>
> >> _______________________________________________
> >> scponly mailing list
> >> scponly at lists.ccs.neu.edu
> >> https://lists.ccs.neu.edu/bin/listinfo/scponly
> >>
>
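The two checks Kaleb asks for in the quoted reply (a usable /dev/null node inside the jail, and libraries resolvable inside it via `ldconfig -r`) plus the one implied by the trace (the command scponlyc execs after chroot must exist under the jail at the same absolute path, i.e. /home/ruth/usr/libexec/openssh/sftp-server for the log above), written up as a pre-flight script. This is an added example and is not scponly's own code or anything posted in the thread. It assumes a Linux host with `stat -c` and `ldd` available; the jail path and binary path are arguments, and /home/ruth and /usr/libexec/openssh/sftp-server are used only as the illustrative values from Andy's log.

```shell
#!/bin/sh
# Added example (not part of scponly): pre-flight checks for an scponly chroot.
# Assumes: Linux, stat -c (GNU/busybox), ldd present, and that the jail mirrors
# the host's absolute path of the command sshd hands to scponlyc.

# missing_libs JAIL BINARY
#   Print, one per line, every shared object (including the dynamic loader)
#   that JAIL/BINARY needs but that is absent from the jail. ldd is run on the
#   copy inside the jail but resolves against the host; only the paths it
#   reports are used, and each one is then tested for under JAIL.
missing_libs() {
    jail=${1%/}
    bin=$2
    if ! command -v ldd >/dev/null 2>&1; then
        echo "ldd not available, cannot enumerate libraries" >&2
        return 2
    fi
    ldd "$jail$bin" 2>/dev/null \
        | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
        | while read -r lib; do
            [ -e "$jail$lib" ] || echo "$lib"
          done
}

# check_chroot JAIL BINARY
#   Print one line per finding; return 0 only when everything scponlyc needs
#   to exec BINARY inside JAIL is present.
check_chroot() {
    jail=${1%/}
    bin=$2
    rc=0

    # 1. /dev/null inside the jail: a character device, world read/write.
    if [ ! -c "$jail/dev/null" ]; then
        echo "FAIL: $jail/dev/null is missing or not a character device"
        rc=1
    else
        mode=$(stat -c %a "$jail/dev/null")
        if [ "$mode" != "666" ]; then
            echo "FAIL: $jail/dev/null has mode $mode, expected 666"
            rc=1
        fi
    fi

    # 2. The requested command (the 'arg 2' in the scponly log) must exist in
    #    the jail at the same absolute path sshd passed to scponlyc.
    if [ ! -x "$jail$bin" ]; then
        echo "FAIL: $jail$bin is missing or not executable"
        rc=1
    else
        # 3. Every library ldd reports for it must be inside the jail as well.
        missing=$(missing_libs "$jail" "$bin")
        if [ -n "$missing" ]; then
            for lib in $missing; do
                echo "FAIL: $jail$lib (needed by $bin) is missing from the jail"
            done
            rc=1
        fi
    fi

    # 4. After chroot the loader reads the jail's own ld.so.cache; libraries
    #    outside the default search directories are found only through it.
    if [ ! -e "$jail/etc/ld.so.cache" ]; then
        echo "WARN: $jail/etc/ld.so.cache not found; consider: ldconfig -r $jail -v"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $jail looks ready to exec $bin"
    return $rc
}

# Stand-alone usage, e.g. for the jail in the log above:
#   sh check_jail.sh /home/ruth /usr/libexec/openssh/sftp-server
if [ $# -ge 2 ]; then
    check_chroot "$1" "$2"
fi
```

One caveat worth keeping in mind when reading the strace output: an `execve()` that returns 0, as both lines in Andy's grep do, only means the kernel mapped the new binary. If a shared object is missing inside the jail, the dynamic loader fails afterwards, inside the new image, which shows up in the per-PID log as failed `open()` calls on library paths followed by the process exiting, not as a failed `execve()`.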