[scponly] Really struggling with Fedora Core 6

Andy Woolley andy at milonic.com
Wed Nov 14 17:31:19 EST 2007


Hi Kaleb,

Thanks for helping me with this.

Right, here's the situation: I used to use scponly version 4.0 and this 
allowed me to create a jail where users could connect and navigate to via a 
shell and SFTP, and this was very easy to set up - but something has changed 
in the latest version.

No biggie though, as the main facility we require is for users to log in to 
their own jail and upload/download files via SFTP using a client such as 
WS_FTP Pro, etc.

Please see attached error log showing good authentication but dropping the 
connection. This can be seen on lines 16 and 17 of the attached file.

So, in summary, if I can just get scponly to allow SFTP connections this would 
be great. It would be nice to have shell access, but I will understand if this is 
not going to be possible like it was before.

Cheers,
Andy



----- Original Message ----- 
From: "Kaleb Pederson" <kaleb.pederson at gmail.com>
To: "Andy Woolley" <andy at milonic.com>
Cc: <scponly at lists.ccs.neu.edu>
Sent: Wednesday, November 14, 2007 7:03 PM
Subject: Re: [scponly] Really struggling with Fedora Core 6


> Hi Andy,
>
> I took a look at the logs, but they don't contain the execv command
> for the sftp-server, so I'm not sure if they're all present.
>
> But, in looking at your post, I'm not sure I understand exactly what
> the problem is.  So you want to have SFTP and SSH working?  I
> initially interpreted that as SFTP over SSH (which is the only way it
> works).  Does SFTP work?
>
> With regards to the SSH piece, assuming you tried 'ssh user at host'
> where user has scponly as the shell, that should NOT work.  Scponly is
> intended to NOT let the user get access to a shell where they could
> run arbitrary commands.  Instead, the command to be executed must be
> specified at the time the user connects to the ssh server.
>
> E.g.
>
> ssh user at host 'cp /path/to/source/file /path/to/dest/file'
> ssh user at host 'ls /'
>
> etc.
>
> Sftp, rsync, and some other commands automatically do this without
> user intervention.
>
> Please clarify your intent.
>
> Thanks (and sorry I didn't notice the first time).
>
> --Kaleb
>
> On Nov 14, 2007 7:06 AM, Andy Woolley <andy at milonic.com> wrote:
>> Hi,
>>
>> Please see attached strace files.
>>
>> Kindest regards,
>> Andy Woolley
>> Milonic Solutions Ltd
>> http://www.milonic.com/
>>
>>
>>
>> ----- Original Message -----
>> From: "Kaleb Pederson" <kaleb.pederson at gmail.com>
>> To: "Andy Woolley" <andy at milonic.com>
>> Sent: Monday, November 12, 2007 8:36 PM
>> Subject: Re: [scponly] Really struggling with Fedora Core 6
>>
>>
>> > First, make sure you have a /dev/null node with correct permissions
>> > within the chroot.  Next, make sure that `ldconfig -r /path/to/chroot
>> > -v` is reasonable.
>> >
>> > If neither of those help, gzip and attach the strace output files.
>> >
>> > Thanks.
>> >
>> > --Kaleb
>> >
>> > On Nov 12, 2007 11:25 AM, Andy Woolley <andy at milonic.com> wrote:
>> >> Hi All,
>> >>
>> >> I've spent most of today getting scponly 4.6 to work on Fedora Core 6 but
>> >> it fails to allow any connections.
>> >>
>> >> I've been using scponly for years (version 4.0) and never had ANY
>> >> problems until now but these latest versions just do not appear to work
>> >> anymore.
>> >>
>> >> Anyway, all I want to do is create a jail for users who want to connect
>> >> to our servers through SSH and SFTP.
>> >>
>> >> I've been through ALL the docs and done EVERYTHING that was suggested.
>> >>
>> >> Here's some info that might help:
>> >>
>> >> [root at baba scponly-4.6]# ps -Af | grep -i ruth
>> >> root      8555 32736  0 18:55 pts/0    00:00:00 grep -i ruth
>> >> [root at baba scponly-4.6]# ps -Af | grep -i ruth
>> >> root      8556  2203  1 18:55 ?        00:00:00 sshd: ruth [priv]
>> >> sshd      8557  8556  0 18:55 ?        00:00:00 sshd: ruth [net]
>> >> root      8559 32736  0 18:55 pts/0    00:00:00 grep -i ruth
>> >> [root at baba scponly-4.6]# strace -o sftp.log -f -ff -p 8556
>> >> Process 8556 attached - interrupt to quit
>> >> Process 8556 detached
>> >> [root at baba scponly-4.6]# ps -Af | grep -i ruth
>> >> root      8566  2203  1 18:58 ?        00:00:00 sshd: ruth [priv]
>> >> sshd      8567  8566  0 18:58 ?        00:00:00 sshd: ruth [net]
>> >> root      8569 32736  0 18:58 pts/0    00:00:00 grep -i ruth
>> >> [root at baba scponly-4.6]# strace -o sftp.log -f -ff -p 8566
>> >> Process 8566 attached - interrupt to quit
>> >> Process 8573 attached (waiting for parent)
>> >> Process 8573 resumed (parent 8566 ready)
>> >> Process 8574 attached (waiting for parent)
>> >> Process 8574 resumed (parent 8573 ready)
>> >> Process 8574 detached
>> >> Process 8573 detached
>> >> Process 8566 detached
>> >> [root at baba scponly-4.6]# grep "^exec" sftp.log*
>> >> sftp.log.8574:execve("/usr/local/sbin/scponlyc", ["scponlyc"..., "-c"..., "/usr/libexec/openssh/sftp-server"], [/* 9 vars */]) = 0
>> >> sftp.log.8574:execve("/usr/libexec/openssh/sftp-server", ["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = 0
>> >>
>> >> Here is some /var/log/secure details
>> >>
>> >> [root at baba scponly-4.6]# tail -f /var/log/secure
>> >> *****This is SFTP ********
>> >> Nov 12 19:20:15 baba sshd[9078]: Accepted password for ruth from 123.123.123.123 port 34795 ssh2
>> >> Nov 12 19:20:15 baba sshd[9078]: pam_unix(sshd:session): session opened for user ruth by (uid=0)
>> >> Nov 12 19:20:15 baba sshd[9080]: subsystem request for sftp
>> >> Nov 12 19:20:15 baba scponly[9081]: chrooted binary in place, will chroot()
>> >> Nov 12 19:20:15 baba scponly[9081]: 3 arguments in total.
>> >> Nov 12 19:20:15 baba scponly[9081]:     arg 0 is scponlyc
>> >> Nov 12 19:20:15 baba scponly[9081]:     arg 1 is -c
>> >> Nov 12 19:20:15 baba scponly[9081]:     arg 2 is /usr/libexec/openssh/sftp-server
>> >> Nov 12 19:20:15 baba scponly[9081]: opened log at LOG_AUTHPRIV, opts 0x00000029
>> >> Nov 12 19:20:15 baba scponly[9081]: retrieved home directory of "/home/ruth" for user "ruth"
>> >> Nov 12 19:20:15 baba scponly[9081]: chrooting to dir: "/home/ruth"
>> >> Nov 12 19:20:15 baba scponly[9081]: chdiring to dir: "/"
>> >> Nov 12 19:20:15 baba scponly[9081]: setting uid to 506
>> >> Nov 12 19:20:15 baba scponly[9081]: processing request: "/usr/libexec/openssh/sftp-server"
>> >> Nov 12 19:20:15 baba scponly[9081]: running: /usr/libexec/openssh/sftp-server (username: ruth(506), IP/port: 123.123.123.123 34795 22)
>> >> Nov 12 19:20:15 baba sshd[9078]: pam_unix(sshd:session): session closed for user ruth
>> >> *****This is SSH ********
>> >> Nov 12 19:20:26 baba sshd[9082]: Accepted password for ruth from 123.123.123.123 port 34797 ssh2
>> >> Nov 12 19:20:26 baba sshd[9082]: pam_unix(sshd:session): session opened for user ruth by (uid=0)
>> >> Nov 12 19:20:26 baba scponly[9085]: 1 arguments in total.
>> >> Nov 12 19:20:26 baba scponly[9085]:     arg 0 is -scponlyc
>> >> Nov 12 19:20:26 baba scponly[9085]: opened log at LOG_AUTHPRIV, opts 0x00000029
>> >> Nov 12 19:20:26 baba scponly[9085]: incorrect number of args
>> >> Nov 12 19:20:27 baba sshd[9082]: pam_unix(sshd:session): session closed for user ruth
>> >>
>> >> As you can see it tries to log in but just disconnects straight away; I
>> >> can't find anything useful in the logs and would really appreciate some help.
>> >>
>> >> Cheers,
>> >> Andy
>> >>
>> >>
>> >> _______________________________________________
>> >> scponly mailing list
>> >> scponly at lists.ccs.neu.edu
>> >> https://lists.ccs.neu.edu/bin/listinfo/scponly
>> >>
>> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sftp.error
Type: application/octet-stream
Size: 1191 bytes
Desc: not available
Url : https://lists.ccs.neu.edu/pipermail/scponly/attachments/20071114/b342edcb/attachment.obj 
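The two jail prerequisites Kaleb names earlier in the thread (a /dev/null node with correct permissions inside the chroot, and shared libraries the chrooted sftp-server can actually load) can be checked before debugging with strace. The script below is an added example written for this page, not scponly's own code; it assumes the binary copied into the jail is the same build as the host copy, so that `ldd` on the host copy lists the dependencies the jail must contain, and the jail path /home/ruth and binary path come from the logs above.

```shell
#!/bin/sh
# Added example (not scponly's own code): check an scponly chroot jail for
# the two prerequisites raised in this thread, a usable /dev/null node and
# the shared libraries the subsystem binary needs once chroot()ed.
# Assumes the binary inside the jail is a copy of the host's (so ldd on the
# host copy lists the same dependencies). Usage:
#   jail_dev_null /home/ruth && jail_missing_libs /home/ruth /usr/libexec/openssh/sftp-server

# Exit status: 0 = $1/dev/null is a world-writable character device,
# 1 = missing, 2 = present but not a character device, 3 = wrong mode.
jail_dev_null() {
    node="$1/dev/null"
    [ -e "$node" ] || { echo "missing: $node"; return 1; }
    [ -c "$node" ] || { echo "not a character device: $node"; return 2; }
    # Compare the ls mode string (portable across GNU and BSD ls).
    mode=$(ls -ld "$node" | cut -c1-10)
    [ "$mode" = "crw-rw-rw-" ] || { echo "mode $mode, want crw-rw-rw-: $node"; return 3; }
    return 0
}

# Prints the absolute library paths ldd reports for binary $1, one per line.
# Lines without a path (vdso, "statically linked") are skipped.
jail_needed_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }'
}

# Exit status is the number of items missing under jail $1 for binary $2:
# the binary itself plus every library (and the dynamic loader) it needs.
jail_missing_libs() {
    jail="$1"; bin="$2"; missing=0
    [ -x "$jail$bin" ] || { echo "binary not in jail: $jail$bin"; missing=$((missing + 1)); }
    for lib in $(jail_needed_libs "$bin"); do
        [ -e "$jail$lib" ] || { echo "library not in jail: $jail$lib"; missing=$((missing + 1)); }
    done
    return "$missing"
}
```

Each missing item is printed with its expected path under the jail, so the output doubles as the copy list for populating it.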

