[scponly] Really struggling with Fedora Core 6

Kaleb Pederson kaleb.pederson at gmail.com
Thu Nov 15 00:38:33 EST 2007


On Wednesday 14 November 2007, Andy Woolley wrote:
> Hi Kaleb,
>
> Thanks for helping me with this.
>
> Right, here's the situation: I used to use scponly version 4.0 and this
> allowed me to create a jail where users could connect and navigate to via a
> shell and SFTP and this was very easy to set up - but something has changed
> in the latest version.

There are quite a few changes, but none of the other versions should ever have 
let anybody use ssh directly.  Can you provide more details?  What could 
somebody do before?  What would they see when they logged in?  What did the 
debug logs look like for scponly-4.0?

Perhaps the main difference is that 4.0 enabled scp access by default, whereas 
in the newest versions it's disabled by default.  That's probably one of the 
first things that I would try.

I would try something like the following:

./configure --enable-chrooted-binary --with-sftp-server=/path/to/chroot --enable-scp-compat --enable-winscp-compat

> No biggie though as the main facility we require is for users to login to
> their own jail and upload/download files via SFTP using a client such as
> WS_FTP Pro etc.

Right now, scponly is running the sftp-server on your system, so the problem 
is in the way that sftp is configured within the chroot, not with scponly.

In your first e-mail, you posted the following:

> [root at baba scponly-4.6]# grep "^exec" sftp.log*
> sftp.log.8574:execve("/usr/local/sbin/scponlyc", ["scponlyc"..., "-c"...,
> "/usr/libexec/openssh/sftp-server"], [/* 9 vars */]) = 0
> sftp.log.8574:execve("/usr/libexec/openssh/sftp-server",
> ["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = 0

But, in the set you provided, the sftp-server portion of the log is missing:

$ grep execv sftp.log.*
sftp.log.12685:execve("/usr/local/sbin/scponlyc", ["-scponlyc"...], [/* 11 vars */]) = 0

It's the piece that contains the execve for sftp-server that we need to look 
at.

> Please see attached error log showing good authentication but dropping the
> connection. This can be seen on lines 16 and 17 of the attached file.

It basically says the same thing as the other logs: the sftp server is being 
executed but not working correctly.

> So, in summary if I can just get scponly to allow SFTP connections this
> would be great. Would be nice to have shell access but will understand if
> this is not going to be possible like it was before.

I think the shell access you're thinking about is the scp compatibility that's 
currently disabled by default.

--Kaleb
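
An added example, not part of the original message or of scponly: one way to check every per-PID strace log for the execve of sftp-server that the reply asks for, reporting whether it succeeded, failed, or is absent. It assumes logs named sftp.log.<pid> with one syscall per line; the first two sample logs reuse the execve lines quoted above (rejoined onto one line), and the ENOENT log is constructed.

```shell
#!/bin/sh
# Added example. Assumes per-PID strace logs named sftp.log.<pid>, one syscall
# per line. Function names and the ENOENT sample are constructed for illustration.

# Print "<file> scponlyc=<yes|no> sftp-server=<ok|failed:ERRNO|missing>" per log.
check_exec_chain() {
    for f in "$1"/sftp.log.*; do
        [ -f "$f" ] || continue
        # With " as field separator, $2 is the path handed to execve, so an
        # sftp-server path that only appears in scponlyc's argv is not counted.
        awk -F'"' -v name="${f##*/}" '
            BEGIN { wrapper = "no"; server = "missing" }
            /^execve\(/ {
                n = split($0, part, /\) = /)   # part[n]: text after the call
                split(part[n], res, " ")       # res[1]: return, res[2]: errno
                if ($2 ~ /\/scponlyc$/ && res[1] == "0") wrapper = "yes"
                if ($2 ~ /\/sftp-server$/)
                    server = (res[1] == "0") ? "ok" : "failed:" res[2]
            }
            END { print name, "scponlyc=" wrapper, "sftp-server=" server }
        ' "$f"
    done
}

# Write three sample logs into directory $1.
make_sample_logs() {
    cat > "$1/sftp.log.8574" <<'EOF'
execve("/usr/local/sbin/scponlyc", ["scponlyc"..., "-c"..., "/usr/libexec/openssh/sftp-server"], [/* 9 vars */]) = 0
execve("/usr/libexec/openssh/sftp-server", ["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = 0
EOF
    cat > "$1/sftp.log.12685" <<'EOF'
execve("/usr/local/sbin/scponlyc", ["-scponlyc"...], [/* 11 vars */]) = 0
EOF
    # Constructed: sftp-server path does not resolve for the calling process.
    cat > "$1/sftp.log.99999" <<'EOF'
execve("/usr/local/sbin/scponlyc", ["scponlyc"..., "-c"..., "/usr/libexec/openssh/sftp-server"], [/* 9 vars */]) = 0
execve("/usr/libexec/openssh/sftp-server", ["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)
EOF
}

demo=$(mktemp -d) && make_sample_logs "$demo" && check_exec_chain "$demo"
rm -rf "$demo"
```

A result of "ok" only shows that the exec succeeded; what sftp-server does afterwards has to be read from the lines that follow it in the same log.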


