[scponly] Need help with chrooted scponly 4.6 on centos 5
Kaleb Pederson
kibab at icehouse.net
Wed Sep 12 23:11:58 EDT 2007
On Wednesday 12 September 2007, Security Team wrote:
> In /etc/ssh/sshd_config I have:
>
> Subsystem sftp /usr/local/sbin/scponlyc

You don't want this; this should be left at the default for your distro,
whatever that was.

This is a different way of having the ssh server invoke a specific command,
instead of the sftp-server.

> And finally, I built scponly with these options (here is my build script):
> --------
> tar xvfz scponly-4.6.tgz
> cd scponly-4.6
>
> ./configure -enable-chrooted-binary --enable-sftp-logging-compat \
> --enable-rsync-compat \
> --enable-scp-compat --enable-quota-compat --disable-chroot-checkdir

Unless you have the sftp-logging patch... you don't want this. You still get
logging, but not of the sftp-logging patch type.

> Sep 12 08:32:57 teton1 scponly[18677]: 3 arguments in total.
> Sep 12 08:32:57 teton1 scponly[18677]: arg 0 is scponlyc
> Sep 12 08:32:57 teton1 scponly[18677]: arg 1 is -c
> Sep 12 08:32:57 teton1 scponly[18677]: arg 2 is /usr/local/sbin/scponlyc

arg 2 comes from the subsystem command that you specified... which is why
scponly is rejecting it.

If everything else in the chroot is ok, then it should work after you make
those changes.

--Kaleb
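
Added example, not part of the original message or of scponly itself: a read-only shell check for the two symptoms discussed above, an sshd_config whose sftp Subsystem points at scponly/scponlyc, and debug log lines where scponly is handed its own path as an argument. The function names and the sample input are constructed for illustration; the paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: two read-only checks for the misconfiguration discussed
# in this thread. Both functions read their input on stdin.

# Print the command configured for "Subsystem sftp" (empty if none).
# Commented-out lines do not match because their first field starts with '#'.
sftp_subsystem_cmd() {
    awk 'tolower($1) == "subsystem" && $2 == "sftp" { print $3; exit }'
}

# Classify that command: "scponly" if it is scponly/scponlyc (the setting
# the reply says to revert), "unset" if there is no such line, else "other".
classify_sftp_subsystem() {
    cmd=$(sftp_subsystem_cmd)
    [ -n "$cmd" ] || { echo unset; return; }
    case "${cmd##*/}" in
        scponly|scponlyc) echo scponly ;;
        *)                echo other ;;
    esac
}

# Count scponly debug lines where an argument after "-c" (index >= 2) is
# scponly itself, i.e. the symptom shown in the quoted log.
count_self_invocations() {
    awk '/scponly\[[0-9]+\]: arg [0-9]+ is / {
             p = $NF; sub(/.*\//, "", p)      # basename of the argument
             if ($(NF-2) >= 2 && (p == "scponly" || p == "scponlyc")) c++
         }
         END { print c + 0 }'
}

# Constructed sample input mirroring the lines quoted in the thread.
SAMPLE_CONFIG='# constructed sshd_config fragment
Subsystem sftp /usr/local/sbin/scponlyc'
SAMPLE_LOG='Sep 12 08:32:57 teton1 scponly[18677]: arg 0 is scponlyc
Sep 12 08:32:57 teton1 scponly[18677]: arg 1 is -c
Sep 12 08:32:57 teton1 scponly[18677]: arg 2 is /usr/local/sbin/scponlyc'

printf '%s\n' "$SAMPLE_CONFIG" | classify_sftp_subsystem
printf '%s\n' "$SAMPLE_LOG" | count_self_invocations
```

On a real host the same functions can be fed the live files, for example `classify_sftp_subsystem < /etc/ssh/sshd_config`.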