[scponly] Need help with chrooted scponly 4.6 on centos 5

Security Team security at peakpeak.com
Thu Sep 13 18:38:04 EDT 2007

On 9/12/07 9:11 PM, "Kaleb Pederson" <kibab at icehouse.net> wrote:

> On Wednesday 12 September 2007, Security Team wrote:
>> In /etc/ssh/sshd_config I have:
>> 
>> Subsystem       sftp    /usr/local/sbin/scponlyc
> 
> You don't want this, this should be left at the default for your distro,
> whatever that was.
> 
> This is a different way of having the ssh server invoke a specific command,
> instead of the sftp-server.
> 
>> And finally, I built scponly with these options (here is my build script):
>> --------
>> tar xvfz scponly-4.6.tgz
>> cd scponly-4.6
>> 
>> ./configure -enable-chrooted-binary --enable-sftp-logging-compat
>> --enable-rsync-compat \
>>         --enable-scp-compat --enable-quota-compat --disable-chroot-checkdir
> 
> Unless you have the sftp-logging patch... you don't want this.  You still get
> logging, but not of the sftp-logging patch type.
> 
>> Sep 12 08:32:57 teton1 scponly[18677]: 3 arguments in total.
>> Sep 12 08:32:57 teton1 scponly[18677]:  arg 0 is scponlyc
>> Sep 12 08:32:57 teton1 scponly[18677]:  arg 1 is -c
>> Sep 12 08:32:57 teton1 scponly[18677]:  arg 2 is /usr/local/sbin/scponlyc
> 
> arg 2 comes from the subsystem command that you specified... which is why
> scponly is rejecting it.
> 
> If everything else in the chroot is ok, then it should work after you make
> those changes.
> 
> --Kaleb

Hello Kaleb:

After taking that Subsystem line out, I get this when an SFTP client tries
to connect:

Sep 13 16:34:42 teton1 scponly[28554]: chrooting to dir: "/home/userguy"
Sep 13 16:34:42 teton1 scponly[28554]: chdiring to dir: "/"
Sep 13 22:34:42 teton1 scponly[28554]: setting uid to 816
Sep 13 22:34:42 teton1 scponly[28554]: processing request: "/usr/libexec/openssh/sftp-server"
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "LOG_SFTP" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Found "USER" and setting it to " userguy"
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_UMASK" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_PERMIT_CHMOD" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_PERMIT_CHOWN" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_LOG_LEVEL" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_LOG_FACILITY" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Environment contains "USER= userguy"
Sep 13 22:34:42 teton1 scponly[28554]: running: /usr/libexec/openssh/sftp-server (username: userguy(816), IP/port: 192.168.0.3 49268 22)
Sep 13 16:34:45 teton1 sshd[28551]: pam_unix(sshd:session): session closed for user userguy

In that 4th line above, it sure seems like it wants to talk to something in
scponly, because it is called sftp-server now and is getting lots of "unable to
find" messages.

Did I misunderstand your instructions?  I just changed the sshd_config file
to be:

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
#Subsystem      sftp    /usr/local/sbin/scponlyc

And restarted sshd.

Regards,
Chris
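A sanity check for the chroot that the log above shows scponly entering: it chroots to /home/userguy and then resolves /usr/libexec/openssh/sftp-server relative to that root, so the binary and whatever it needs must exist inside the chroot. This is an added example, not code from the thread or from scponly; the function name check_chroot and the list of required files are assumptions for illustration.

```shell
#!/bin/sh
# check_chroot ROOT BINARY
#   ROOT   - the directory scponly logs as "chrooting to dir" (e.g. /home/userguy)
#   BINARY - the path scponly logs as "processing request", which it resolves
#            inside the chroot after chrooting
# Prints every missing item; returns 1 if anything is absent, 0 otherwise.
# The set of required files is an assumption for this example, not scponly's own list.
check_chroot() {
    root=$1
    bin=$2
    status=0
    # The sftp-server binary plus the minimal files a chrooted sftp-server needs
    # to map uid 816 back to "userguy" and to have a usable /dev/null.
    for f in "$bin" /etc/passwd /etc/group /dev/null; do
        if [ ! -e "$root$f" ]; then
            echo "missing in chroot: $root$f"
            status=1
        fi
    done
    # If the binary is dynamically linked, each shared library ldd reports must
    # also exist under the chroot, because the loader searches there, not in /.
    if [ -e "$root$bin" ] && ldd "$root$bin" >/dev/null 2>&1; then
        for lib in $(ldd "$root$bin" | awk '/=> \//{print $3} /^[ \t]*\//{print $1}'); do
            if [ ! -e "$root$lib" ]; then
                echo "missing library in chroot: $root$lib"
                status=1
            fi
        done
    fi
    return $status
}

# Usage: sh check_chroot.sh /home/userguy /usr/libexec/openssh/sftp-server
if [ "$#" -eq 2 ]; then
    check_chroot "$1" "$2"
fi
```

Run it as root on the server so permission checks on the chroot do not mask a genuinely missing file.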