[scponly] Need help with chrooted scponly 4.6 on centos 5

Security Team security at peakpeak.com
Sat Sep 15 13:33:05 EDT 2007




On 9/15/07 10:47 AM, "Kaleb Pederson" <kibab at icehouse.net> wrote:

> On Saturday 15 September 2007, you wrote:
>> Sep 15 16:03:49 teton1 scponly[10583]: running:
>> /usr/libexec/openssh/sftp-server (username: userguy(816), IP/port:
>> 192.168.0.3 52585 22)
> 
> This is correct.  This means that scponly is configured correctly and the
> chroot, or something in the chroot, is the problem.  There is a FAQ that
> talks a little bit about debugging this.

Hi Kaleb:

Yes, found it. Also applied the sftp logging patch rebuilding openssh from
source (yuck). And rebuilding scponly with sftp logging.

I'm not sure sftp-server is emitting any log messages yet, but when I
restart ssh it no longer gags on the sshd_config file with the sftp-logging
directives in it, so I'm making progress on that as a separate issue.

> 
> http://sublimation.org/scponly/wiki/index.php/FAQ#I_still_can.27t_find_my_problem.2C_what_else_can_I_try.3F
> 
> Before you try that, you might try the following:
> 
> If your version of ldconfig supports '-r root', then you might verify that all
> the necessary libraries are indeed present:
> 
> ldconfig -r /home/userguy -v
> 
> If there are a bunch of references to not found libraries, then that's a
> problem.

This is the only scary message:

# ldconfig -r /home/userguy -v
ldconfig: Can't stat /usr/ofed/lib: No such file or directory

> 
> Also, you might try copying /bin/sh into the chroot temporarily, and making
> sure that you can chroot to the directory manually, and then run sftp-server
> as the person that you are trying to connect as.

Unclear on this part, but I'm re-reading this sentence a couple times to
figure out what to try.


> Lastly, make sure permissions on /dev/null are correct.

[root@teton1 userguy]# ls -l dev/
total 0
-rw-r--r-- 1 root root 0 Sep 15 09:52 null

Not sure if this is correct or not.

> 
> If none of that works, then it's something a little more subtle with the
> chroot.  In that case, you'll probably need to follow the steps outlined in
> the FAQ above.
> 
> Good luck.
> 
> --Kaleb

I went through the FAQ and got the attached log file out of it.  Looks like
there is something useful in there, though I am not exactly sure what at
this point.

I've got to be doing something really stupid, I can hardly wait to figure
out what it is :)

Chris

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sftp.log.2046.gz
Type: application/octet-stream
Size: 3404 bytes
Desc: not available
Url : https://lists.ccs.neu.edu/pipermail/scponly/attachments/20070915/815a1d8d/attachment.obj 
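
The chroot checks suggested in the quoted reply (libraries present, /dev/null correct) can be scripted. The following is an added example, not part of the original message or of scponly; it assumes Linux with GNU stat, and takes the chroot path and sftp-server path shown in the thread as defaults. A /dev/null that is a regular file, like the one in the `ls -l dev/` listing above, fails the first check.

```shell
#!/bin/sh
# Added example: two sanity checks for an scponly-style chroot (Linux, GNU stat).

# check_dev_null ROOT: succeed only if ROOT/dev/null is a character device
# with major 1, minor 3 (the Linux null device) and mode 666.
check_dev_null() {
    node="$1/dev/null"
    if [ ! -e "$node" ]; then
        echo "missing: $node"; return 1
    fi
    if [ ! -c "$node" ]; then
        echo "not a character device: $node"; return 1
    fi
    # %t/%T are the major/minor numbers in hex, %a the octal permissions.
    set -- $(stat -c '%t %T %a' "$node")
    if [ "$1:$2" != "1:3" ]; then
        echo "wrong device numbers $1:$2 on $node"; return 1
    fi
    if [ "$3" != "666" ]; then
        echo "mode $3 on $node, expected 666"; return 1
    fi
    echo "ok: $node"
}

# missing_libs ROOT BINARY: print every shared object BINARY needs (per ldd)
# that has no copy at the same path under ROOT. Run ldd on trusted binaries only.
missing_libs() {
    ldd "$2" 2>/dev/null |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' |
    while read -r lib; do
        [ -e "$1$lib" ] || echo "$lib"
    done
}

# Usage: sh check.sh /home/userguy [/usr/libexec/openssh/sftp-server]
if [ $# -gt 0 ]; then
    check_dev_null "$1"
    missing_libs "$1" "${2:-/usr/libexec/openssh/sftp-server}"
fi
```

A failing device check is normally repaired as root by removing the regular file and running `mknod -m 666 /home/userguy/dev/null c 1 3`.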

