[scponly] logging control

Christopher Barry christopher.barry at qlogic.com
Wed Apr 1 18:30:13 EDT 2009


> -----Original Message-----
> From: Kaleb Pederson [mailto:kaleb.pederson at gmail.com]
> Sent: Wednesday, April 01, 2009 12:59 PM
> To: Christopher Barry
> Cc: scponly at lists.ccs.neu.edu
> Subject: Re: [scponly] logging control
> 
> On Wed, Apr 1, 2009 at 9:00 AM, Christopher Barry
> <christopher.barry at qlogic.com> wrote:
> 
> [...snip...]
> > Anyone have a chance to chew on this? Are there some docs/posts I've
> missed that I should read first?
> 
> My response yesterday should reference enough documentation that you
> can figure this out.

Man, you overestimate me ;)

man sftp-server describes the two options, which I have tried.

> I created a suite of shell scripts for user, group, and chroot
> management at a company I worked for about five years ago.  Overall,
> it worked great and they're still using them.  I hope you end up with
> something generically useful.
> 
> Thanks.
> 
> --Kaleb

Basically my approach too - hopefully it does work out.

Here's what's happening now:

I had tried the -l and -f options before in the subsystem, and it would not work with scponly. That's why I thought I needed the env vars set to something. If I set -l and -f, I can sftp normally as root no problem, and I see the enhanced logging. When I then try to connect as an sftp user, I get the error below.

Apr  1 17:58:27 <removed> sshd[6489]: Accepted publickey for se from 10.32.8.200 port 60160 ssh2
Apr  1 17:58:27 <removed> sshd[6491]: pam_unix(sshd:session): session opened for user se by (uid=0)
Apr  1 17:58:27 <removed> sshd[6491]: subsystem request for sftp
Apr  1 17:58:27 <removed> scponly[6492]: chrooted binary in place, will chroot()
Apr  1 17:58:27 <removed> scponly[6492]: 3 arguments in total.
Apr  1 17:58:27 <removed> scponly[6492]: ^Iarg 0 is scponlyc
Apr  1 17:58:27 <removed> scponly[6492]: ^Iarg 1 is -c
Apr  1 17:58:27 <removed> scponly[6492]: ^Iarg 2 is /usr/lib/openssh/sftp-server -l INFO -f AUTH
Apr  1 17:58:27 <removed> scponly[6492]: opened log at LOG_AUTHPRIV, opts 0x00000029
Apr  1 17:58:27 <removed> scponly[6492]: retrieved home directory of "/var/sftp/chroot_partners/se//home/se" for user "se"
Apr  1 17:58:27 <removed> scponly[6492]: chrooting to dir: "/var/sftp/chroot_partners/se"
Apr  1 17:58:27 <removed> scponly[6492]: chdiring to dir: "/home/se"
Apr  1 17:58:27 <removed> scponly[6492]: chdiring to dir: "/home/se"
Apr  1 17:58:27 <removed> scponly[6492]: setting uid to 10000
Apr  1 17:58:27 <removed> scponly[6492]: processing request: "/usr/lib/openssh/sftp-server -l INFO -f AUTH"
Apr  1 17:58:27 <removed> scponly[6492]: denied request: /usr/lib/openssh/sftp-server -l INFO -f AUTH (resolved to: /usr/lib/sftp-server -l INFO -f AUTH) [username: se(10000), IP/port: 10.32.8.200 60160 22]
Apr  1 17:58:27 <removed> sshd[6491]: pam_unix(sshd:session): session closed for user se


I'm running ssh4.7 in Ubuntu 8.10. /usr/lib/openssh/sftp-server is the binary, and is a symlink to it. Is there a transition as it chroots, and the paths may be incorrect?

[UPDATE] I investigated this before sending this email. I created a /usr/lib/openssh dir in the chroot, and copied sftp-server there. Same issue (denied request). Everything works fine for scponly if I remove the -l and -f options from sshd_config. 'who' is denying the request here? sshd, sftp-server or scponly?

Any ideas?

Thanks,

-C
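The syslog excerpt above shows that the "denied request" line is written by scponly itself (process scponly[6492]), and that it records the requested command, the path it resolved to, and the user and peer address. An administrator chasing a question like "who is denying the request?" usually wants those fields pulled out of the log rather than read by eye. The following parser is an added example, not code from the scponly project or from the mailing-list author; it assumes the standard syslog line layout shown in the excerpt, re-joins records that a mail client wrapped mid-line (as happened to the "A / UTH" split above), and separates the resolved binary from the arguments that sshd's Subsystem line passed through to it.

```python
"""Parse scponly 'denied request' syslog records and summarise them.

Added example, independent of the scponly project.  Assumes the syslog
format seen in the mailing-list excerpt (BSD-style timestamp, host,
program[pid]: message).
"""
import re
import shlex
from collections import Counter

# Sample input taken from the log excerpt in the message above (host name
# already replaced with <removed> there).  The third record is deliberately
# left wrapped across two physical lines, as the mail client wrapped it.
SAMPLE_LOG = """\
Apr  1 17:58:27 <removed> sshd[6489]: Accepted publickey for se from 10.32.8.200 port 60160 ssh2
Apr  1 17:58:27 <removed> scponly[6492]: processing request: "/usr/lib/openssh/sftp-server -l INFO -f AUTH"
Apr  1 17:58:27 <removed> scponly[6492]: denied request: /usr/lib/openssh/sftp-server -l INFO -f AUTH (resolved to: /usr/lib/sftp-server -l INFO -f A
UTH) [username: se(10000), IP/port: 10.32.8.200 60160 22]
Apr  1 17:58:27 <removed> sshd[6491]: pam_unix(sshd:session): session closed for user se
"""

# A record starts with "Mon dd HH:MM:SS " (day may be space-padded).
SYSLOG_TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# Field layout of scponly's denial message, as it appears in the excerpt.
DENIED_RE = re.compile(
    r"scponly\[(?P<pid>\d+)\]: denied request: (?P<requested>.*?) "
    r"\(resolved to: (?P<resolved>.*?)\) "
    r"\[username: (?P<user>[^(]+)\((?P<uid>\d+)\), "
    r"IP/port: (?P<ip>\S+) (?P<sport>\d+) (?P<dport>\d+)\]"
)


def unwrap_syslog(text):
    """Return logical records, re-joining lines wrapped by a mail client.

    Any physical line that does not begin with a syslog timestamp is glued
    onto the previous record with no separator, because wrapping can split
    a token in the middle (e.g. 'A' + 'UTH' -> 'AUTH').
    """
    records = []
    for raw in text.splitlines():
        if SYSLOG_TS_RE.match(raw) or not records:
            records.append(raw)
        else:
            records[-1] += raw
    return records


def parse_denial(record):
    """Extract the fields of one scponly denial, or None if not a denial."""
    m = DENIED_RE.search(record)
    if not m:
        return None
    d = m.groupdict()
    # Split the resolved command so the binary and the arguments handed
    # over from sshd's Subsystem line can be inspected separately.
    argv = shlex.split(d["resolved"])
    d["binary"] = argv[0]
    d["args"] = argv[1:]
    for key in ("pid", "uid", "sport", "dport"):
        d[key] = int(d[key])
    return d


def summarize_denials(text):
    """All denials in a syslog excerpt, in order of appearance."""
    return [d for d in (parse_denial(r) for r in unwrap_syslog(text)) if d]


def denials_by_user(text):
    """Count denials per (username, peer IP) pair."""
    return Counter((d["user"], d["ip"]) for d in summarize_denials(text))


if __name__ == "__main__":
    for d in summarize_denials(SAMPLE_LOG):
        print(f"{d['user']}({d['uid']}) from {d['ip']}: "
              f"binary={d['binary']} args={d['args']}")
    print(denials_by_user(SAMPLE_LOG))
```

Running it on the excerpt reports a single denial for user se from 10.32.8.200, with the resolved binary /usr/lib/sftp-server and the arguments ['-l', 'INFO', '-f', 'AUTH'], which is the same information the original line carries, just in a form that can be counted or fed to an alerting rule.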
