[scponly] scponly stopped working after last Red Hat erratum

Voetelink D. voetelink at ecn.nl
Tue Dec 29 08:19:01 EST 2009


Hi,

>> Since the last Red Hat erratum for openssh was released
>> (http://rhn.redhat.com/errata/RHBA-2009-1668.html) scponly stopped
>> working with sftp connections on RHEL5.
>> I get no messages, the connection just gets closed after successfully
>> logging on.
> 
> I'm not sure of any reasons that an upgrade of that nature would cause it to fail.
> 
> I'd probably try to reinstall all the libraries in the chroot after the upgrade, this should ensure that if any of the supporting libraries have changed, the new dependencies will be present.  The setup_chroot script that comes with scponly might be sufficient, but if not you could use something like JailKit or the cplibdeps script (which I'll attach).  I recommend re-running it any time binaries within your chroot change.
> 
> If you're only running the sftp-server, it should be really easy to do using cplibdeps:
> 
> cplibdeps /path/to/chroot /path/to/sftp-server
> 
> If you have a lot of binaries, then you need to append the paths to the other binaries to the command above (or re-run it for each command).

I've also tried using the non-chroot shell (for testing purposes), but 
the same thing happened.

> Also, have you tried the debugging information available on the FAQ?
> 
> http://sublimation.org/scponly/wiki/index.php/FAQ

Yes I have, and now it seems like the debugging itself is part of the 
problem. It seems I still had debuglevel set to 2 from a previous test.

If I set debuglevel to 0 or 1 everything seems to work okay. If I set it 
to a higher value it stops working.

I did strace and found that it seems to fail while writing a line to the 
(sys)log. (see attached strace dumpfiles, the debug# in the filename is 
the debuglevel configured in the /etc/scp/debuglevel file...).

Syslog seems to work fine.
Also, I'm at a loss why it started getting problems after the upgrade of 
the openssh package (which I can still reproduce by downgrading and 
upgrading the openssh packages).

I hope someone can help me fix this, although setting the debuglevel to 
0 or 1 seems to solve it for now.


Dennis

-- 
************************************************************************

   D. Voetelink
   UNIX Systems Administrator

   Energy research Centre of the Netherlands (ECN)
   Facilities Department - Automation Services

   Petten, Netherlands

   e-mail : voetelink at ecn.nl
   phone  : (+31) 224 564738

************************************************************************


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sftp.debug1.txt
Url: http://lists.ccs.neu.edu/pipermail/scponly/attachments/20091229/5b918a9d/attachment-0002.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sftp.debug4.txt
Url: http://lists.ccs.neu.edu/pipermail/scponly/attachments/20091229/5b918a9d/attachment-0003.txt 
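
The quoted advice above, to re-copy library dependencies whenever binaries in the chroot change, can be checked before copying anything. The following is an added example, not the cplibdeps script mentioned in the thread and not part of the original message: it reports which libraries a binary needs that are missing from the chroot or differ from the host copy. The function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ldd` output (not taken from the thread).
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5a9fd000)
    libcrypto.so.6 => /lib64/libcrypto.so.6 (0x0000003d5a400000)
    libc.so.6 => /lib64/libc.so.6 (0x0000003d57000000)
    /lib64/ld-linux-x86-64.so.2 (0x0000003d56c00000)'

# ldd_paths: read ldd output on stdin, print one absolute library path per line.
# Entries without a resolved path (vdso, "not found") are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }          # name => /path (addr)
        $2 != "=>" && $1 ~ /^\// && $1 !~ /:$/ { print $1 }  # /path/ld-linux (addr)
    '
}

# check_libs CHROOT: read library paths on stdin and compare each host file
# with the copy expected at the same path under CHROOT.
check_libs() {
    jail=$1
    while IFS= read -r lib; do
        if [ ! -e "$jail$lib" ]; then
            echo "MISSING $lib"
        elif ! cmp -s "$lib" "$jail$lib"; then
            echo "STALE $lib"      # host library changed since it was copied
        fi
    done
}

# audit_chroot CHROOT BINARY...: check the dependencies of every listed binary.
# Example: audit_chroot /path/to/chroot /path/to/sftp-server
audit_chroot() {
    jail=$1; shift
    for bin in "$@"; do
        ldd "$bin" 2>/dev/null | ldd_paths
    done | sort -u | check_libs "$jail"
}
```

No output from audit_chroot means every resolved dependency is present in the chroot and identical to the host copy.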