[scponly] scponly doesn't work after upgrade to lenny : SOLVED

Flo debianflo at gmx.at
Sun Oct 11 17:05:41 EDT 2009


Hi,

Kaleb Pederson wrote:
> On Thursday 19 March 2009 03:43:46 pm Flo wrote:

More than half a year later I had to come back to this problem,
since it had to be solved.

You don't have to recall the error message which I posted on this list
to understand this fairly simple problem:

I built this scponlyc account 4 years ago using the deb package
scponly.
And it worked immediately. The problem was that the programs in this
chroot environment hadn't been updated. So, at some point, the software
was too old to interact with current versions of scp etc. And a major
upgrade is a logical point in time for that.

So, copying the current versions of the programs into the chroot
environment made scp work.

But I still had problems with the sftp subsystem. Again I spent hours on
that and I still haven't found the error, but research on the web gave me
a hint on how to avoid this:

I replaced in /etc/ssh/sshd_config

Subsystem sftp /usr/lib/openssh/sftp-server

with

Subsystem sftp internal-sftp

and now it's working.

I understand that this feature of ssh was introduced to avoid the sftp
chroot problems.

> 
>> I will file a bug report.
>> 

I haven't done this and I don't think there is enough reason to do so.

I see a structural problem in that the programs in the chroot environment
aren't updated automatically. But I don't think this can be solved
within the package manager.

My solution to this problem is that I wrote a tiny script and put it
into /etc/cron.weekly:

vvvvvvvvvvvvvvvvvvvvvvvv

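#!/bin/sh
# Refresh the binaries and libraries in every scponlyc chroot from the host.

# Home directory (field 6) of each account whose login shell (field 7) is scponlyc
for a in $(awk -F: '$7 ~ /scponlyc$/ { print $6 }' /etc/passwd)
do
         # Skip the account if its home is missing, so find never runs elsewhere
         cd "$a" || continue
         # Overwrite each file already in the chroot with the host's current copy
         find bin -type f -exec cp -p /'{}' '{}' ';'
         find usr -type f -exec cp -p /'{}' '{}' ';'
         find lib -type f -exec cp -p /'{}' '{}' ';'
done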

^^^^^^^^^^^^^^^^^^^^^^^^

It basically finds out which users are working with scponlyc, and for
each of these users all programs in the chroot environment are
overwritten with the current version.

Maybe something like this could find a way into the scponly package!?!

>>> 
>>> I'm not sure what the problem is, but we recommend that you
>>> rebuild the latest CVS or stable release of scponly from the
>>> source.  Chris provided a configure line that can be used to
>>> match the configuration of the .deb installed scponly.
>>> 
>> I built it from source as well, but it didn't work at the first
>> try.
> 
> Unfortunately, the setup_chroot script isn't perfect, so you'll often
> need to add a /dev/null to the chroot manually.  I'd recommend
> Jailkit if you need something more robust.
> 

This time I only used the Debian packages; I haven't compiled anything.

And I found out that the squeeze version of the package already creates
the /dev/null. But not in lenny yet.

Any comments?

Florian.
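
The following is an added example, not part of the message above or of the scponly package: a read-only audit that reports, for each scponlyc chroot, which files under bin, usr and lib differ from the host's copy (STALE) or have no host counterpart (ORPHAN), so drift can be reviewed before a blind overwrite like the cron job above. The function names and the HOST_ROOT and PASSWD_FILE overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit scponlyc chroots for drift against the host system.
# HOST_ROOT and PASSWD_FILE are hypothetical overrides (useful for testing).
HOST_ROOT=${HOST_ROOT:-/}
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# Print the home directory of every account whose login shell is scponlyc.
scponlyc_homes() {
    awk -F: '$7 ~ /scponlyc$/ { print $6 }' "$PASSWD_FILE"
}

# Compare each regular file under bin, usr and lib of chroot $1 with the
# file at the same path on the host. Nothing is modified.
stale_files() {
    chroot_dir=$1
    ( cd "$chroot_dir" || exit 1
      for top in bin usr lib; do
          [ -d "$top" ] || continue
          find "$top" -type f | while IFS= read -r f; do
              host="${HOST_ROOT%/}/$f"
              if [ ! -e "$host" ]; then
                  # The cron job's cp would fail here: no host copy exists.
                  echo "ORPHAN $chroot_dir/$f"
              elif ! cmp -s "$host" "$f"; then
                  # Content differs: the chroot copy is out of date.
                  echo "STALE $chroot_dir/$f"
              fi
          done
      done )
}

# Audit every scponlyc chroot listed in the passwd file.
audit_all() {
    scponlyc_homes | while IFS= read -r home; do
        stale_files "$home"
    done
}

# Run the audit only when asked to, e.g. "sh audit.sh --audit" from cron.
case "${1:-}" in
    --audit) audit_all ;;
esac
```

ORPHAN lines deserve a look of their own: they are files the weekly copy can never refresh, typically libraries whose path or version changed on the host after an upgrade.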


