[scponly] scponly doesn't work after upgrade to lenny : SOLVED

Kaleb Pederson kaleb.pederson at gmail.com
Mon Oct 12 12:17:50 EDT 2009


On Sun, Oct 11, 2009 at 2:05 PM, Flo <debianflo at gmx.at> wrote:
> I have built this scponlyc account 4 years ago using the deb package
> scponly.
> And it worked immediately. The problem was that the programs in this
> chroot environment hadn't been updated. So, at some point, the software
> was too old to interact with current versions of scp etc. And a major
> upgrade is a logical point in time for that.

Yes, the binaries copied to the chroot need to be updated whenever
either they or their dependent libraries are changed.

> So, copying the current versions of the programs into the chroot
> environment made scp work.
>
> But I still had problems with the sftp subsystem. Again I spent hours on
> that and I still haven't found the error but research on the web gave me
> a hint how to avoid this:
>
> I replaced in /etc/ssh/sshd_config
>
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> with
>
> Subsystem sftp internal-sftp
>
> and now it's working.

"internal-sftp" makes sshd use a sftp server that requires no
additional libraries when working with a chroot.  I've never seen it
used independently of ChrootDirectory.  If all you need is sftp support,
then I'd recommend using ChrootDirectory and internal-sftp in
combination with ForceCommand.  If you need anything beyond that,
scponly is there to help.

> I understand that this feature of ssh was introduced to avoid the sftp
> chroot problems.

Yeah, something like that.

>>
>>> I will file a bug report.
>>>
>
> I haven't done this and I don't think there is enough reason to do so.
>
> I see a structural problem that the programs at the chroot environment
> aren't updated automatically. But I don't think this can be solved
> within the package manager.

That will be completely dependent on the package manager, but yes,
it's likely not going to rebuild or change the chroot.

> My solution to this problem is that I wrote a tiny script and put it
> into /etc/cron.weekly:
>
> vvvvvvvvvvvvvvvvvvvvvvvv
>
> #!/bin/sh
>
> # Refresh every scponlyc chroot: for each account whose login shell is
> # scponlyc, overwrite the copies under bin/, usr/ and lib/ of its home
> # (the chroot) with the current host files, preserving mode and mtime.
> for a in `awk -F: '$7 ~ /scponlyc$/ { print $6 }' /etc/passwd`
> do
>        cd "$a" || continue   # skip an account whose home directory is missing
>        find bin -type f -exec cp -p /'{}' '{}' ';'
>        find usr -type f -exec cp -p /'{}' '{}' ';'
>        find lib -type f -exec cp -p /'{}' '{}' ';'
> done
>
> ^^^^^^^^^^^^^^^^^^^^^^^^

If possible, use a program that is intelligent enough to take a look
at the shared libraries in use by the commands and update them as
well.  If the shared libraries aren't being updated, you're still
likely to see something broken.  I have a simple script that works on
Linux (or any system that has an identical ldd output format) that
I've been using for this purpose, but there are other programs that will
do the same thing, such as Jailkit.

> It basically finds out what users are working with scponlyc and for
> each of these users all programs at the chroot environment are
> overwritten with the current version.
>
> Maybe something like this could find a way into the scponly package!?!

I don't think it fits directly, but I do believe this should be
referenced in the documentation so that other people don't need to
have the same problems and experiences you have had.

>>>>
>>>> I'm not sure what the problem is, but we recommend that you
>>>> rebuild the latest CVS or stable release of scponly from the
>>>> source.  Chris provided a configure line that can be used to
>>>> match the configuration of the .deb installed scponly.
>>>>
>>> I built it from source as well, but it didn't work at the first
>>> try.
>>
>> Unfortunately, the setup_chroot script isn't perfect, so you'll often
>> need to add a /dev/null to the chroot manually.  I'd recommend
>> Jailkit if you need something more robust.
>>
>
> This time I only used the Debian packages; I haven't compiled anything.
>
> And I found out that the squeeze version of the package already creates the
> /dev/null. But not on lenny yet.

I don't usually follow what's happening in the various distributions,
so I'm not sure.  I try to address issues that they bring to light,
but I haven't heard of any.

Thanks.

--Kaleb

http://twitter.com/kalebpederson
http://kalebpederson.com
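
Kaleb's ldd-based script is not in the thread; as an added example (not his script and not scponly's own setup_chroot), here is a POSIX sh cron job that refreshes each scponlyc chroot and also copies in every shared library ldd reports for the host binary, which is the gap in the quoted weekly script. It assumes Linux ldd output, a cp that supports -p, and a chroot laid out as bin/, usr/, lib/ under the account's home; all function names are made up.

```shell
#!/bin/sh
# Added example, not the scponly project's setup_chroot or Kaleb's script:
# refresh each scponlyc chroot from the host and pull in the shared libraries
# the host binaries link against (assumes Linux ldd output, chroot mirrors host paths).

# Print absolute library paths from ldd output read on stdin. ldd lines are
# "name => /path (addr)", "/path (addr)" for the dynamic loader, and
# "name (addr)" (vDSO) or "name => not found", which contribute nothing.
ldd_paths() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }' | LC_ALL=C sort -u
}

# Copy host file $2 (absolute path) into chroot $1 at the same relative path,
# creating the directory and preserving mode and mtime (cp -p, as in Flo's script).
copy_into() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# Refresh every regular file under bin/ usr/ lib/ of chroot $1 from the host
# copy, then copy in each library ldd reports for that host binary.
refresh_chroot() {
    jail=$1
    [ -d "$jail" ] || return 1
    ( cd "$jail" && find bin usr lib -type f 2>/dev/null ) |
    while IFS= read -r rel; do
        host=/$rel
        [ -f "$host" ] || continue      # gone from the host: leave the chroot copy
        copy_into "$jail" "$host"
        ldd "$host" 2>/dev/null | ldd_paths |
        while IFS= read -r lib; do copy_into "$jail" "$lib"; done
    done
}

# Home directories of accounts whose login shell (field 7) is scponlyc.
scponlyc_homes() {
    awk -F: '$7 ~ /scponlyc$/ { print $6 }' /etc/passwd
}

# Usage: refresh_chroot.sh [chroot-dir ...]; with no arguments (the
# /etc/cron.weekly case) every scponlyc home from /etc/passwd is refreshed.
main() {
    [ "$#" -gt 0 ] || set -- $(scponlyc_homes)
    for dir in "$@"; do
        refresh_chroot "$dir" || echo "refresh_chroot: skipping $dir" >&2
    done
}
main "$@"
```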
