[scponly] Troubles with scponly-4.8

Gary Autiello gautiello at dominiondiagnostics.com
Thu Oct 28 14:17:11 EDT 2010


Hi Kaleb,

OK, I was able to do items 1, 2, and 3, except for the temp shell, as I'm not
sure how to get /bin/sash or /bin/dash set up.

When I ran the ldconfig command I got the following:

[root at garytest139 usr]# ldconfig -r /apps/home/garytest -v
ldconfig: Can't stat /usr/lib: No such file or directory
/lib:
        ld-linux.so.2 -> ld-linux.so.2
        libnss_compat.so.2 -> libnss_compat.so.2
/lib64:
        libresolv.so.2 -> libresolv.so.2
        libdl.so.2 -> libdl.so.2
        libsepol.so.1 -> libsepol.so.1
        libselinux.so.1 -> libselinux.so.1
        libcrypt.so.1 -> libcrypt.so.1
        libcom_err.so.2 -> libcom_err.so.2
        libpthread.so.0 -> libpthread.so.0
        libcrypto.so.6 -> libcrypto.so.6
        libc.so.6 -> libc.so.6
        libutil.so.1 -> libutil.so.1
        libnsl.so.1 -> libnsl.so.1
        libkeyutils.so.1 -> libkeyutils.so.1
/usr/lib64:
        libgssapi_krb5.so.2 -> libgssapi_krb5.so.2
        libz.so.1 -> libz.so.1
        libplds4.so -> libplds4.so
        libnspr4.so -> libnspr4.so
        libkrb5.so.3 -> libkrb5.so.3
        libplc4.so -> libplc4.so
        libnssutil3.so -> libnssutil3.so
        libk5crypto.so.3 -> libk5crypto.so.3
        libkrb5support.so.0 -> libkrb5support.so.0
        libnss3.so -> libnss3.so

I'm assuming the fact that /usr/lib was not found is a problem.  So, I
logged onto our old server and ran the same command for a comparison:

[root at taurus home]# ldconfig -r /apps/home/13079/ -v
/lib:
        libcrypt.so.1 -> libcrypt.so.1
        libnss_compat.so.1 -> libnss_compat.so.1
        libutil.so.1 -> libutil.so.1
        libresolv.so.2 -> libresolv.so.2
        libattr.so.1 -> libattr.so.1
        ld-linux.so.2 -> ld-linux.so.2
        libcrypto.so.4 -> libcrypto.so.4
        libnss_compat.so.2 -> libnss_compat.so.2
        libselinux.so.1 -> libselinux.so.1
        libcom_err.so.2 -> libcom_err.so.2
        libnsl.so.1 -> libnsl.so.1
        libacl.so.1 -> libacl.so.1
        libdl.so.2 -> libdl.so.2
/usr/lib:
        libgssapi_krb5.so.2 -> libgssapi_krb5.so.2
        libz.so.1 -> libz.so.1
        libkrb5.so.3 -> libkrb5.so.3
        libk5crypto.so.3 -> libk5crypto.so.3
/lib/tls: (hwcap: 0x8000000000000000)
        libc.so.6 -> libc.so.6
        libpthread.so.0 -> libpthread.so.0
        librt.so.1 -> librt.so.1

They are definitely WAY different as you can see.

For the strace, I have attached the output of what I received.  There are
three files that it produced:  sftp.log.1777 should contain the PID for the
[priv] connection from the client side.

(See attached file: sftp.log.1816)(See attached file: sftp.log.1777)(See
attached file: sftp.log.1815)
______________________________________
Gary Autiello, Network +, MCITP
Network Administrator
Dominion Diagnostics, LLC
x886, 401-667-0886





From:	Kaleb Pederson <kaleb.pederson at gmail.com>
To:	Gary Autiello <gautiello at dominiondiagnostics.com>
Cc:	scponly at lists.ccs.neu.edu
Date:	10/28/2010 01:58 PM
Subject:	Re: Troubles with scponly-4.8



Here are a few things to try, in order of increasing complexity:

1) Set the debuglevel to 1
2) run ldconfig -r /path/to/chroot -v and verify that no missing libraries
are found

[Optionally -- if you have a shell with no dependencies you can install
temporarily]:
2.a) copy /bin/sash or /bin/dash (a shell with no dependencies) into the
chroot, then chroot using 'chroot /path/to/chroot /bin/sash' and then
run /usr/libexec/openssh/sftp-server manually and see if it runs. Don't
forget to remove the shell when you're done.

3) Strace the program as illustrated here:
http://sublimation.org/scponly/wiki/index.php/FAQ#I_still_can.27t_find_my_problem.2C_what_else_can_I_try.3F


#3 should provide plenty of information that will allow us to figure out
what's going on, but it's a slightly cumbersome process.

--
Kaleb Pederson

Blog - http://kalebpederson.com
Twitter - http://twitter.com/kalebpederson

On Thursday, October 28, 2010 10:44:16 am Gary Autiello wrote:
>
> Hey Kaleb,
>
> Thanks for your reply.
>
> The chroot-building script did copy over the sftp-server as you can see in
> the screen shot below.  The chrooted environment for the user
> is /apps/home/garytest/:
>
>
> I will look for that python script, but if you have any more ideas, please
> let me know.
>
> Thanks,
> ______________________________________
> Gary Autiello, Network +, MCITP
> Network Administrator
> Dominion Diagnostics, LLC
> x886, 401-667-0886
>
>
>
>
>
> From:		 Kaleb Pederson <kaleb.pederson at gmail.com>
> To:		 Gary Autiello <gautiello at dominiondiagnostics.com>
> Cc:		 scponly at lists.ccs.neu.edu
> Date:		 10/28/2010 01:39 PM
> Subject:		 Re: Troubles with scponly-4.8
>
>
>
> Gary,
>
> I'm CCing the list now that you're subscribed.
>
> The following is the culprit (or at least part of the problem):
>
> > Oct 28 17:15:09 garytest139 scponly[32425]:
> > failed: /usr/libexec/openssh/sftp-server -l INFO -f LOCAL6 with error No
> > such file or directory(2) (username: garytest(813), IP/port: 192.168.1.43
> > 49384 22)
>
> It looks as if the sftp-server wasn't copied into the chroot.  The
> chroot-building script isn't very powerful and has some problems. I'd
> actually recommend Jailkit (http://olivier.sessink.nl/jailkit/) for
> building the chroot.
>
> If not using Jailkit, once the basic chroot is setup and functional,
> there's a python script that I wrote that should be in the archives
> somewhere that you can use to add or update supporting libraries for
> whatever programs you want to copy into the chroot.
>
> Once you've copied over the sftp-server, please let me know if you run into
> any problems.
>
> --Kaleb
>
> CONFIDENTIALITY NOTICE: This e-mail, including attachments,
> is for the sole use of the individual to whom it is addressed
> This message is confidential and may contain information that
> is privileged, confidential and is exempt from disclosure under
> applicable law. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you have received this e-mail
> in error, please notify the sender by reply e-mail and destroy
> this message and its attachments
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sftp.log.1816
Type: application/octet-stream
Size: 16355 bytes
Desc: not available
Url : http://lists.ccs.neu.edu/pipermail/scponly/attachments/20101028/a4741414/attachment-0003.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sftp.log.1777
Type: application/octet-stream
Size: 69139 bytes
Desc: not available
Url : http://lists.ccs.neu.edu/pipermail/scponly/attachments/20101028/a4741414/attachment-0004.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sftp.log.1815
Type: application/octet-stream
Size: 9731 bytes
Desc: not available
Url : http://lists.ccs.neu.edu/pipermail/scponly/attachments/20101028/a4741414/attachment-0005.obj 
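
Added example, not part of the original messages: one way to automate the library check from step 2 for a single binary. It compares the paths ldd reports on the host with what exists under the chroot, since exec also fails with "No such file or directory" when the binary is present but its ELF interpreter is missing. The function names and the sample ldd listing are constructed for illustration; the paths in the usage line are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). The sample ldd output is constructed.

# Constructed ldd-style listing for a 64-bit binary.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007fff5a1ff000)
	libcrypto.so.6 => /lib64/libcrypto.so.6 (0x0000003a1c600000)
	libc.so.6 => /lib64/libc.so.6 (0x0000003a1a200000)
	/lib64/ld-linux-x86-64.so.2 (0x0000003a19e00000)'

# Read ldd-style output on stdin; print every absolute path that does not
# exist under the chroot directory given as $1.
missing_in_chroot() {
    chroot_dir=${1%/}
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }  # name => /path (addr)
         $1 ~ /^\//               { print $1 }        # ELF interpreter line
        ' | while read -r lib; do
        # -e resolves symlinks against the host root; an absolute symlink
        # inside the chroot points somewhere else once chroot(2) is in effect.
        [ -e "$chroot_dir$lib" ] || printf '%s\n' "$lib"
    done
}

# Check that the binary exists in the chroot, then check the libraries the
# host copy of the binary resolves to. Returns 0 only if nothing is missing.
check_chroot_binary() {
    root=${1%/}
    bin=$2
    if [ ! -x "$root$bin" ]; then
        echo "missing binary: $root$bin"
        return 1
    fi
    missing=$(ldd "$bin" 2>/dev/null | missing_in_chroot "$root")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing library: /'
        return 1
    fi
    return 0
}

# Usage: sh check.sh /apps/home/garytest /usr/libexec/openssh/sftp-server
if [ "$#" -eq 2 ]; then
    check_chroot_binary "$1" "$2"
fi
```

Unlike ldconfig -v, which lists whatever libraries are present in the chroot, this reports only the ones the given binary needs and cannot find there.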