[scponly] Troubles with scponly-4.8

Gary Autiello gautiello at dominiondiagnostics.com
Thu Oct 28 14:56:01 EDT 2010


Ok, the output of the ldd /usr/libexec/openssh/sftp-server was:

[root@garytest139 gautiello]# ldd /usr/libexec/openssh/sftp-server
        libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b6056c3f000)
        libutil.so.1 => /lib64/libutil.so.1 (0x00002b6056f90000)
        libz.so.1 => /usr/lib64/libz.so.1 (0x00002b6057193000)
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b60573a8000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b60575c0000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b60577f8000)
        libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b6057a0e000)
        libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b6057c3c000)
        libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b6057ed1000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b60580f7000)
        libnss3.so => /usr/lib64/libnss3.so (0x00002b60582f9000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b6058626000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002b605897e000)
        libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b6058b82000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b6058d8a000)
        libnssutil3.so => /usr/lib64/libnssutil3.so (0x00002b6058f8d000)
        libplc4.so => /usr/lib64/libplc4.so (0x00002b60591ab000)
        libplds4.so => /usr/lib64/libplds4.so (0x00002b60593af000)
        libnspr4.so => /usr/lib64/libnspr4.so (0x00002b60595b3000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00002b60597ee000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b6056a22000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b6059a09000)
        libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b6059c22000)

Your script did:

[root@garytest139 gautiello]# ./cplibdeps /apps/home/garytest /usr/libexec/openssh/sftp-server
Examining dependencies of /usr/libexec/openssh/sftp-server...
Copying /usr/libexec/openssh/sftp-server => /apps/home/garytest//usr/libexec/openssh/sftp-server
Copying /lib64/ld-2.5.so => /apps/home/garytest//lib64/ld-2.5.so
Copying /lib64/libc-2.5.so => /apps/home/garytest//lib64/libc-2.5.so
Copying /lib64/libcom_err.so.2.1 => /apps/home/garytest//lib64/libcom_err.so.2.1
Copying /lib64/libcrypt-2.5.so => /apps/home/garytest//lib64/libcrypt-2.5.so
Copying /lib64/libcrypto.so.0.9.8e => /apps/home/garytest//lib64/libcrypto.so.0.9.8e
Copying /lib64/libdl-2.5.so => /apps/home/garytest//lib64/libdl-2.5.so
Copying /lib64/libkeyutils-1.2.so => /apps/home/garytest//lib64/libkeyutils-1.2.so
Copying /lib64/libnsl-2.5.so => /apps/home/garytest//lib64/libnsl-2.5.so
Copying /lib64/libpthread-2.5.so => /apps/home/garytest//lib64/libpthread-2.5.so
Copying /lib64/libresolv-2.5.so => /apps/home/garytest//lib64/libresolv-2.5.so
Copying /lib64/libselinux.so.1 => /apps/home/garytest//lib64/libselinux.so.1
Copying /lib64/libsepol.so.1 => /apps/home/garytest//lib64/libsepol.so.1
Copying /lib64/libutil-2.5.so => /apps/home/garytest//lib64/libutil-2.5.so
Copying /usr/lib64/libgssapi_krb5.so.2.2 => /apps/home/garytest//usr/lib64/libgssapi_krb5.so.2.2
Copying /usr/lib64/libk5crypto.so.3.1 => /apps/home/garytest//usr/lib64/libk5crypto.so.3.1
Copying /usr/lib64/libkrb5.so.3.3 => /apps/home/garytest//usr/lib64/libkrb5.so.3.3
Copying /usr/lib64/libkrb5support.so.0.1 => /apps/home/garytest//usr/lib64/libkrb5support.so.0.1
Copying /usr/lib64/libnspr4.so => /apps/home/garytest//usr/lib64/libnspr4.so
Copying /usr/lib64/libnss3.so => /apps/home/garytest//usr/lib64/libnss3.so
Copying /usr/lib64/libnssutil3.so => /apps/home/garytest//usr/lib64/libnssutil3.so
Copying /usr/lib64/libplc4.so => /apps/home/garytest//usr/lib64/libplc4.so
Copying /usr/lib64/libplds4.so => /apps/home/garytest//usr/lib64/libplds4.so
Copying /usr/lib64/libz.so.1.2.3 => /apps/home/garytest//usr/lib64/libz.so.1.2.3

Still not working... :-(
______________________________________
Gary Autiello, Network +, MCITP
Network Administrator
Dominion Diagnostics, LLC
x886, 401-667-0886





From:	Kaleb Pederson <kaleb.pederson at gmail.com>
To:	Gary Autiello <gautiello at dominiondiagnostics.com>
Cc:	scponly at lists.ccs.neu.edu
Date:	10/28/2010 02:37 PM
Subject:	Re: Troubles with scponly-4.8



From the strace log:

execve("/usr/libexec/openssh/sftp-server", ["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)

As the executable exists this implies that it's missing a dependent
library.

What does the following report: `ldd /usr/libexec/openssh/sftp-server`? All
the libraries that it depends on should be present in your ldconfig output
below.

My python script (attached) should detect all required libraries and add
them to the chroot.  Here's the usage:

cplibdeps /path/to/chroot /path/to/exe1 [/path/to/exe2 ...]

In your case:

cplibdeps /apps/home/garytest /usr/libexec/openssh/sftp-server

--
Kaleb Pederson

Blog - http://kalebpederson.com
Twitter - http://twitter.com/kalebpederson

On Thursday, October 28, 2010 11:17:11 am Gary Autiello wrote:
>
> Hi Kaleb,
>
> Ok I was able to do items 1, 2, and 3 except for the temp shell as I'm not
> sure how to get /bin/sash or /bin/dash setup.
>
> When I ran the ldconfig command I got the following:
>
> [root@garytest139 usr]# ldconfig -r /apps/home/garytest -v
> ldconfig: Can't stat /usr/lib: No such file or directory
> /lib:
>         ld-linux.so.2 -> ld-linux.so.2
>         libnss_compat.so.2 -> libnss_compat.so.2
> /lib64:
>         libresolv.so.2 -> libresolv.so.2
>         libdl.so.2 -> libdl.so.2
>         libsepol.so.1 -> libsepol.so.1
>         libselinux.so.1 -> libselinux.so.1
>         libcrypt.so.1 -> libcrypt.so.1
>         libcom_err.so.2 -> libcom_err.so.2
>         libpthread.so.0 -> libpthread.so.0
>         libcrypto.so.6 -> libcrypto.so.6
>         libc.so.6 -> libc.so.6
>         libutil.so.1 -> libutil.so.1
>         libnsl.so.1 -> libnsl.so.1
>         libkeyutils.so.1 -> libkeyutils.so.1
> /usr/lib64:
>         libgssapi_krb5.so.2 -> libgssapi_krb5.so.2
>         libz.so.1 -> libz.so.1
>         libplds4.so -> libplds4.so
>         libnspr4.so -> libnspr4.so
>         libkrb5.so.3 -> libkrb5.so.3
>         libplc4.so -> libplc4.so
>         libnssutil3.so -> libnssutil3.so
>         libk5crypto.so.3 -> libk5crypto.so.3
>         libkrb5support.so.0 -> libkrb5support.so.0
>         libnss3.so -> libnss3.so
>
> I'm assuming the fact that /usr/lib was not found, is a problem.  So, I
> logged onto our old server and ran the same command for a comparison:
>
> [root@taurus home]# ldconfig -r /apps/home/13079/ -v
> /lib:
>         libcrypt.so.1 -> libcrypt.so.1
>         libnss_compat.so.1 -> libnss_compat.so.1
>         libutil.so.1 -> libutil.so.1
>         libresolv.so.2 -> libresolv.so.2
>         libattr.so.1 -> libattr.so.1
>         ld-linux.so.2 -> ld-linux.so.2
>         libcrypto.so.4 -> libcrypto.so.4
>         libnss_compat.so.2 -> libnss_compat.so.2
>         libselinux.so.1 -> libselinux.so.1
>         libcom_err.so.2 -> libcom_err.so.2
>         libnsl.so.1 -> libnsl.so.1
>         libacl.so.1 -> libacl.so.1
>         libdl.so.2 -> libdl.so.2
> /usr/lib:
>         libgssapi_krb5.so.2 -> libgssapi_krb5.so.2
>         libz.so.1 -> libz.so.1
>         libkrb5.so.3 -> libkrb5.so.3
>         libk5crypto.so.3 -> libk5crypto.so.3
> /lib/tls: (hwcap: 0x8000000000000000)
>         libc.so.6 -> libc.so.6
>         libpthread.so.0 -> libpthread.so.0
>         librt.so.1 -> librt.so.1
>
> They are definitely WAY different as you can see.
>
> For the strace, I have attached the output of what I received.  There are
> three files that it produced:  sftp.log.1777 should contain the PID for the
> [priv] connection from the client side.
>
> (See attached file: sftp.log.1816)(See attached file: sftp.log.1777)(See
> attached file: sftp.log.1815)
> ______________________________________
> Gary Autiello, Network +, MCITP
> Network Administrator
> Dominion Diagnostics, LLC
> x886, 401-667-0886
>
>
>
>
>
> From:		 Kaleb Pederson <kaleb.pederson at gmail.com>
> To:		 Gary Autiello <gautiello at dominiondiagnostics.com>
> Cc:		 scponly at lists.ccs.neu.edu
> Date:		 10/28/2010 01:58 PM
> Subject:		 Re: Troubles with scponly-4.8
>
>
>
> Here's a few things to try in order of increasing complexity:
>
> 1) Set the debuglevel to 1
> 2) run ldconfig -r /path/to/chroot -v and verify that no missing libraries
> are found
>
> [Optionally -- if you have a shell with no dependencies you can install
> temporarily]:
> 2.a) copy /bin/sash or /bin/dash (a shell with no dependencies) into the
> chroot, then chroot using 'chroot /path/to/chroot /bin/sash' and then
> run /usr/libexec/openssh/sftp-server manually and see if it runs. Don't
> forget to remove the shell when you're done.
>
> 3) Strace the program as illustrated here:
>
> http://sublimation.org/scponly/wiki/index.php/FAQ#I_still_can.27t_find_my_problem.2C_what_else_can_I_try.3F
>
>
> #3 should provide plenty of information that will allow us to figure out
> what's going on, but it's a slightly cumbersome process.
>
> --
> Kaleb Pederson
>
> Blog - http://kalebpederson.com
> Twitter - http://twitter.com/kalebpederson
>
> On Thursday, October 28, 2010 10:44:16 am Gary Autiello wrote:
> >
> > Hey Kaleb,
> >
> > Thanks for your reply.
> >
> > The chroot-building script did copy over the sftp-server as you can see in
> > the screen shot below.  The chrooted environment for the user
> > is /apps/home/garytest/:
> >
> >
> > I will look for that python script, but if you have any more ideas, please
> > let me know.
> >
> > Thanks,
> > ______________________________________
> > Gary Autiello, Network +, MCITP
> > Network Administrator
> > Dominion Diagnostics, LLC
> > x886, 401-667-0886
> >
> >
> >
> >
> >
> > From:		 		  Kaleb Pederson <kaleb.pederson at gmail.com>
> > To:		 		  Gary Autiello <gautiello at dominiondiagnostics.com>
> > Cc:		 		  scponly at lists.ccs.neu.edu
> > Date:		 		  10/28/2010 01:39 PM
> > Subject:		 		  Re: Troubles with scponly-4.8
> >
> >
> >
> > Gary,
> >
> > I'm CCing the list now that you're subscribed.
> >
> > The following is the culprit (or at least part of the problem):
> >
> > > Oct 28 17:15:09 garytest139 scponly[32425]:
> > > failed: /usr/libexec/openssh/sftp-server -l INFO -f LOCAL6 with error No
> > > such file or directory(2) (username: garytest(813), IP/port: 192.168.1.43
> > > 49384 22)
> >
> > It looks as if the sftp-server wasn't copied into the chroot.  The
> > chroot-building script isn't very powerful and has some problems. I'd
> > actually recommend Jailkit (http://olivier.sessink.nl/jailkit/) for
> > building the chroot.
> >
> > If not using Jailkit, once the basic chroot is setup and functional,
> > there's a python script that I wrote that should be in the archives
> > somewhere that you can use to add or update supporting libraries for
> > whatever programs you want to copy into the chroot.
> >
> > Once you've copied over the sftp-server, please let me know if you run into
> > any problems.
> >
> > --Kaleb
> >
> > CONFIDENTIALITY NOTICE: This e-mail, including attachments,
> > is for the sole use of the individual to whom it is addressed
> > This message is confidential and may contain information that
> > is privileged, confidential and is exempt from disclosure under
> > applicable law. Any unauthorized review, use, disclosure or
> > distribution is prohibited. If you have received this e-mail
> > in error, please notify the sender by reply e-mail and destroy
> > this message and its attachments
> >
> >
>
[attachment "cplibdeps" deleted by Gary Autiello/domdiag]
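
An added example (not the cplibdeps script from this thread, which is not reproduced on this page): a check that looks up every name in the ldd output, including the ELF interpreter line, as it would resolve from inside the chroot. execve(2) documents ENOENT for a missing ELF interpreter as well as for a missing file. The sample ldd text, the temporary directory layout and all function names are constructed for illustration.

```python
import os
import re
import tempfile

# Constructed sample in the ldd format shown in the thread (not the poster's full output).
SAMPLE_LDD = """\
        libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b6056c3f000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b6058626000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b6056a22000)
"""
LDD_LINE = re.compile(r"^\s*(?:(\S+)\s+=>\s+)?(/\S+|not found)(?:\s+\(0x[0-9a-f]+\))?\s*$")

def parse_ldd(text):
    """Yield (soname, path); soname is None for the ELF interpreter line."""
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:  # lines without a path (e.g. the vdso) are skipped
            yield m.group(1), None if m.group(2) == "not found" else m.group(2)

def exists_in_chroot(chroot, path, max_hops=8):
    """True if `path` names a regular file as seen from inside `chroot`.
    Only a symlink in the final component is followed (assumption: the
    directories themselves are real directories)."""
    for _ in range(max_hops):
        host = os.path.join(chroot, path.lstrip("/"))
        if not os.path.islink(host):
            return os.path.isfile(host)
        # An absolute link target is resolved from the chroot root after chroot(2).
        path = os.path.normpath(os.path.join(os.path.dirname(path), os.readlink(host)))
    return False

def missing_in_chroot(chroot, exe, ldd_text):
    """List (kind, name) for every name the kernel or loader opens that is absent."""
    report = [] if exists_in_chroot(chroot, exe) else [("executable", exe)]
    for soname, path in parse_ldd(ldd_text):
        if path is None:
            report.append(("unresolved on host", soname))
        elif not exists_in_chroot(chroot, path):
            report.append(("library" if soname else "ELF interpreter", path))
    return report

def demo():
    """Constructed chroot: versioned files copied, only some soname links present."""
    root = tempfile.mkdtemp()
    for f in ("usr/libexec/openssh/sftp-server", "lib64/ld-2.5.so",
              "lib64/libc-2.5.so", "lib64/libcrypto.so.0.9.8e"):
        os.makedirs(os.path.dirname(os.path.join(root, f)), exist_ok=True)
        open(os.path.join(root, f), "w").close()
    os.symlink("/lib64/libc-2.5.so", os.path.join(root, "lib64/libc.so.6"))
    os.symlink("libcrypto.so.0.9.8e", os.path.join(root, "lib64/libcrypto.so.6"))
    return missing_in_chroot(root, "/usr/libexec/openssh/sftp-server", SAMPLE_LDD)

if __name__ == "__main__":
    print(demo())
```

The check is made by the name ldd reports, not by the versioned file name, because that is the name the kernel and the dynamic loader open.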
