[scponly] Troubles with scponly-4.8

Gary Autiello gautiello at dominiondiagnostics.com
Thu Oct 28 15:12:56 EDT 2010


Hey Kaleb,

Ok so I ran the ldconfig command and the output was:

[root at garytest139 home]# ldconfig -r /apps/home/garytest/ -v
ldconfig: Can't stat /usr/lib: No such file or directory
/lib:
        ld-linux.so.2 -> ld-linux.so.2
        libnss_compat.so.2 -> libnss_compat.so.2
/lib64:
        ld-linux-x86-64.so.2 -> ld-2.5.so (changed)
        libsepol.so.1 -> libsepol.so.1
        libselinux.so.1 -> libselinux.so.1
        libcrypt.so.1 -> libcrypt.so.1
        libpthread.so.0 -> libpthread.so.0
        libcrypto.so.6 -> libcrypto.so.6
        libc.so.6 -> libc.so.6
        libutil.so.1 -> libutil.so.1
ldconfig: /lib64/libcom_err.so.2 is not a symbolic link

        libcom_err.so.2 -> libcom_err.so.2.1
        libresolv.so.2 -> libresolv.so.2
        libnsl.so.1 -> libnsl.so.1
        libkeyutils.so.1 -> libkeyutils.so.1
        libdl.so.2 -> libdl.so.2
/usr/lib64:
ldconfig: /usr/lib64/libz.so.1 is not a symbolic link

        libz.so.1 -> libz.so.1.2.3
        libplds4.so -> libplds4.so
        libnspr4.so -> libnspr4.so
ldconfig: /usr/lib64/libkrb5.so.3 is not a symbolic link

        libkrb5.so.3 -> libkrb5.so.3.3
        libplc4.so -> libplc4.so
        libnssutil3.so -> libnssutil3.so
ldconfig: /usr/lib64/libk5crypto.so.3 is not a symbolic link

        libk5crypto.so.3 -> libk5crypto.so.3.1
ldconfig: /usr/lib64/libgssapi_krb5.so.2 is not a symbolic link

        libgssapi_krb5.so.2 -> libgssapi_krb5.so.2.2
ldconfig: /usr/lib64/libkrb5support.so.0 is not a symbolic link

        libkrb5support.so.0 -> libkrb5support.so.0.1
        libnss3.so -> libnss3.so

Furthermore, when I tried to connect and watched the secure log, I see the
following and no longer anything about the file/directory not existing:

Oct 28 15:05:56 garytest139 sshd[5385]: Accepted password for garytest from 192.168.9.11 port 38447 ssh2
Oct 28 15:05:56 garytest139 sshd[5385]: pam_unix(sshd:session): session opened for user garytest by (uid=0)
Oct 28 15:05:56 garytest139 sshd[5387]: subsystem request for sftp
Oct 28 15:05:56 garytest139 scponly[5388]: chrooted binary in place, will chroot()
Oct 28 15:05:56 garytest139 scponly[5388]: 3 arguments in total.
Oct 28 15:05:56 garytest139 scponly[5388]:      arg 0 is scponlyc
Oct 28 15:05:56 garytest139 scponly[5388]:      arg 1 is -c
Oct 28 15:05:56 garytest139 scponly[5388]:      arg 2 is /usr/libexec/openssh/sftp-server
Oct 28 15:05:56 garytest139 scponly[5388]: opened log at LOG_AUTHPRIV, opts 0x00000009
Oct 28 15:05:56 garytest139 scponly[5388]: determined USER is "garytest" from environment
Oct 28 15:05:56 garytest139 scponly[5388]: retrieved home directory of "/apps/home/garytest" for user "garytest"
Oct 28 15:05:56 garytest139 scponly[5388]: chrooting to dir: "/apps/home/garytest"
Oct 28 15:05:56 garytest139 scponly[5388]: chdiring to dir: "/"
Oct 28 19:05:56 garytest139 scponly[5388]: setting uid to 813
Oct 28 19:05:56 garytest139 scponly[5388]: processing request: "/usr/libexec/openssh/sftp-server"
Oct 28 19:05:56 garytest139 scponly[5388]: Using getopt processing for cmd /usr/libexec/openssh/sftp-server  (username: garytest(813), IP/port: 192.168.9.11 38447 22)
Oct 28 19:05:56 garytest139 scponly[5388]: running: /usr/libexec/openssh/sftp-server (username: garytest(813), IP/port: 192.168.9.11 38447 22)
Oct 28 19:05:56 garytest139 scponly[5388]: about to exec "/usr/libexec/openssh/sftp-server" (username: garytest(813), IP/port: 192.168.9.11 38447 22)
Oct 28 15:05:56 garytest139 sshd[5385]: pam_unix(sshd:session): session closed for user garytest

So I went ahead and ran the strace and this attached is the output.
sftp.log.5553 should be the one.

Thanks for all the help so far.

(See attached file: sftp.log.5575)(See attached file: sftp.log.5574)(See
attached file: sftp.log.5553)
______________________________________
Gary Autiello, Network +, MCITP
Network Administrator
Dominion Diagnostics, LLC
x886, 401-667-0886
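Kaleb's cplibdeps script itself is not on this page (the attachment was deleted), so the following is an added example, not the script from the thread or anything shipped with scponly: a small Python script that does the same job from ldd output, copying each library into the chroot and reproducing the host's symlink chain, which is also what the "is not a symbolic link" warnings from ldconfig -r are about. SAMPLE_LDD, the host_root parameter and demo() are constructed here so it can be tried offline.

```python
import os, re, shutil, tempfile
SAMPLE_LDD = """\
        libz.so.1 => /usr/lib64/libz.so.1 (0x00002b6057193000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b6058626000)
        linux-vdso.so.1 =>  (0x00007fff5b5ff000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b6056a22000)
"""  # constructed sample in the shape of the ldd output quoted in this thread
_DEP = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)?\s*\(0x[0-9a-f]+\)\s*$")

def parse_ldd(text):
    """Return (library paths, unresolved sonames).  The interpreter line (no
    '=>') is kept: missing in the chroot, execve() fails with ENOENT."""
    lines = text.splitlines()
    missing = [l.split()[0] for l in lines if "=> not found" in l]
    paths = [m.group(1) for m in map(_DEP.match, lines) if m and m.group(1)]
    return paths, missing                 # group(1) is empty for linux-vdso

def copy_into_chroot(chroot, path, host_root="/"):
    """Copy one library, reproducing its symlink chain so the soname link
    (libz.so.1) and the real file (libz.so.1.2.3) both land in the chroot; a
    plain copy under the soname is why `ldconfig -r` says 'not a symbolic
    link'.  host_root lets a staging tree stand in for / (used by demo)."""
    root, written = os.path.abspath(chroot), []
    while True:
        src = os.path.join(host_root, path.lstrip("/"))
        dest = os.path.abspath(os.path.join(root, path.lstrip("/")))
        if os.path.commonpath([root, dest]) != root:   # '..' in a link target
            raise ValueError("refusing to write outside chroot: " + path)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        if os.path.lexists(dest): os.remove(dest)  # drop an older plain copy
        written.append(dest)
        if not os.path.islink(src):
            shutil.copy2(src, dest)
            return written
        target = os.readlink(src)
        os.symlink(target, dest)      # keep the link text exactly as on host
        if not target.startswith("/"):
            target = os.path.join(os.path.dirname(path), target)
        path = os.path.normpath(target)

def build_chroot(chroot, ldd_text, host_root="/"):
    paths, missing = parse_ldd(ldd_text)
    if missing:
        raise RuntimeError("unresolved on the host, fix first: %s" % missing)
    return [d for p in paths for d in copy_into_chroot(chroot, p, host_root)]

def demo():
    """Fake host tree with soname symlinks, empty chroot, populate it from
    SAMPLE_LDD; return the relative paths written and one link's target."""
    tmp = tempfile.mkdtemp()
    host, chroot = os.path.join(tmp, "host"), os.path.join(tmp, "chroot")
    for link, real in (("usr/lib64/libz.so.1", "libz.so.1.2.3"),
                       ("lib64/libc.so.6", "libc-2.5.so"),
                       ("lib64/ld-linux-x86-64.so.2", "ld-2.5.so")):
        os.makedirs(os.path.join(host, os.path.dirname(link)), exist_ok=True)
        open(os.path.join(host, os.path.dirname(link), real), "wb").write(b"\x7fELF")
        os.symlink(real, os.path.join(host, link))
    written = build_chroot(chroot, SAMPLE_LDD, host_root=host)
    rel = sorted(os.path.relpath(p, chroot) for p in written)
    target = os.readlink(os.path.join(chroot, "usr/lib64/libz.so.1"))
    shutil.rmtree(tmp)
    return rel, target
```

On a real host, run `build_chroot("/apps/home/garytest", ldd_output)` with the captured `ldd` text and then `ldconfig -r` on the chroot as Kaleb suggests; the ENOENT from execve in the strace is what you get when the interpreter line is left out.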





From: Kaleb Pederson <kaleb.pederson at gmail.com>
To: Gary Autiello <gautiello at dominiondiagnostics.com>
Cc: scponly at lists.ccs.neu.edu
Date: 10/28/2010 03:02 PM
Subject: Re: Troubles with scponly-4.8



Ok, we're getting closer.

Rerun ldconfig:

ldconfig -r /apps/home/garytest -v

See if it works.  If not, what does the syslog debug output say?  If it
says something other than what it did before (i.e. file not found) then run
strace again.

--
Kaleb Pederson

Blog - http://kalebpederson.com
Twitter - http://twitter.com/kalebpederson

On Thursday, October 28, 2010 11:56:01 am Gary Autiello wrote:
>
> Ok, the output of the ldd /usr/libexec/openssh/sftp-server was:
>
> [root at garytest139 gautiello]# ldd /usr/libexec/openssh/sftp-server
>         libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b6056c3f000)
>         libutil.so.1 => /lib64/libutil.so.1 (0x00002b6056f90000)
>         libz.so.1 => /usr/lib64/libz.so.1 (0x00002b6057193000)
>         libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b60573a8000)
>         libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b60575c0000)
>         libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b60577f8000)
>         libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b6057a0e000)
>         libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b6057c3c000)
>         libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b6057ed1000)
>         libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b60580f7000)
>         libnss3.so => /usr/lib64/libnss3.so (0x00002b60582f9000)
>         libc.so.6 => /lib64/libc.so.6 (0x00002b6058626000)
>         libdl.so.2 => /lib64/libdl.so.2 (0x00002b605897e000)
>         libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b6058b82000)
>         libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b6058d8a000)
>         libnssutil3.so => /usr/lib64/libnssutil3.so (0x00002b6058f8d000)
>         libplc4.so => /usr/lib64/libplc4.so (0x00002b60591ab000)
>         libplds4.so => /usr/lib64/libplds4.so (0x00002b60593af000)
>         libnspr4.so => /usr/lib64/libnspr4.so (0x00002b60595b3000)
>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00002b60597ee000)
>         /lib64/ld-linux-x86-64.so.2 (0x00002b6056a22000)
>         libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b6059a09000)
>         libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b6059c22000)
>
> Your script did:
>
> [root at garytest139 gautiello]# ./cplibdeps /apps/home/garytest /usr/libexec/openssh/sftp-server
> Examining dependencies of /usr/libexec/openssh/sftp-server...
> Copying /usr/libexec/openssh/sftp-server
> => /apps/home/garytest//usr/libexec/openssh/sftp-server
> Copying /lib64/ld-2.5.so => /apps/home/garytest//lib64/ld-2.5.so
> Copying /lib64/libc-2.5.so => /apps/home/garytest//lib64/libc-2.5.so
> Copying /lib64/libcom_err.so.2.1
> => /apps/home/garytest//lib64/libcom_err.so.2.1
> Copying /lib64/libcrypt-2.5.so
> => /apps/home/garytest//lib64/libcrypt-2.5.so
> Copying /lib64/libcrypto.so.0.9.8e
> => /apps/home/garytest//lib64/libcrypto.so.0.9.8e
> Copying /lib64/libdl-2.5.so => /apps/home/garytest//lib64/libdl-2.5.so
> Copying /lib64/libkeyutils-1.2.so
> => /apps/home/garytest//lib64/libkeyutils-1.2.so
> Copying /lib64/libnsl-2.5.so => /apps/home/garytest//lib64/libnsl-2.5.so
> Copying /lib64/libpthread-2.5.so
> => /apps/home/garytest//lib64/libpthread-2.5.so
> Copying /lib64/libresolv-2.5.so
> => /apps/home/garytest//lib64/libresolv-2.5.so
> Copying /lib64/libselinux.so.1
> => /apps/home/garytest//lib64/libselinux.so.1
> Copying /lib64/libsepol.so.1 => /apps/home/garytest//lib64/libsepol.so.1
> Copying /lib64/libutil-2.5.so
> => /apps/home/garytest//lib64/libutil-2.5.so
> Copying /usr/lib64/libgssapi_krb5.so.2.2
> => /apps/home/garytest//usr/lib64/libgssapi_krb5.so.2.2
> Copying /usr/lib64/libk5crypto.so.3.1
> => /apps/home/garytest//usr/lib64/libk5crypto.so.3.1
> Copying /usr/lib64/libkrb5.so.3.3
> => /apps/home/garytest//usr/lib64/libkrb5.so.3.3
> Copying /usr/lib64/libkrb5support.so.0.1
> => /apps/home/garytest//usr/lib64/libkrb5support.so.0.1
> Copying /usr/lib64/libnspr4.so
> => /apps/home/garytest//usr/lib64/libnspr4.so
> Copying /usr/lib64/libnss3.so
> => /apps/home/garytest//usr/lib64/libnss3.so
> Copying /usr/lib64/libnssutil3.so
> => /apps/home/garytest//usr/lib64/libnssutil3.so
> Copying /usr/lib64/libplc4.so
> => /apps/home/garytest//usr/lib64/libplc4.so
> Copying /usr/lib64/libplds4.so
> => /apps/home/garytest//usr/lib64/libplds4.so
> Copying /usr/lib64/libz.so.1.2.3
> => /apps/home/garytest//usr/lib64/libz.so.1.2.3
>
> Still not working... :-(
> ______________________________________
> Gary Autiello, Network +, MCITP
> Network Administrator
> Dominion Diagnostics, LLC
> x886, 401-667-0886
>
>
>
>
>
> From: Kaleb Pederson <kaleb.pederson at gmail.com>
> To: Gary Autiello <gautiello at dominiondiagnostics.com>
> Cc: scponly at lists.ccs.neu.edu
> Date: 10/28/2010 02:37 PM
> Subject: Re: Troubles with scponly-4.8
>
>
>
> From the strace log:
>
> execve("/usr/libexec/openssh/sftp-server",
> ["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = -1 ENOENT (No such
> file or directory)
>
> As the executable exists this implies that it's missing a dependent
> library.
>
> What does the following report: `ldd /usr/libexec/openssh/sftp-server`? All
> the libraries that it depends on should be present in your ldconfig output
> below.
>
> My python script (attached) should detect all required libraries and add
> them to the chroot.  Here's the usage:
>
> cplibdeps /path/to/chroot /path/to/exe1 [/path/to/exe2 ...]
>
> In your case:
>
> cplibdeps /apps/home/garytest /usr/libexec/openssh/sftp-server
>
> --
> Kaleb Pederson
>
> Blog - http://kalebpederson.com
> Twitter - http://twitter.com/kalebpederson
>
> On Thursday, October 28, 2010 11:17:11 am Gary Autiello wrote:
> >
> > Hi Kaleb,
> >
> > Ok I was able to do items 1, 2, and 3 except for the temp shell as I'm not
> > sure how to get /bin/sash or /bin/dash setup.
> >
> > When I ran the ldconfig command I got the following:
> >
> > [root at garytest139 usr]# ldconfig -r /apps/home/garytest -v
> > ldconfig: Can't stat /usr/lib: No such file or directory
> > /lib:
> >         ld-linux.so.2 -> ld-linux.so.2
> >         libnss_compat.so.2 -> libnss_compat.so.2
> > /lib64:
> >         libresolv.so.2 -> libresolv.so.2
> >         libdl.so.2 -> libdl.so.2
> >         libsepol.so.1 -> libsepol.so.1
> >         libselinux.so.1 -> libselinux.so.1
> >         libcrypt.so.1 -> libcrypt.so.1
> >         libcom_err.so.2 -> libcom_err.so.2
> >         libpthread.so.0 -> libpthread.so.0
> >         libcrypto.so.6 -> libcrypto.so.6
> >         libc.so.6 -> libc.so.6
> >         libutil.so.1 -> libutil.so.1
> >         libnsl.so.1 -> libnsl.so.1
> >         libkeyutils.so.1 -> libkeyutils.so.1
> > /usr/lib64:
> >         libgssapi_krb5.so.2 -> libgssapi_krb5.so.2
> >         libz.so.1 -> libz.so.1
> >         libplds4.so -> libplds4.so
> >         libnspr4.so -> libnspr4.so
> >         libkrb5.so.3 -> libkrb5.so.3
> >         libplc4.so -> libplc4.so
> >         libnssutil3.so -> libnssutil3.so
> >         libk5crypto.so.3 -> libk5crypto.so.3
> >         libkrb5support.so.0 -> libkrb5support.so.0
> >         libnss3.so -> libnss3.so
> >
> > I'm assuming the fact that /usr/lib was not found, is a problem.  So, I
> > logged onto our old server and ran the same command for a comparison:
> >
> > [root at taurus home]# ldconfig -r /apps/home/13079/ -v
> > /lib:
> >         libcrypt.so.1 -> libcrypt.so.1
> >         libnss_compat.so.1 -> libnss_compat.so.1
> >         libutil.so.1 -> libutil.so.1
> >         libresolv.so.2 -> libresolv.so.2
> >         libattr.so.1 -> libattr.so.1
> >         ld-linux.so.2 -> ld-linux.so.2
> >         libcrypto.so.4 -> libcrypto.so.4
> >         libnss_compat.so.2 -> libnss_compat.so.2
> >         libselinux.so.1 -> libselinux.so.1
> >         libcom_err.so.2 -> libcom_err.so.2
> >         libnsl.so.1 -> libnsl.so.1
> >         libacl.so.1 -> libacl.so.1
> >         libdl.so.2 -> libdl.so.2
> > /usr/lib:
> >         libgssapi_krb5.so.2 -> libgssapi_krb5.so.2
> >         libz.so.1 -> libz.so.1
> >         libkrb5.so.3 -> libkrb5.so.3
> >         libk5crypto.so.3 -> libk5crypto.so.3
> > /lib/tls: (hwcap: 0x8000000000000000)
> >         libc.so.6 -> libc.so.6
> >         libpthread.so.0 -> libpthread.so.0
> >         librt.so.1 -> librt.so.1
> >
> > They are definitely WAY different as you can see.
> >
> > For the strace, I have attached the output of what I received.  There are
> > three files that it produced:  sftp.log.1777 should contain the PID for the
> > [priv] connection from the client side.
> >
> > (See attached file: sftp.log.1816)(See attached file: sftp.log.1777)(See
> > attached file: sftp.log.1815)
> > ______________________________________
> > Gary Autiello, Network +, MCITP
> > Network Administrator
> > Dominion Diagnostics, LLC
> > x886, 401-667-0886
> >
> >
> >
> >
> >
> > From: Kaleb Pederson <kaleb.pederson at gmail.com>
> > To: Gary Autiello <gautiello at dominiondiagnostics.com>
> > Cc: scponly at lists.ccs.neu.edu
> > Date: 10/28/2010 01:58 PM
> > Subject: Re: Troubles with scponly-4.8
> >
> >
> >
> > Here are a few things to try in order of increasing complexity:
> >
> > 1) Set the debuglevel to 1
> > 2) run ldconfig -r /path/to/chroot -v and verify that no missing libraries
> > are found
> >
> > [Optionally -- if you have a shell with no dependencies you can install
> > temporarily]:
> > 2.a) copy /bin/sash or /bin/dash (a shell with no dependencies) into the
> > chroot, then chroot using 'chroot /path/to/chroot /bin/sash' and then
> > run /usr/libexec/openssh/sftp-server manually and see if it runs. Don't
> > forget to remove the shell when you're done.
> >
> > 3) Strace the program as illustrated here:
> >
> > http://sublimation.org/scponly/wiki/index.php/FAQ#I_still_can.27t_find_my_problem.2C_what_else_can_I_try.3F
> >
> >
> > #3 should provide plenty of information that will allow us to figure out
> > what's going on, but it's a slightly cumbersome process.
> >
> > --
> > Kaleb Pederson
> >
> > Blog - http://kalebpederson.com
> > Twitter - http://twitter.com/kalebpederson
> >
> > On Thursday, October 28, 2010 10:44:16 am Gary Autiello wrote:
> > >
> > > Hey Kaleb,
> > >
> > > Thanks for your reply.
> > >
> > > The chroot-building script did copy over the sftp-server as you can see in
> > > the screen shot below.  The chrooted environment for the user
> > > is /apps/home/garytest/:
> > >
> > >
> > > I will look for that python script, but if you have any more ideas, please
> > > let me know.
> > >
> > > Thanks,
> > > ______________________________________
> > > Gary Autiello, Network +, MCITP
> > > Network Administrator
> > > Dominion Diagnostics, LLC
> > > x886, 401-667-0886
> > >
> > >
> > >
> > >
> > >
> > > From: Kaleb Pederson <kaleb.pederson at gmail.com>
> > > To: Gary Autiello <gautiello at dominiondiagnostics.com>
> > > Cc: scponly at lists.ccs.neu.edu
> > > Date: 10/28/2010 01:39 PM
> > > Subject: Re: Troubles with scponly-4.8
> > >
> > >
> > >
> > > Gary,
> > >
> > > I'm CCing the list now that you're subscribed.
> > >
> > > The following is the culprit (or at least part of the problem):
> > >
> > > > Oct 28 17:15:09 garytest139 scponly[32425]:
> > > > failed: /usr/libexec/openssh/sftp-server -l INFO -f LOCAL6 with error No
> > > > such file or directory(2) (username: garytest(813), IP/port: 192.168.1.43
> > > > 49384 22)
> > >
> > > It looks as if the sftp-server wasn't copied into the chroot.  The
> > > chroot-building script isn't very powerful and has some problems. I'd
> > > actually recommend Jailkit (http://olivier.sessink.nl/jailkit/) for
> > > building the chroot.
> > >
> > > If not using Jailkit, once the basic chroot is setup and functional,
> > > there's a python script that I wrote that should be in the archives
> > > somewhere that you can use to add or update supporting libraries for
> > > whatever programs you want to copy into the chroot.
> > >
> > > Once you've copied over the sftp-server, please let me know if you run into
> > > any problems.
> > >
> > > --Kaleb
> > >
> > > CONFIDENTIALITY NOTICE: This e-mail, including attachments,
> > > is for the sole use of the individual to whom it is addressed
> > > This message is confidential and may contain information that
> > > is privileged, confidential and is exempt from disclosure under
> > > applicable law. Any unauthorized review, use, disclosure or
> > > distribution is prohibited. If you have received this e-mail
> > > in error, please notify the sender by reply e-mail and destroy
> > > this message and its attachments
> > >
> > >
> >
> >
> >
> [attachment "cplibdeps" deleted by Gary Autiello/domdiag]
>
>
>

