[scponly] scponly on AIX with IBM's patches to OpenSSH

Eckert, Doug Doug.Eckert at dowjones.com
Fri Oct 19 08:25:47 EDT 2012


Greetings,

We also ran into this after applying the same update. I found this thread,
downloaded the latest daily snapshot, and applied the patch below. SFTP started
working again. However, SCP stopped.

We have 2 classes of file transfer/input users. External users come in to an sshd
running on port 2112 and are forced into SFTP using Match Group and ForceCommand
directives. These users work fine with shell=scponly ("m patch" applied).

The other users are internal who come in on port 22. Some use SFTP, some SCP. Post-patch,
the SCP users are being denied. I set up debugging and here's what I captured for
one such session:

Oct 19 08:06:27 sbktesaix02 auth|security:info sshd[5308482]: Accepted password for XXXXXX from www.xxx.yyy.zzz port 53455 ssh2
Oct 19 08:06:27 sbktesaix02 auth|security:info scponly[4980864]: using netbsd's bundled getopt_long
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: 3 arguments in total.
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]:       arg 0 is scponly
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]:       arg 1 is -c
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]:       arg 2 is scp -v -t -- /tmp
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: opened log at LOG_AUTH, opts 0x00000009
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: determined USER is "XXXXXX" from environment
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: retrieved home directory of "/home/XXXXXX" for user "XXXXXX"
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: setting uid to 500
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: processing request: "scp -v -t -- /tmp"
Oct 19 08:06:27 sbktesaix02 auth|security:err|error scponly[4980864]: denied request: scp -v -t -- /tmp [username: XXXXXX(500), IP/port: www.xxx.yyy.zzz 53455 22]
Oct 19 08:06:27 sbktesaix02 auth|security:info sshd[5242894]: Received disconnect from www.xxx.yyy.zzz: 11: disconnected by user

If I use the pre-patched scponly for their shell, file transfers succeed.

--Doug







> On Sun, Dec 11, 2011 at 3:07 AM, Frank Fegert <fra.nospam.nk at gmx.de> wrote:
> Hello,
>
> just a heads-up: After a recent AIX update (6.1.5.1 -> 6.1.7.1) I
> found that sftp connections via scponly would fail. After adding
> the attached patch, things started working again. I opened a PMR
> with IBM to clarify. Apparently they patched the OpenSSH sftp-server
> and introduced a "-m" command line option, which is used to pass a
> path to an alternative sshd_config file. Unfortunately they neglected
> to patch the "sftp-server -h" output as well as the sftp-server man
> page, so it was a bit of a head scratcher at first :-(
>
> Best regards,
>
>    Frank
>
>

> #################################################################
> --- scponly.c.orig      2011-12-05 12:41:18.000000000 +0100
> +++ scponly.c   2011-12-05 12:44:03.000000000 +0100
> @@ -160,7 +160,7 @@
>         * program name         use getopt?             strict optlist? badarg                  optlist                 longopts\n
>         */
>  #ifdef ENABLE_SFTP
> -       { PROG_SFTP_SERVER,     1,                              1,                              NULL,                   "f:l:u:",               empty_longopts },
> +       { PROG_SFTP_SERVER,     1,                              1,                              NULL,                   "f:l:u:m:",             empty_longopts },
>  #endif
>  #ifdef ENABLE_SCP2
>        { PROG_SCP,             1,                              1,                              "SoF",                  "dfl:prtvBCc:i:P:q1246S:o:F:", empty_longopts },
>
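Review bot: the new optlist `"f:l:u:m:"` in the PROG_SFTP_SERVER row whitelists `-m` together with an arbitrary argument, and the covering mail says that argument is a path to an alternative sshd_config file. scponly checks whatever command line the session supplies (Doug's log shows it validating the request string verbatim), so after this hunk any `sftp-server -m <path>` passes the strict optlist check regardless of the path given; the badarg column on the neighbouring scp row (`"SoF"`) shows the table already has a place for options that must be refused, but refusing `-m` outright is not an option if the IBM sshd itself passes it, so the safer change is to compare the `-m` argument against the expected configuration path before accepting the request. The table header above the row (`program name / use getopt? / strict optlist? / badarg / optlist / longopts`) should also gain a comment noting that `m:` is an IBM AIX addition absent from upstream sftp-server, since the mail notes it is undocumented in `sftp-server -h` and the man page and a future maintainer will otherwise not know why it is there.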


Doug Eckert
Technical Architect
Global Business Technology
Dow Jones | A News Corporation Company
P.O. Box 300 | Princeton NJ 08543-0300
(W) 609.520.4993 (C) 732.666.3681
Email: doug.eckert at dowjones.com
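As an added example, not scponly's own code and not from either poster, the following C program models the per-program option whitelist that the table in the quoted patch implements: a request is matched to a program row, every option letter must appear in that row's optlist, letters in the badarg column are refused outright, and a `:` after a letter means the option consumes an argument. The rows are copied from the quoted table, with the sftp-server row shown before and after the `m:` addition. Simplifications and assumptions: the request is split on spaces only (scponly handles quoting), the program name is matched literally rather than by path, and the sshd_config path and the `prog` token in the sample requests are constructed placeholders.

```c
/* Added example: a simplified model of scponly's per-program option
 * whitelist. It is NOT scponly's own code. Each row mirrors the columns
 * of the table in the quoted patch: program name, "badarg" (option letters
 * always refused) and "optlist" in getopt syntax, where a ':' after a
 * letter means the option takes an argument. Quoting is ignored: the
 * request is split on spaces only (a simplification). */
#include <stdio.h>
#include <string.h>

struct rule {
    const char *prog;
    const char *badarg;   /* options refused even though valid (NULL = none) */
    const char *optlist;  /* permitted options, getopt style */
};

/* Rows copied from the quoted table: sftp-server before and after the
 * patch adds "m:", plus the scp row the patch leaves unchanged. */
static const struct rule rules_before[] = {
    { "sftp-server", NULL,  "f:l:u:" },
    { "scp",         "SoF", "dfl:prtvBCc:i:P:q1246S:o:F:" },
};
static const struct rule rules_after[] = {
    { "sftp-server", NULL,  "f:l:u:m:" },
    { "scp",         "SoF", "dfl:prtvBCc:i:P:q1246S:o:F:" },
};

/* 0 = letter not in optlist, 1 = flag, 2 = option that takes an argument */
static int lookup(const char *optlist, char c) {
    const char *p = (c == ':') ? NULL : strchr(optlist, c);
    if (!p) return 0;
    return p[1] == ':' ? 2 : 1;
}

/* Decide whether argv[0..argc) is permitted under the given table.
 * Returns 1 (allow) or 0 (deny) and writes the reason into 'reason'. */
static int check_argv(const struct rule *rules, size_t nrules,
                      int argc, char **argv, char *reason, size_t rlen) {
    const struct rule *r = NULL;
    if (argc < 1) { snprintf(reason, rlen, "empty request"); return 0; }
    for (size_t i = 0; i < nrules; i++)
        if (strcmp(rules[i].prog, argv[0]) == 0) r = &rules[i];
    if (!r) { snprintf(reason, rlen, "program '%s' is not permitted", argv[0]); return 0; }

    for (int i = 1; i < argc; i++) {
        const char *tok = argv[i];
        if (strcmp(tok, "--") == 0) break;              /* end of options; the rest are operands */
        if (tok[0] != '-' || tok[1] == '\0') continue;  /* operand such as a path */
        for (const char *c = tok + 1; *c; c++) {
            if (r->badarg && strchr(r->badarg, *c)) {
                snprintf(reason, rlen, "-%c is in the badarg list", *c); return 0;
            }
            int kind = lookup(r->optlist, *c);
            if (kind == 0) { snprintf(reason, rlen, "-%c is not in the optlist", *c); return 0; }
            if (kind == 2) {                  /* option consumes an argument ... */
                if (c[1] == '\0') {           /* ... supplied as the next token */
                    if (++i >= argc) { snprintf(reason, rlen, "-%c is missing its argument", *c); return 0; }
                }
                break;                        /* otherwise the rest of this token is the argument */
            }
        }
    }
    snprintf(reason, rlen, "allowed");
    return 1;
}

/* Split a request string on spaces and check it. Returns 1 (allow) or 0 (deny). */
int check_request(const struct rule *rules, size_t nrules, const char *request,
                  char *reason, size_t rlen) {
    char buf[256];
    char *argv[32];
    int argc = 0;
    snprintf(buf, sizeof buf, "%s", request);
    for (char *tok = strtok(buf, " "); tok && argc < 32; tok = strtok(NULL, " "))
        argv[argc++] = tok;
    return check_argv(rules, nrules, argc, argv, reason, rlen);
}

int allowed_before(const char *request) {
    char why[128];
    return check_request(rules_before, sizeof rules_before / sizeof rules_before[0], request, why, sizeof why);
}
int allowed_after(const char *request) {
    char why[128];
    return check_request(rules_after, sizeof rules_after / sizeof rules_after[0], request, why, sizeof why);
}

int main(void) {
    /* Constructed sample requests; the sshd_config path and "prog" are placeholders. */
    const char *requests[] = {
        "sftp-server -m /etc/ssh/sshd_config",   /* the IBM-style invocation with -m */
        "scp -v -t -- /tmp",                     /* the request denied in Doug's log */
        "scp -S prog -t /tmp",                   /* -S is in scp's badarg list */
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        char why[128];
        int ok = check_request(rules_after, 2, requests[i], why, sizeof why);
        printf("%-40s -> %s (%s)\n", requests[i], ok ? "allowed" : "denied", why);
    }
    return 0;
}
```

In this model the pre-patch sftp-server row denies `sftp-server -m <path>` because `m` is absent from its optlist, which matches Frank's report, and the patched row allows it while inspecting only that an argument is present, not what path it names. The scp row is untouched by the hunk and accepts `scp -v -t -- /tmp`, so as far as this simplified check goes the table rows shown in the hunk do not by themselves account for the denial in Doug's log; the real scponly runs the request through getopt_long and the debug output Doug captured is the place to look for which step refuses it.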
