[scponly] scponly on AIX with IBMs patches to OpenSSH

Eckert, Doug Doug.Eckert at dowjones.com
Wed Oct 24 11:30:37 EDT 2012


Thanks Kaleb,

Yes, debuglevel is set:

# ls -ltr
total 8
-rw-r--r--    1 root     system            2 Oct 19 08:03 debuglevel
# cat debuglevel
1

If there’s some way to get more verbosity just let me know.  I really appreciate you taking the time to have a look.

Doug Eckert


From: Kaleb Pederson [mailto:kaleb.pederson at gmail.com]
Sent: Wednesday, October 24, 2012 11:15 AM
To: Eckert, Doug
Cc: scponly at lists.ccs.neu.edu
Subject: Re: [scponly] scponly on AIX with IBMs patches to OpenSSH

Thanks for the report Doug. I bookmarked this last week but still haven't had a chance to look at it.

One quick question that may make the problem obvious to me:

Do you have debuglevel set? i.e.: echo 1 > $INSTALLDIR/etc/scponly/debuglevel

If not, can you set it, re-execute the command, and send me the output?

Thanks.

--Kaleb

On Fri, Oct 19, 2012 at 5:25 AM, Eckert, Doug <Doug.Eckert at dowjones.com> wrote:

Greetings,

We also ran into this after applying the same update.  I found this thread,
downloaded the latest daily snapshot, and applied the patch below.  SFTP started
working again.  However, SCP stopped.

We have 2 classes of file transfer/input users.  External users come in to an sshd
running on port 2112 and are forced into SFTP using Match Group and ForceCommand
directives.  These users work fine with shell=scponly (“m patch” applied).

The other users are internal who come in on port 22.  Some use SFTP, some SCP.  Post-patch,
the SCP users are being denied.  I set up debugging and here’s what I captured for
one such session:

Oct 19 08:06:27 sbktesaix02 auth|security:info sshd[5308482]: Accepted password for XXXXXX from www.xxx.yyy.zzz port 53455 ssh2
Oct 19 08:06:27 sbktesaix02 auth|security:info scponly[4980864]: using netbsd's bundled getopt_long
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: 3 arguments in total.
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]:       arg 0 is scponly
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]:       arg 1 is -c
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]:       arg 2 is scp -v -t -- /tmp
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: opened log at LOG_AUTH, opts 0x00000009
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: determined USER is "XXXXXX" from environment
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: retrieved home directory of "/home/XXXXXX" for user "XXXXXX"
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: setting uid to 500
Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: processing request: "scp -v -t -- /tmp"
Oct 19 08:06:27 sbktesaix02 auth|security:err|error scponly[4980864]: denied request: scp -v -t -- /tmp [username: XXXXXX(500), IP/port: www.xxx.yyy.zzz 53455 22]
Oct 19 08:06:27 sbktesaix02 auth|security:info sshd[5242894]: Received disconnect from www.xxx.yyy.zzz: 11: disconnected by user

If I use the pre-patched scponly for their shell, file transfers succeed.

--Doug

> On Sun, Dec 11, 2011 at 3:07 AM, Frank Fegert <fra.nospam.nk at gmx.de> wrote:
> Hello,
>
> just a heads-up: After a recent AIX update (6.1.5.1 -> 6.1.7.1) I
> found that sftp connections via scponly would fail. After adding
> the attached patch, things started working again. I opened a PMR
> with IBM to clarify. Apparently they patched the OpenSSH sftp-server
> and introduced a "-m" command line option, which is used to pass a
> path to an alternative sshd_config file. Unfortunately they failed
> to patch the "sftp-server -h" output as well as the sftp-server man
> page, so it was a bit of a head scratcher at first :-(
>
> Best regards,
>
>    Frank
>
>

> #################################################################

> --- scponly.c.orig      2011-12-05 12:41:18.000000000 +0100

> +++ scponly.c   2011-12-05 12:44:03.000000000 +0100

> @@ -160,7 +160,7 @@

>         * program name         use getopt?             strict optlist? badarg                  optlist                 longopts\n

>         */

>  #ifdef ENABLE_SFTP

> -       { PROG_SFTP_SERVER,     1,                              1,                              NULL,                   "f:l:u:",               empty_longopts },

> +       { PROG_SFTP_SERVER,     1,                              1,                              NULL,                   "f:l:u:m:",             empty_longopts },

>  #endif

>  #ifdef ENABLE_SCP2

>        { PROG_SCP,             1,                              1,                              "SoF",                  "dfl:prtvBCc:i:P:q1246S:o:F:", empty_longopts },

>
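Review bot: the new optlist for PROG_SFTP_SERVER accepts `-m` together with whatever path follows it, while that entry's badarg column stays NULL, so nothing in this hunk constrains which file the caller may name. The message above says `-m` selects an alternative sshd_config, which is the same class of option the PROG_SCP context line two lines below handles through its badarg column ("SoF", covering its `F:` config-file flag among others). Either add `m` to badarg for sftp-server, or document in the change why sshd's own invocation needs `-m` and why accepting a user-supplied path there is acceptable.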


Doug Eckert
Technical Architect
Global Business Technology
Dow Jones | A News Corporation Company
P.O. Box 300 | Princeton NJ 08543-0300
(W) 609.520.4993 (C) 732.666.3681
Email: doug.eckert at dowjones.com
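To make the effect of Frank's patch and Doug's denied request concrete, here is an added example (not scponly's own code) that models scponly's per-program option table in Python: each program maps to a getopt optlist plus a badarg string, which I assume lists options to refuse even when getopt knows them, and the two sftp-server optlists are the pre- and post-patch values from the hunk above. It checks the `-m` invocation Frank's update introduced against both tables, an scp request that names its own config file, and the `scp -v -t -- /tmp` request from Doug's log; the model passes that last one, so the denial in Doug's log is not explained by the option table alone.

```python
import getopt
import shlex

# Simplified model of scponly's per-program option table (added example, not
# scponly's own code). Each entry is (getopt optlist, badarg); badarg is
# assumed to list single-letter options refused even though getopt accepts
# them. The sftp-server optlists are the pre- and post-patch values from the
# hunk in the thread; the scp entry is its unchanged context line.
TABLE_BEFORE_PATCH = {
    "sftp-server": ("f:l:u:", ""),
    "scp": ("dfl:prtvBCc:i:P:q1246S:o:F:", "SoF"),
}
TABLE_AFTER_PATCH = {
    "sftp-server": ("f:l:u:m:", ""),
    "scp": ("dfl:prtvBCc:i:P:q1246S:o:F:", "SoF"),
}

def check_request(request, table):
    """Return (allowed, reason) for a forced-command string such as the
    "scp -v -t -- /tmp" that sshd hands to scponly via -c."""
    argv = shlex.split(request)
    if not argv:
        return False, "empty request"
    prog = argv[0].rsplit("/", 1)[-1]  # ignore any leading directory
    if prog not in table:
        return False, f"program {prog!r} not whitelisted"
    optlist, badarg = table[prog]
    try:
        # getopt rejects options missing from optlist (e.g. -m before the
        # patch) and stops at "--", leaving the rest as positional arguments
        opts, _ = getopt.getopt(argv[1:], optlist)
    except getopt.GetoptError as err:
        return False, f"option error: {err}"
    for flag, _ in opts:
        if flag[1:] in badarg:  # e.g. scp -F: user-chosen config file
            return False, f"forbidden option {flag}"
    return True, "ok"

# Constructed requests: the -m invocation Frank's update introduced, an scp
# that names its own config file, and the request from Doug's log.
SAMPLE_REQUESTS = [
    "sftp-server -m /etc/ssh/sshd_config",
    "scp -F /tmp/user_config -t /tmp",
    "scp -v -t -- /tmp",
]

if __name__ == "__main__":
    for label, table in ("before", TABLE_BEFORE_PATCH), ("after", TABLE_AFTER_PATCH):
        for req in SAMPLE_REQUESTS:
            print(label, req, check_request(req, table))
```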

