[scponly] setting up chroot jail on solaris 8 (intel)

Chris Cheshire ccheshire at bigredwire.com
Mon Aug 23 13:55:55 EDT 2004


Hi,

I have openssh 3.8.1p1 installed (from sunfreeware.com) and have been 
trying to configure scponly to use a chrooted jail. I can get scponly to 
work fine with sftp but scponlyc doesn't. The setup_chroot.sh doesn't 
work on this platform so I tried to manually do the bits and pieces, as 
well as follow other suggestions from the archives here, but ssh seems 
to close the connection straight after the key handshaking is done. (ssh 
is configured to only do key authentication, not password).

The user dir has this structure:
.:
bin  etc  lib  pub  usr

./bin:
chgrp   chmod   chown   echo    groups  id      ln      ls      mkdir
mv      pwd     rm      rmdir

./etc:
passwd

./lib:
ld.so.1

./pub:

./usr:
lib    local

./usr/lib:
libaio.so.1      libdl.so.1       libnsl.so.1      libresolv.so.2   libsocket.so.1
libc.so.1        libgen.so.1      libpam.so.1      librt.so.1       nss_compat.so.1
libcmd.so.1      libmp.so.2       libproject.so.1  libsecdb.so.1    nss_files.so.1

./usr/local:
bin      lib      libexec  ssl

./usr/local/bin:
scp

./usr/local/lib:
libgcc_s.so.1  libz.so

./usr/local/libexec:
sftp-server

./usr/local/ssl:
lib

./usr/local/ssl/lib:
libcrypto.so.0.9.7

Everything but the pub dir is writable only by root, but readable and 
executable by all.

The debug output from ssh from when it spawns the sftp-server subsystem is:
......
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp
debug1: subsystem: exec() /usr/local/libexec/sftp-server
debug1: Received SIGCHLD.
debug2: fd 11 setting O_NONBLOCK
debug2: fd 11 is O_NONBLOCK
debug2: notify_done: reading
debug1: session_by_pid: pid 14240
debug1: session_exit_message: session 0 channel 0 pid 14240
debug2: channel 0: request exit-signal
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: output open -> closed
debug1: session_close: session 0 pid 14240
debug2: channel 0: read<=0 rfd 11 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: send close
debug3: channel 0: will not send data after close
debug3: channel 0: will not send data after close
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
   #0 server-session (t4 r0 i3/0 o3/0 fd 11/11)

debug3: channel 0: close_fds r 11 w 11 e -1
Connection closed by ....
debug1: do_cleanup
Closing connection to ....
debug3: mm_request_send entering: type 56
debug3: monitor_read: checking request 56
debug3: mm_answer_term: tearing down sessions


A successful connection with just scponly as the shell looks like this:
....
subsystem request for sftp
debug1: subsystem: exec() /usr/local/libexec/sftp-server
debug2: fd 11 setting O_NONBLOCK
debug2: fd 11 is O_NONBLOCK
debug2: channel 0: rcvd adjust 916


Have I missed copying any libraries or commands to the jail? Any other 
suggestions? Are there special permissions that need setting on anything?

Thanks

Chris
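An added example, not part of Chris's post or of scponly itself: a small POSIX sh script that checks a jail the way the question asks, by reading the host's `ldd` output for a binary such as sftp-server (together with the ELF interpreter path recorded in the binary) and reporting each dependency that is absent under the jail root, plus a sweep for anything group- or world-writable outside the intended upload directory. The `ldd`, `elfdump` and `readelf` output formats it parses, and the paths in the usage block, are assumptions for illustration; the sample listing in the comments is constructed. One point worth keeping in mind when reading its output: the kernel resolves the interpreter path recorded in a dynamically linked binary (PT_INTERP, on Solaris normally /usr/lib/ld.so.1) relative to the jail, so the runtime linker must exist at that exact path inside the jail, not merely somewhere under it.

```shell
#!/bin/sh
# Added example (not from the original post or from scponly): check that
# every shared object and the ELF interpreter a binary needs exist under
# a chroot jail, and that nothing in the jail is writable by the jailed
# user except an intended upload directory.
#
# Assumptions: host `ldd` prints "name => /path" lines (Solaris and GNU
# ldd both do, e.g. "\tlibsocket.so.1 =>\t /usr/lib/libsocket.so.1");
# the interpreter path is read with `elfdump -i` (Solaris) or
# `readelf -l` (GNU binutils), whichever is present.  Paths in the usage
# block at the bottom are illustrative.

# Read ldd-style output on stdin and print one absolute path per line.
# Keeps "lib => /path" entries and bare "/path" entries (the GNU ld.so
# line); drops "(file not found)" entries and the vdso, which carry no path.
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Print the PT_INTERP path recorded in an ELF binary, or nothing if it
# cannot be determined.  Assumed output formats: elfdump -i lists the
# path on its own line; readelf -l prints
# "[Requesting program interpreter: /path]".
elf_interp() {
    if command -v elfdump >/dev/null 2>&1; then
        elfdump -i "$1" 2>/dev/null | awk '$1 ~ /^\// { print $1 }'
    elif command -v readelf >/dev/null 2>&1; then
        readelf -l "$1" 2>/dev/null |
            sed -n 's/.*interpreter: \(\/[^]]*\)\].*/\1/p'
    fi
}

# jail_missing JAIL  < ldd-style-output
# Print every dependency path that does not exist beneath JAIL.
# Returns 0 when nothing is missing, 1 otherwise.
jail_missing() {
    jail=$1
    rc=0
    for p in $(ldd_paths); do
        if [ ! -e "$jail$p" ]; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# jail_writable JAIL [ALLOWED]
# Print entries under JAIL that are group- or world-writable, skipping
# the ALLOWED subtree (the directory the jailed user may upload into).
# Returns 0 when none are found, 1 otherwise.
jail_writable() {
    jail=$1
    allowed=${2:-"$1/.no-upload-dir"}
    found=$(find "$jail" -path "$allowed" -prune -o \
        \( -perm -0002 -o -perm -0020 \) -print)
    if [ -z "$found" ]; then
        return 0
    fi
    echo "$found"
    return 1
}

# check_binary JAIL BIN: report what BIN needs that JAIL does not provide,
# using the host copy of BIN to enumerate its dependencies.
check_binary() {
    { ldd "$2" 2>/dev/null || true; elf_interp "$2"; } | jail_missing "$1"
}

# Usage (illustrative): sh jailcheck.sh JAIL BINARY [UPLOAD_DIR]
#   e.g. sh jailcheck.sh /export/home/chris /usr/local/libexec/sftp-server \
#                        /export/home/chris/pub
if [ $# -ge 2 ]; then
    echo "== dependencies of $2 missing under $1 (none is good) =="
    check_binary "$1" "$2" || true
    echo "== group/world-writable entries under $1 (none is good) =="
    jail_writable "$1" "${3:-}" || true
fi
```

Run it as root on the host against every program the jail must exec: sftp-server, scp, and each command under the jail's bin. A clean run is necessary rather than sufficient, since a program can open further files at runtime (name-service modules such as nss_files.so.1 are loaded with dlopen, for example), but any path it prints is a concrete gap to fix first.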
