[scponly] scponly 4.6 on OpenBSD 3.9
Paul Hyder
Paul.Hyder at noaa.gov
Mon Aug 21 11:25:15 EDT 2006
As a start you need to add "--enable-winscp-compat" to the configure line
if the information below is complete.
If that doesn't work please change the value in the debuglevel file to
"1" and send the syslog output to the list. (Unless you moved it in
the install, debuglevel will be in /usr/local/etc/scponly.)
Paul Hyder
NOAA Earth System Research Laboratory, Global Systems Division
Boulder, CO
jp provision wrote:
> Hello all,
>
> I am unable to get WinSCP to successfully authenticate an sftp session. Here is my configuration:
>
> - OpenBSD 3.9 install with some basic packages.
> - scponly 4.6
> - WinSCP 3.8.2
>
> Here is how it went down:
>
> -----snip-----
> bash-3.1# ./configure --enable-chrooted-binary
> checking build system type... i386-unknown-openbsd3.9
> checking host system type... i386-unknown-openbsd3.9
> checking for gcc... gcc
> checking for C compiler default output file name... a.out
> checking whether the C compiler works... yes
> checking whether we are cross compiling... no
> checking for suffix of executables...
> checking for suffix of object files... o
> checking whether we are using the GNU C compiler... yes
> checking whether gcc accepts -g... yes
> checking for gcc option to accept ANSI C... none needed
> checking for a BSD-compatible install... /usr/bin/install -c
> checking whether ln -s works... yes
> checking for cut... /usr/bin/cut
> checking for grep... /usr/bin/grep
> checking for sort... /usr/bin/sort
> checking for ldd... /usr/bin/ldd
> checking for useradd... /usr/sbin/useradd
> checking for chown... /sbin/chown
> checking for chmod... /bin/chmod
> checking for dirname... /usr/bin/dirname
> checking for id... /usr/bin/id
> checking for pw... no
> checking for rm... /bin/rm
> checking for pwd_mkdb... /usr/sbin/pwd_mkdb
> configure: enabling WinSCP compatability...
> checking for pwd... /bin/pwd
> checking for groups... /usr/bin/groups
> checking for id... /usr/bin/id
> checking for echo... /bin/echo
> configure: enabling SFTP compatability...
> checking for sftp-server... /usr/libexec/sftp-server
> checking how to run the C preprocessor... gcc -E
> checking for egrep... grep -E
> checking for ANSI C header files... yes
> checking for sys/types.h... yes
> checking for sys/stat.h... yes
> checking for stdlib.h... yes
> checking for string.h... yes
> checking for memory.h... yes
> checking for strings.h... yes
> checking for inttypes.h... yes
> checking for stdint.h... yes
> checking for unistd.h... yes
> checking for stdlib.h... (cached) yes
> checking for string.h... (cached) yes
> checking syslog.h usability... yes
> checking syslog.h presence... yes
> checking for syslog.h... yes
> checking for unistd.h... (cached) yes
> checking wordexp.h usability... no
> checking wordexp.h presence... no
> checking for wordexp.h... no
> checking glob.h usability... yes
> checking glob.h presence... yes
> checking for glob.h... yes
> checking libgen.h usability... yes
> checking libgen.h presence... yes
> checking for libgen.h... yes
> checking getopt.h usability... yes
> checking getopt.h presence... yes
> checking for getopt.h... yes
> checking for an ANSI C-conforming const... yes
> checking for inline... inline
> checking for working alloca.h... no
> checking for alloca... yes
> checking for malloc... yes
> checking for atexit... yes
> checking for bzero... yes
> checking for strchr... yes
> checking for strerror... yes
> checking for glob... yes
> checking for wordexp... no
> checking for strspn... yes
> checking for basename... yes
> checking for getopt... yes
> checking whether optreset is declared... yes
> configure: creating ./config.status
> config.status: creating Makefile
> config.status: creating setup_chroot.sh
> config.status: creating config.h
> config.status: config.h is unchanged
> bash-3.1#
> bash-3.1#
> bash-3.1#
> bash-3.1# make
> gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly.o -c scponly.c
> gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o helper.o -c helper.c
> gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o scponly scponly.o helper.o
> scponly.o(.text+0x1a7): In function `main':
> /usr/local/src/scponly/scponly-4.6/scponly.c:232: warning: strcpy() is almost always misused, please use strlcpy()
> gcc -g -O2 -I. -I. -DHAVE_CONFIG_H -DDEBUGFILE='"/usr/local/etc/scponly/debuglevel"' -o groups groups.c
> bash-3.1# make install
> echo "0" > debuglevel
> /usr/bin/install -c -d /usr/local/bin
> /usr/bin/install -c -d /usr/local/man/man8
> /usr/bin/install -c -d /usr/local/etc/scponly
> /usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
> /usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
> /usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
> if test "xscponlyc" != "x"; then /usr/bin/install -c -d /usr/local/sbin; rm -f /usr/local/sbin/scponlyc; cp scponly scponlyc; /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; fi
> bash-3.1#
> bash-3.1#
> bash-3.1#
> bash-3.1# echo /usr/local/sbin/scponlyc >> /etc/shells
> bash-3.1#
> bash-3.1#
> bash-3.1#
> bash-3.1# make jail
> /usr/bin/install -c -d /usr/local/bin
> /usr/bin/install -c -d /usr/local/man/man8
> /usr/bin/install -c -d /usr/local/etc/scponly
> /usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
> /usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
> /usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
> if test "xscponlyc" != "x"; then /usr/bin/install -c -d /usr/local/sbin; rm -f /usr/local/sbin/scponlyc; cp scponly scponlyc; /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; fi
> chmod u+x ./setup_chroot.sh
> ./setup_chroot.sh
>
> Next we need to set the home directory for this scponly user.
> please note that the user's home directory MUST NOT be writeable
> by the scponly user. this is important so that the scponly user
> cannot subvert the .ssh configuration parameters.
>
> for this reason, a writeable subdirectory will be created that
> the scponly user can write into.
>
> Username to install [scponly]
> home directory you wish to set for this user [/home/scponly]
> name of the writeable subdirectory [incoming]
> install: 0: No such file or directory
> install: 1: No such file or directory
> install: Ref: No such file or directory
>
> creating /home/scponly/incoming directory for uploading files
> please set the password for scponly:
> Changing local password for scponly.
> New password:
> Retype new password:
> if you experience a warning with winscp regarding groups, please install
> the provided hacked out fake groups program into your chroot, like so:
> cp groups /home/scponly/bin/groups
> bash-3.1#
> bash-3.1#
> bash-3.1# cp groups /home/scponly/bin/groups
> -----snip-----
>
> Here is /var/log/messages showing the user being added:
>
> -----snip-----
> Aug 18 15:15:12 web useradd[8460]: new user added: name=scponly, uid=1002, gid=10, home=/home/scponly, shell=/usr/local/sbin/scponlyc
> -----snip-----
>
> Now the WinSCP log showing the attempted login:
>
> -----snip-----
> . 2006-08-18 15:28:09.195 --------------------------------------------------------------------------
> . 2006-08-18 15:28:09.195 WinSCP Version 3.8.2 (Build 330) (OS 5.1.2600 Service Pack 2)
> . 2006-08-18 15:28:09.195 Login time: Friday, August 18, 2006 3:28:09 PM
> . 2006-08-18 15:28:09.195 --------------------------------------------------------------------------
> . 2006-08-18 15:28:09.195 Session name: scponly at 10.1.1.14
> . 2006-08-18 15:28:09.195 Host name: 10.1.1.14 (Port: 22)
> . 2006-08-18 15:28:09.195 User name: scponly (Password: Yes, Key file: No)
> . 2006-08-18 15:28:09.195 Transfer Protocol: SFTP
> . 2006-08-18 15:28:09.195 SSH protocol version: 2; Compression: No
> . 2006-08-18 15:28:09.195 Agent forwarding: No; TIS/CryptoCard: No; KI: Yes; GSSAPI: No
> . 2006-08-18 15:28:09.195 Ciphers: aes,blowfish,3des,WARN,des; Ssh2DES: No
> . 2006-08-18 15:28:09.195 Ping type: -, Ping interval: 30 sec; Timeout: 15 sec
> . 2006-08-18 15:28:09.195 SSH Bugs: -,-,-,-,-,-,-,-
> . 2006-08-18 15:28:09.195 SFTP Bugs: -,-,-
> . 2006-08-18 15:28:09.195 Proxy: none
> . 2006-08-18 15:28:09.195 Return code variable: Autodetect; Lookup user groups: Yes
> . 2006-08-18 15:28:09.195 Shell: default, EOL: 0
> . 2006-08-18 15:28:09.195 Local directory: default, Remote directory: home, Update: No, Cache: Yes
> . 2006-08-18 15:28:09.195 Cache directory changes: Yes, Permanent: Yes
> . 2006-08-18 15:28:09.195 Clear aliases: Yes, Unset nat.vars: Yes, Resolve symlinks: Yes
> . 2006-08-18 15:28:09.195 Alias LS: No, Ign LS warn: Yes, Scp1 Comp: No
> . 2006-08-18 15:28:09.195 --------------------------------------------------------------------------
> . 2006-08-18 15:28:09.195 Looking up host "10.1.1.14"
> . 2006-08-18 15:28:09.195 Connecting to 10.1.1.14 port 22
> . 2006-08-18 15:28:09.258 Waiting for the server to continue with the initialisation
> . 2006-08-18 15:28:09.258 Looking for incoming data
> . 2006-08-18 15:28:09.273 Select result is 1
> . 2006-08-18 15:28:09.273 Server version: SSH-1.99-OpenSSH_4.3
> . 2006-08-18 15:28:09.273 We claim version: SSH-2.0-WinSCP_release_3.8.2
> . 2006-08-18 15:28:09.273 Using SSH protocol version 2
> . 2006-08-18 15:28:09.273 Waiting for the server to continue with the initialisation
> . 2006-08-18 15:28:09.273 Looking for incoming data
> . 2006-08-18 15:28:09.273 Select result is 1
> . 2006-08-18 15:28:09.273 Doing Diffie-Hellman group exchange
> . 2006-08-18 15:28:09.273 Waiting for the server to continue with the initialisation
> . 2006-08-18 15:28:09.273 Looking for incoming data
> . 2006-08-18 15:28:09.476 Select result is 1
> . 2006-08-18 15:28:09.476 Doing Diffie-Hellman key exchange
> . 2006-08-18 15:28:09.617 Waiting for the server to continue with the initialisation
> . 2006-08-18 15:28:09.617 Looking for incoming data
> . 2006-08-18 15:28:09.679 Select result is 1
> . 2006-08-18 15:28:09.836 Host key fingerprint is:
> . 2006-08-18 15:28:09.836 ssh-rsa 2048 fc:e0:f4:08:c2:7e:91:24:fc:16:0d:e0:e7:a5:63:0b
> . 2006-08-18 15:28:09.836 Initialised AES-256 client->server encryption
> . 2006-08-18 15:28:09.836 Initialised HMAC-SHA1 client->server MAC algorithm
> . 2006-08-18 15:28:09.836 Initialised AES-256 server->client encryption
> . 2006-08-18 15:28:09.836 Initialised HMAC-SHA1 server->client MAC algorithm
> . 2006-08-18 15:28:09.836 Waiting for the server to continue with the initialisation
> . 2006-08-18 15:28:09.836 Looking for incoming data
> . 2006-08-18 15:28:10.039 Select result is 1
> ! 2006-08-18 15:28:10.039 Using username "scponly".
> . 2006-08-18 15:28:10.039 Waiting for the server to continue with the initialisation
> . 2006-08-18 15:28:10.039 Looking for incoming data
> . 2006-08-18 15:28:10.039 Select result is 1
> . 2006-08-18 15:28:10.039 Waiting for the server to continue with the initialisation
> . 2006-08-18 15:28:10.039 Looking for incoming data
> . 2006-08-18 15:28:10.039 Select result is 1
> . 2006-08-18 15:28:10.039 Keyboard-interactive authentication refused
> . 2006-08-18 15:28:10.039 Session password prompt (scponly at 10.1.1.14's password: )
> . 2006-08-18 15:28:10.039 Using stored password.
> ! 2006-08-18 15:28:10.054 Authenticating with pre-entered password.
> . 2006-08-18 15:28:10.054 Sent password
> . 2006-08-18 15:28:10.054 Waiting for the server to continue with the initialisation
> . 2006-08-18 15:28:10.054 Looking for incoming data
> . 2006-08-18 15:28:10.070 Select result is 1
> . 2006-08-18 15:28:10.070 Access granted
> . 2006-08-18 15:28:10.070 Waiting for the server to continue with the initialisation
> . 2006-08-18 15:28:10.070 Looking for incoming data
> . 2006-08-18 15:28:10.070 Select result is 1
> . 2006-08-18 15:28:10.070 Opened channel for session
> . 2006-08-18 15:28:10.070 Waiting for the server to continue with the initialisation
> . 2006-08-18 15:28:10.070 Looking for incoming data
> . 2006-08-18 15:28:10.070 Select result is 1
> . 2006-08-18 15:28:10.070 Started a shell/command
> . 2006-08-18 15:28:10.070 --------------------------------------------------------------------------
> . 2006-08-18 15:28:10.070 Using SFTP protocol.
> . 2006-08-18 15:28:10.070 Doing startup conversation with host.
>> 2006-08-18 15:28:10.070 Type: SSH_FXP_INIT, Size: 5, Number: -1
>> 2006-08-18 15:28:10.070 01,00,00,00,05,
> . 2006-08-18 15:28:10.070 Sent 9 bytes
> . 2006-08-18 15:28:10.070 There are 0 bytes remaining in the send buffer
> . 2006-08-18 15:28:10.070 Waiting for another 4 bytes
> . 2006-08-18 15:28:10.070 Looking for incoming data
> . 2006-08-18 15:28:10.070 Select result is 1
> . 2006-08-18 15:28:10.070 Server exited on signal "PIPE"
> . 2006-08-18 15:28:10.070 Waiting for another 4 bytes
> . 2006-08-18 15:28:10.070 Looking for incoming data
> . 2006-08-18 15:28:10.273 Select result is 1
> . 2006-08-18 15:28:10.273 All channels closed. Disconnecting
> . 2006-08-18 15:28:10.273 Server closed network connection
> . 2006-08-18 15:28:10.273 Waiting for another 4 bytes
> . 2006-08-18 15:28:10.273 Looking for incoming data
> * 2006-08-18 15:28:10.289 (ESshFatal) Cannot initialize SFTP protocol. Is the host running a SFTP server?
> * 2006-08-18 15:28:10.289 Connection has been unexpectedly closed. Server sent command exit status 0.
> -----snip-----
>
> And now /var/log/secure showing the attempted connection:
>
> -----snip-----
> Aug 18 19:28:10 web scponly[27691]: running: /usr/libexec/sftp-server (username: scponly(1002), IP/port: 10.1.1.111 2027 22)
> -----snip-----
>
> Nothing helpful there. Anyway, it doesn't appear to be a WinSCP problem because an sftp connection from another BSD box fails:
>
> -----snip-----
> -bash-3.00$ sftp scponly at 10.1.1.14
> Connecting to 10.1.1.14...
> scponly at 10.1.1.14's password:
> Connection closed
> -bash-3.00$
> -----snip-----
>
> sftp is running, though, because an sftp connection with a normal user (bash shell) succeeds:
>
> -----snip-----
> -bash-3.00$ sftp josh at 10.1.1.14
> Connecting to 10.1.1.14...
> josh at 10.1.1.14's password:
> sftp> quit
> -bash-3.00$
> -----snip-----
>
> So, I decided to try checking the libraries. After some research, I ran the following:
>
> -----snip-----
> bash-3.1# ldd /usr/local/sbin/scponlyc
> /usr/local/sbin/scponlyc:
> Start End Type Open Ref GrpRef Name
> 00000000 00000000 exe 1 0 0 /usr/local/sbin/scponlyc
> 0b794000 2b7c5000 rlib 0 1 0 /usr/lib/libc.so.39.0
> 01e10000 01e10000 rtld 0 1 0 /usr/libexec/ld.so
> bash-3.1#
> bash-3.1#
> bash-3.1#
> bash-3.1# cp /usr/lib/libc.so.39.0 /home/scponly/usr/lib/
> cp: /home/scponly/usr/lib/: No such file or directory
> bash-3.1#
> bash-3.1#
> bash-3.1#
> bash-3.1# mkdir /home/scponly/usr/lib
> bash-3.1# cp /usr/lib/libc.so.39.0 /home/scponly/usr/lib/
> bash-3.1#
> -----snip-----
>
> ld.so was already there, so no need to copy it. After copying libc.so.39.0, though, I received the exact same error. Logs look exactly the same, so it appears that something else is breaking before the connection attempts to use the needed libraries.
>
> Any help would be greatly appreciated.
>
> Josh
>
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
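The by-hand procedure in the quoted post (run ldd on scponlyc, see which shared objects it needs, notice the target directory in the jail does not exist, mkdir it, copy the library in) is exactly the kind of thing worth scripting so a chroot is checked the same way every time. The script below is an added example written for this page; it is not part of scponly or the setup_chroot.sh shipped with it, and it does not answer Josh's question on its own. It parses both OpenBSD's table-style ldd output (as shown above) and glibc's "lib => /path" style, reports every library absent from the jail, and can copy the missing ones in, creating parent directories first. The function names, the CHROOT/BINARY argument convention and the usage paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the scponly project or the thread above.
# Check a chroot jail for the shared libraries a binary needs, using the
# same ldd-based approach Josh followed by hand. Works with OpenBSD's
# table-style ldd output and with glibc's "libfoo => /path (0x...)" style.

# parse_ldd: read ldd output on stdin, print one absolute library path per
# line. Matches fields that start with "/" and end in ".so" followed by an
# optional numeric version, so the "exe" line of the binary itself is skipped.
parse_ldd() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^\/.*\.so(\.[0-9]+)*$/) print $i
    }'
}

# missing_libs CHROOT: read library paths on stdin, print those that do not
# exist under CHROOT (checked at the same path relative to the jail root).
missing_libs() {
    chroot_dir=$1
    while IFS= read -r lib; do
        [ -e "$chroot_dir$lib" ] || printf '%s\n' "$lib"
    done
}

# install_libs CHROOT: read library paths on stdin and copy each one into
# CHROOT, creating the parent directory first (the step that produced
# "No such file or directory" for /home/scponly/usr/lib/ in the post).
install_libs() {
    chroot_dir=$1
    while IFS= read -r lib; do
        mkdir -p "$chroot_dir$(dirname "$lib")"
        cp -p "$lib" "$chroot_dir$lib"
    done
}

# check_chroot BINARY CHROOT: run ldd on BINARY and list what the jail lacks.
# Returns 0 when every required library is present, 1 otherwise.
check_chroot() {
    missing=$(ldd "$1" | parse_ldd | missing_libs "$2")
    if [ -n "$missing" ]; then
        printf 'missing in %s:\n%s\n' "$2" "$missing"
        return 1
    fi
    return 0
}

# Usage (assumed paths, matching the thread):
#   sh check_chroot.sh /usr/local/sbin/scponlyc /home/scponly
#   ldd /usr/local/sbin/scponlyc | parse_ldd | install_libs /home/scponly
if [ "$#" -eq 2 ]; then
    check_chroot "$1" "$2"
fi
```

Run it after setup_chroot.sh and again after every OS upgrade that bumps a library version (libc.so.39.0 in the post is version-suffixed, so a base-system update leaves the jail with a stale copy that ldd on the host no longer reports). A missing library is only one reason a chrooted sftp-server can die on SIGPIPE before sending its first packet; the script tells you whether that reason applies, which is what the copy-and-retry in the post was trying to establish.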