[scponly] changing passwords remotely over scponly .. what am
I doing wrong ?
Ensel Sharon
user at dhp.com
Tue Mar 7 10:30:38 EST 2006
On Mon, 6 Mar 2006, Kaleb Pederson wrote:
> The debuglevel file's location is based on what --prefix is set to when the
> install is done. I'm not sure what it would be set to on FreeBSD, so I can't
> be of much help. If you can grab the configure line that ports use, that
> should tell you what it is set to.
>
> Two common cases might be /usr/local/etc/scponly/debuglevel
> and /opt/etc/scponly/debuglevel.
>
> Since -t didn't help, we will probably need the extra debugging info to find
> out.
>
> Can you provide the configure line and the additional logging?
Ok, I found the default - /usr/local/etc/scponly, and I set it to '1'
# cat /usr/local/etc/scponly/debuglevel
1
#
But I see no additional logging created. The only logging I get from my
action is in auth.log:
Mar 7 07:04:24 hostname sshd[98571]: Accepted keyboard-interactive/pam
for username from 10.10.10.10 port 52587 ssh2
Mar 7 07:04:24 hostname scponly[98575]: chrooted binary in place, will
chroot()
Mar 7 07:04:24 hostname scponly[98575]: running: /usr/bin/passwd
(username: username(1234), IP/port: 10.10.10.10 52587 22)
Well, I guess that second line "chrooted binary in place" is new.
The remote command I am running, and its results, are:
# ssh -t username@hostname passwd
Password:
Changing local password for username
Connection to hostname closed.
#
One other piece of information: I was running 4.3, which I built
_without_ --enable-passwd-compat, then I got the 4.6 tarball, and added
that directive to my configure line, and then `make ; make
install`. However, I did not want to muck around with my chroot
configuration again, so I _did not_ remake my jail after adding the passwd
directive and upgrading. I simply copied /usr/bin/passwd and
/usr/lib/libpam.so.3 into the chroot. That seemed to be all there was to
add to the chroot.
So that's my story - thanks for taking a look.
I guess I am curious as to where the debugging goes, or if that single
additional line is all the debugging there is, and I am curious as to
whether I need to add anything else to my chroot other than the passwd
binary and libpam.so.3 ...
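
A check for the question raised in the message above (whether the jail needs more than the passwd binary and libpam.so.3), as an added example that is not part of the original post or of scponly: it reads ldd output and prints every library path that is missing under the jail root. The function names, the sample ldd output and every library name other than libpam.so.3 are constructed for illustration.

```shell
#!/bin/sh
# Added example: report shared libraries that a binary links against
# but that do not exist inside a chroot jail.

# Constructed sample of FreeBSD-style `ldd /usr/bin/passwd` output.
# Only libpam.so.3 comes from the message; the rest is made up.
sample_ldd_output() {
    cat <<'EOF'
/usr/bin/passwd:
	libpam.so.3 => /usr/lib/libpam.so.3 (0x28080000)
	libutil.so.5 => /lib/libutil.so.5 (0x28090000)
	libc.so.6 => /lib/libc.so.6 (0x280a0000)
EOF
}

# missing_in_jail JAILROOT
# Reads ldd output on stdin and prints each absolute library path
# that is not present under JAILROOT.
missing_in_jail() {
    jail=$1
    while read -r line; do
        # Skip the "binary:" header line that ldd prints first.
        case $line in
            *:) continue ;;
        esac
        # Take the first absolute path on the line, if there is one.
        path=$(printf '%s\n' "$line" | sed -n 's|^[^/]*\(/[^ ]*\).*|\1|p')
        [ -n "$path" ] || continue
        [ -e "$jail$path" ] || printf '%s\n' "$path"
    done
}

# Stand-alone use: sh script.sh JAILROOT BINARY
if [ "$#" -eq 2 ]; then
    ldd "$2" | missing_in_jail "$1"
fi
```

ldd lists only link-time dependencies, so PAM modules and any other files that passwd opens at run time do not appear in this output.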