[scponly] changing passwords remotely over scponly .. what am I doing wrong ?

Kaleb Pederson kpederson at mail.ewu.edu
Tue Mar 7 14:41:51 EST 2006


Ok, there are a couple of things that are bothering me here.  Apparently
we need to add an additional line or two of debug output to the source.

So, the passwd program is found correctly and is executed, but we don't
ever see it return (which I would like to see in debug output).  So, I
can only assume that it executes correctly, and then dies.

One problem: you cannot change a password outside of a chroot if you are
chrooted.  Thus, unless you set up some sort of sync between the password
and shadow files in the chroot and those outside of the chroot, you
won't be able to change the password as you expect.  Also, are you sure
that all the necessary dependencies were correctly installed?  Does ldd
show that everything is resolved?

The only way that I know of to get around that is to
change the password before chrooting.  I created a patch that did this
and submitted it quite a while ago.  It has not yet made it into the
source, so I don't believe you will be able to do what you want while
using a chrooted binary.

I think that the --enable-passwd-compat and
--enable-chrooted-binary flags need to be mutually exclusive, pending
the approval of the patch that I submitted a while ago.

I'll talk to Joe and others on the list about it and see if we can't get
it approved.  Joe? Others?

I'll try to submit an updated patch this week for review.

Thanks.

--Kaleb

On 12:00 Tue 07 Mar, Ensel Sharon wrote:
> 
> 
> On Tue, 7 Mar 2006, Kaleb Pederson wrote:
> 
> > The logging depends on how your syslog daemon is set up, but will
> > typically show up in /var/log/messages.  As you have now turned on
> > debugging, there should be quite a bit more information available in the
> > logs.
> > 
> > You should see something indicating how scponly was called, what command
> > is being issued, etc.
> 
> 
> Ok, after adding *.*  /var/log/scponly  to syslog, I got:
> 
> 
> Mar  7 08:51:23 hostname sshd[98862]: Accepted keyboard-interactive/pam
> for username from 10.10.10.7 port 56674 ssh2
> Mar  7 08:51:23 hostname scponly[98866]: chrooted binary in place, will
> chroot()
> Mar  7 08:51:23 hostname scponly[98866]: 3 arguments in total.
> Mar  7 08:51:23 hostname scponly[98866]:        arg 0 is scponlyc
> Mar  7 08:51:23 hostname scponly[98866]:        arg 1 is -c
> Mar  7 08:51:23 hostname scponly[98866]:        arg 2 is passwd
> Mar  7 08:51:23 hostname scponly[98866]: opened log at LOG_AUTHPRIV, opts
> 0x00000009
> Mar  7 08:51:23 hostname scponly[98866]: retrieved home directory of
> "/usr/home" for user "username"
> Mar  7 08:51:23 hostname scponly[98866]: chrooting to dir: "/usr/home"
> Mar  7 08:51:23 hostname scponly[98866]: chdiring to dir: "/"
> Mar  7 08:51:23 hostname scponly[98866]: setting uid to username
> Mar  7 08:51:23 hostname scponly[98866]: processing request: "passwd"
> Mar  7 08:51:23 hostname scponly[98866]: Found "HOME" and setting it to
> "/usr/home"
> Mar  7 08:51:23 hostname scponly[98866]: Environment contains
> "HOME=/usr/home"
> Mar  7 08:51:23 hostname scponly[98866]: set HOME environment variable to
> / username: username(username), IP/port: 10.10.10.7 56674 22
> Mar  7 08:51:23 hostname scponly[98866]: running: /usr/bin/passwd
> (username: username(username), IP/port: 10.10.10.7 56674 22)
> 
> 
> So that's that ... what do you think of it?  Again, this was produced by
> running this on the remote system:
> 
> # ssh -t username at hostname passwd
> Password:
> Changing local password for username
> Connection to hostname closed.
> #
> 
> 
> Is there perhaps a hash file, or other mechanism within the chroot that
> keeps track of all the binaries within the chroot, and simply copying in
> `passwd` is not sufficient?  Perhaps I need to somehow register the
> addition of the passwd binary in the chroot?
> 
> thanks.
> 
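Kaleb's two diagnostic points above (a passwd run inside the chroot can only ever touch the chroot's own copy of the account files, and a binary copied into a chroot only runs if ldd resolves every library there) can be checked with a small script. The following is an added example, not code from the scponly project or from either poster; it assumes the chroot keeps its own etc/master.passwd under the chroot root, uses a temporary host/chroot tree with a constructed account entry and constructed ldd output, and the helper names (chroot_copy_status, unresolved_libs, make_demo_tree, simulate_chrooted_passwd) are hypothetical:

```shell
#!/bin/sh
# Added example, not scponly's own code.  Demonstrates why a chrooted
# passwd cannot update the real account database, and how to spot a
# passwd binary whose shared libraries are missing from the chroot.
# All paths and the account entry are constructed placeholders.

# chroot_copy_status HOST_ROOT CHROOT_ROOT RELATIVE_PATH
# Exit status: 0 = chroot copy identical to the host file,
#              1 = copy exists but differs (the two databases diverged),
#              2 = no copy of the file inside the chroot at all.
chroot_copy_status() {
    host_file="$1/$3"
    chroot_file="$2/$3"
    [ -f "$chroot_file" ] || return 2
    cmp -s "$host_file" "$chroot_file" && return 0
    return 1
}

# unresolved_libs < LDD_OUTPUT
# Prints every library ldd reported as "not found"; exit status 1 if any.
unresolved_libs() {
    missing=0
    while IFS= read -r line; do
        case "$line" in
            *"not found"*)
                lib=${line%%=>*}
                # strip the surrounding whitespace ldd indents with
                lib=$(printf '%s' "$lib" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                printf '%s\n' "$lib"
                missing=1 ;;
        esac
    done
    return $missing
}

# make_demo_tree: build a constructed host/chroot pair under a temp dir and
# print its path.  The chroot's copy starts out identical to the host file.
make_demo_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/host/etc" "$tmp/chroot/etc"
    # Constructed sample entry; the hash field is a placeholder, not a real hash.
    printf 'username:$1$placeholder$PLACEHOLDERHASH:1001:1001::0:0:User:/usr/home/username:/usr/local/bin/scponlyc\n' \
        > "$tmp/host/etc/master.passwd"
    cp "$tmp/host/etc/master.passwd" "$tmp/chroot/etc/master.passwd"
    printf '%s\n' "$tmp"
}

# simulate_chrooted_passwd TREE: what passwd does once chroot() has run,
# namely rewrite the chroot's copy of the file and nothing else.
simulate_chrooted_passwd() {
    printf 'username:$1$placeholder$NEWPLACEHOLDERHASH:1001:1001::0:0:User:/usr/home/username:/usr/local/bin/scponlyc\n' \
        > "$1/chroot/etc/master.passwd"
}

# Constructed ldd output for a copied passwd: one library is absent from the chroot.
SAMPLE_LDD='        libpam.so.3 => /usr/lib/libpam.so.3 (0x28081000)
        libcrypt.so.3 => not found
        libc.so.6 => /lib/libc.so.6 (0x28094000)'

main() {
    tree=$(make_demo_tree) || exit 1
    chroot_copy_status "$tree/host" "$tree/chroot" etc/master.passwd \
        && echo "before: chroot copy in sync with host file"
    simulate_chrooted_passwd "$tree"
    chroot_copy_status "$tree/host" "$tree/chroot" etc/master.passwd \
        || echo "after chrooted passwd: host file unchanged, copies diverged (status $?)"
    echo "libraries ldd could not resolve inside the chroot:"
    printf '%s\n' "$SAMPLE_LDD" | unresolved_libs \
        || echo "-> passwd would fail to load in the chroot"
    rm -rf "$tree"
}

main "$@"
```

Status 1 from chroot_copy_status after the simulated run is the whole problem Kaleb describes: the host's file never changes, so the next login still uses the old password unless something syncs the two copies back together. Against a real system the same two functions would be pointed at / and the scponly chroot root, and at the output of `ldd` on the chroot's copy of passwd.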