[scponly] installation of scponly on RHEL 3

Kyong Kim kimkyong at fhda.edu
Tue Mar 7 16:38:09 EST 2006


Paul,
I checked the ssh log and the login is being accepted.

I enabled the debugging flag and am seeing the following in the secure log file:

Mar  7 13:30:00 localhost sshd[19685]: Accepted password for user from ::ffff:xxx.xxx.xxx.xxx port 1993
Mar  7 13:30:00 localhost scponly[19688]: chrooted binary in place, will chroot()
Mar  7 13:30:00 localhost scponly[19688]: 3 arguments in total.
Mar  7 13:30:00 localhost scponly[19688]:       arg 0 is scponlyc
Mar  7 13:30:00 localhost scponly[19688]:       arg 1 is -c
Mar  7 13:30:00 localhost scponly[19688]:       arg 2 is scp -t /home/user/incoming
Mar  7 13:30:00 localhost scponly[19688]: opened log at LOG_AUTHPRIV, opts 0x00000009
Mar  7 13:30:00 localhost scponly[19688]: retrieved home directory of "/home/user" for user "user"
Mar  7 13:30:00 localhost scponly[19688]: chrooting to dir: "/home/user"
Mar  7 13:30:00 localhost scponly[19688]: chdiring to dir: "/"
Mar  7 21:30:00 localhost scponly[19688]: setting uid to 511
Mar  7 21:30:00 localhost scponly[19688]: processing request: "scp -t /home/user/incoming"
Mar  7 21:30:00 localhost scponly[19688]: denied request: scp -t /home/user/incoming [username: user(511), IP/port: ::ffff:xxx.xxx.xxx.xxx 1993 22]

I'm not sure what to make of the denied request message.
Thank you in advance.
Kyong



At 11:55 AM -0700 3/7/06, Paul Hyder wrote:
>If you change the value in /usr/local/etc/scponly/debuglevel from zero
>to 1 scponly will syslog trace messages.  You should also check any ssh
>logging to make sure that the user is being permitted by ssh.
>     Paul Hyder
>     NOAA Earth System Research Laboratory, Global Systems Division
>     Boulder, CO
>
>Kyong Kim wrote:
>>  Hi guys,
>>  I'm new to scponly and have been having some trouble getting it to work.
>>  I looked through the archives but could not find anything so I was
>>  hoping someone could help me out.
>>
>>  I downloaded scponly-4.6.tgz for use on RHEL 3.
>>
>>  I configured it with only the following option: --enable-chrooted-binary
>>  checking build system type... x86_64-unknown-linux-gnu
>>  checking host system type... x86_64-unknown-linux-gnu
>>  checking for gcc... gcc
>>  checking for C compiler default output file name... a.out
>>  checking whether the C compiler works... yes
>>  checking whether we are cross compiling... no
>>  checking for suffix of executables...
>>  checking for suffix of object files... o
>>  checking whether we are using the GNU C compiler... yes
>>  checking whether gcc accepts -g... yes
>>  checking for gcc option to accept ANSI C... none needed
>>  checking for a BSD-compatible install... /usr/bin/install -c
>>  checking whether ln -s works... yes
>>  checking for cut... /bin/cut
>>  checking for grep... /bin/grep
>>  checking for sort... /bin/sort
>>  checking for ldd... /usr/bin/ldd
>>  checking for useradd... no
>>  checking for chown... /bin/chown
>>  checking for chmod... /bin/chmod
>>  checking for dirname... /usr/bin/dirname
>>  checking for id... /usr/bin/id
>>  checking for pw... /usr/bin/pw
>>  checking for rm... /bin/rm
>>  checking for pwd_mkdb... no
>>  configure: enabling WinSCP compatability...
>>  checking for pwd... /bin/pwd
>>  checking for groups... /usr/bin/groups
>>  checking for id... /usr/bin/id
>>  checking for echo... /bin/echo
>>  configure: enabling SFTP compatability...
>>  checking for sftp-server... /usr/libexec/openssh/sftp-server
>>  checking how to run the C preprocessor... gcc -E
>>  checking for egrep... grep -E
>>  checking for ANSI C header files... yes
>>  checking for sys/types.h... yes
>>  checking for sys/stat.h... yes
>>  checking for stdlib.h... yes
>>  checking for string.h... yes
>>  checking for memory.h... yes
>>  checking for strings.h... yes
>>  checking for inttypes.h... yes
>>  checking for stdint.h... yes
>>  checking for unistd.h... yes
>>  checking for stdlib.h... (cached) yes
>>  checking for string.h... (cached) yes
>>  checking syslog.h usability... yes
>>  checking syslog.h presence... yes
>>  checking for syslog.h... yes
>>  checking for unistd.h... (cached) yes
>>  checking wordexp.h usability... yes
>>  checking wordexp.h presence... yes
>>  checking for wordexp.h... yes
>>  checking glob.h usability... yes
>>  checking glob.h presence... yes
>>  checking for glob.h... yes
>>  checking libgen.h usability... yes
>>  checking libgen.h presence... yes
>>  checking for libgen.h... yes
>>  checking getopt.h usability... yes
>>  checking getopt.h presence... yes
>>  checking for getopt.h... yes
>>  checking for an ANSI C-conforming const... yes
>>  checking for inline... inline
>>  checking for working alloca.h... yes
>>  checking for alloca... yes
>>  checking for malloc... yes
>>  checking for atexit... yes
>>  checking for bzero... yes
>>  checking for strchr... yes
>>  checking for strerror... yes
>>  checking for glob... yes
>>  checking for wordexp... yes
>>  checking for strspn... yes
>>  checking for basename... yes
>>  checking for getopt... yes
>>  checking whether optreset is declared... no
>>  configure: creating ./config.status
>>  config.status: creating Makefile
>>  config.status: creating setup_chroot.sh
>>  config.status: creating config.h
>>  config.status: config.h is unchanged
>>
>>  When I ran make install, I got the following output:
>>
>>  /usr/bin/install -c -d /usr/local/bin
>>  /usr/bin/install -c -d /usr/local/man/man8
>>  /usr/bin/install -c -d /usr/local/etc/scponly
>>  /usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
>>  /usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
>>  /usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
>>  if test "xscponlyc" != "x"; then                        \
>>          /usr/bin/install -c -d /usr/local/sbin;                         \
>>          rm -f /usr/local/sbin/scponlyc;                 \
>>          cp scponly scponlyc;                            \
>>          /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc;        \
>>  fi
>>
>>
>>  I verified that scponlyc is installed in the /usr/local/bin directory.
>>
>>  I used setup_chroot.sh to create users and everything ran okay.
>>  But each time I try to use pscp to upload a small text file, I get the
>>  following error.
>>
>>  Fatal: Connection Lost
>>
>>  I tried to use setup_chroot.sh.rh9 in the build_extras directory but I get
>>  the following error:
>>
>>  your scponly build is not configured for chrooted operation.
>>  please reconfigure as follows, then rebuild and reinstall:
>>
>>  ./configure --enable-chrooted-binary (... other options)
>>
>>  Has anyone else encountered this problem and been able to resolve it?
>>  I'm not sure whether the problem is with the build or setup_chroot.sh.
>>
>>  Thank you in advance for any help.
>>  Kyong
>>
>>
>>
>>
>>  _______________________________________________
>>  scponly mailing list
>>  scponly at lists.ccs.neu.edu
>>  https://lists.ccs.neu.edu/bin/listinfo/scponly
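
Added example (not part of the original thread, and not scponly's own code): a parser for a debuglevel 1 trace like the one posted above. It rejoins mail-wrapped syslog lines, then reports for each scponly PID the chroot directory, uid, denied request and any hour-scale timestamp step such as the 13:30 to 21:30 one in the trace. The function names are hypothetical, and reading that step as a timezone change after chroot() is an assumption.

```python
import re
from datetime import datetime

# Trace lines from the post above (two left mail-wrapped on purpose).
SAMPLE = """\
Mar  7 13:30:00 localhost sshd[19685]: Accepted password for user
from ::ffff:xxx.xxx.xxx.xxx port 1993
Mar  7 13:30:00 localhost scponly[19688]: chrooting to dir: "/home/user"
Mar  7 13:30:00 localhost scponly[19688]: chdiring to dir: "/"
Mar  7 21:30:00 localhost scponly[19688]: setting uid to 511
Mar  7 21:30:00 localhost scponly[19688]: denied request: scp -t
/home/user/incoming [username: user(511), IP/port:
::ffff:xxx.xxx.xxx.xxx 1993 22]
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ (\w+)\[(\d+)\]: (.*)$")

def unwrap(text):
    """Rejoin continuation lines: anything not starting with a syslog stamp."""
    out = []
    for raw in text.splitlines():
        if STAMP.match(raw) or not out:
            out.append(raw.rstrip())
        elif raw.strip():
            out[-1] += " " + raw.strip()
    return out

def sessions(text):
    """Summarise each scponly PID seen in the trace."""
    found = {}
    for line in unwrap(text):
        m = LINE.match(line)
        if not m or m.group(2) != "scponly":
            continue
        stamp, _, pid, msg = m.groups()
        # syslog stamps carry no year; 2006 is taken from the mail's date.
        when = datetime.strptime("2006 " + stamp, "%Y %b %d %H:%M:%S")
        s = found.setdefault(pid, {"chroot": None, "uid": None,
                                   "denied": None, "jump_hours": 0.0, "last": when})
        delta = (when - s["last"]).total_seconds() / 3600
        if abs(delta) >= 1:  # hour-scale step inside one PID skews timelines
            s["jump_hours"] = delta
        s["last"] = when
        if msg.startswith("chrooting to dir:"):
            s["chroot"] = msg.split('"')[1]
        elif msg.startswith("setting uid to"):
            s["uid"] = int(msg.rsplit(" ", 1)[1])
        elif msg.startswith("denied request:"):
            s["denied"] = msg[15:].split(" [username:")[0].strip()
    return found
```

When correlating sshd and scponly entries for one login, normalise by the reported step before ordering events, since the two processes may be stamping in different zones.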



