[scponly] scponly okay,
scponlyc doesn't work and it gives no information
Andrew Robinson
andrew.rw.robinson at gmail.com
Fri Mar 24 01:48:23 EST 2006
Environment:
Slackware 10.1
scponly 4.6
SSH with public/private key authentication only
Steps:
extracted scponly
ran with:
--enable-scp-compat
--enable-rsync-compat
--enable-chrooted-binary
--enable-svn-compat
--enable-passwd-compat
--enable-quota-compat
--enable-sftp-logging-compat
--enable-winscp-compat
--with-sftp-server
ran make & make install
Ran setup jail
user: testuser
home: /home/testuser
...
created "web" directory in testuser an owned by him
validated all ldd (everything fine, the only wierd one is the normal
linux "linux-gate.so.1 => (0xffffe000)" entry).
copied my .ssh directory to the test user's for testing
made testuser a member of my ssh group (have that locked down)
set debug level to 1 instead of 0
use case:
testuser:x:1013:100::/home/testuser:/usr/local/bin/scponly
sftp with this works, but it is pretty useless for what I wanted. May
as well use bash
testuser:x:1013:100::/home/testuser:/usr/local/sbin/scponlyc
sftp fails:
C:\PuTTY>psftp testuser at ssh.bethanyefree.org
Using username "testuser".
Fatal: unable to initialise SFTP: could not connect
On the server my /var/log/secure shows:
Mar 23 23:25:34 bserver scponly[29713]: chrooted binary in place, will chroot()
Mar 23 23:25:34 bserver scponly[29713]: 3 arguments in total.
Mar 23 23:25:34 bserver scponly[29713]: ^Iarg 0 is scponlyc
Mar 23 23:25:34 bserver scponly[29713]: ^Iarg 1 is -c
Mar 23 23:25:34 bserver scponly[29713]: ^Iarg 2 is /usr/libexec/sftp-server
Mar 23 23:25:34 bserver scponly[29713]: opened log at LOG_AUTHPRIV,
opts 0x00000009
Mar 23 23:25:34 bserver scponly[29713]: retrieved home directory of
"/home/testuser" for user "testuser"
Mar 23 23:25:34 bserver scponly[29713]: chrooting to dir: "/home/testuser"
Mar 23 23:25:34 bserver scponly[29713]: chdiring to dir: "/"
Mar 24 06:25:34 bserver scponly[29713]: setting uid to 1013
Mar 24 06:25:34 bserver scponly[29713]: processing request:
"/usr/libexec/sftp-server"
Mar 24 06:25:34 bserver scponly[29713]: Unable to find "LOG_SFTP" in
the environment
Mar 24 06:25:34 bserver scponly[29713]: Found "USER" and setting it to
"testuser"
Mar 24 06:25:34 bserver scponly[29713]: Unable to find "SFTP_UMASK" in
the environment
Mar 24 06:25:34 bserver scponly[29713]: Unable to find
"SFTP_PERMIT_CHMOD" in the environment
Mar 24 06:25:34 bserver scponly[29713]: Unable to find
"SFTP_PERMIT_CHOWN" in the environment
Mar 24 06:25:34 bserver scponly[29713]: Unable to find
"SFTP_LOG_LEVEL" in the environment
Mar 24 06:25:34 bserver scponly[29713]: Unable to find
"SFTP_LOG_FACILITY" in the environment
Mar 24 06:25:34 bserver scponly[29713]: Environment contains "USER=testuser"
Mar 24 06:25:34 bserver scponly[29713]: running:
/usr/libexec/sftp-server (username: testuser(1013), IP/port: xxxxxxxxx
4161 22)
Changed passwd to:
testuser:x:1013:100::/home/testuser//web:/usr/local/sbin/scponlyc
C:\PuTTY>psftp testuser at ssh.bethanyefree.org
Using username "testuser".
Fatal: Server sent disconnect message
type 2 (SSH_DISCONNECT_PROTOCOL_ERROR):
"Too many authentication failures for testuser"
Nothing in /var/log/secure
I went through all the subjects in the archive and couldn't find anything.
Not sure where to go now.
My goal:
sftp access only outside the network
network neighborhood access inside the network using samba
users are limited to an apache directory that contains the "prod" and
"dev" folders for both our production and development virtual sites.
Not sure where to go from here as the log has no errors at all.
Thanks,
Andrew
More information about the scponly
mailing list