[scponly] sftp not working, but scp does
Brian Davis
bridavis at comcast.net
Tue Nov 28 23:21:22 EST 2006
Hi Paul & list,
Permissions look OK to me:
-rwxr-xr-x 1 root root 54824 Nov 28 20:09 sftp-server
All the needed libs are in the chroot:
flagg ~ # ldd /raid/chroot/www/test/usr/lib/misc/sftp-server
libresolv.so.2 => /lib/libresolv.so.2 (0x54460000)
libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x54416000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x5428e000)
libdl.so.2 => /lib/libdl.so.2 (0x5428a000)
libutil.so.1 => /lib/libutil.so.1 (0x54286000)
libz.so.1 => /lib/libz.so.1 (0x5426f000)
libnsl.so.1 => /lib/libnsl.so.1 (0x54259000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x5422b000)
libc.so.6 => /lib/libc.so.6 (0x5410b000)
/lib/ld-linux.so.2 (0x54476000)
/raid/chroot/www/test/lib:
total 1668
-rwxr-xr-x 1 root root 92164 Nov 28 20:09 ld-linux.so.2
-rwxr-xr-x 1 root root 1164276 Nov 28 20:09 libc.so.6
-rwxr-xr-x 1 root root 21876 Nov 28 20:09 libcrypt.so.1
-rwxr-xr-x 1 root root 9588 Nov 28 20:09 libdl.so.2
-rwxr-xr-x 1 root root 76444 Nov 28 20:09 libnsl.so.1
-rwxr-xr-x 1 root root 30328 Nov 28 20:09 libnss_compat-2.3.6.so
-rwxr-xr-x 1 root root 30328 Nov 28 20:09 libnss_compat.so.2
-rwxr-xr-x 1 root root 63644 Nov 28 20:09 libpthread.so.0
-rwxr-xr-x 1 root root 63104 Nov 28 20:09 libresolv.so.2
-rwxr-xr-x 1 root root 30536 Nov 28 20:09 librt.so.1
-rwxr-xr-x 1 root root 9588 Nov 28 20:09 libutil.so.1
-rwxr-xr-x 1 root root 87368 Nov 28 20:09 libz.so.1
/raid/chroot/www/test/usr/lib:
total 1880
drwxr-xr-x 3 root root 30 Nov 28 20:08 binutils
-rwxr-xr-x 1 root root 1587288 Nov 28 20:09 libcrypto.so.0.9.8
-rwxr-xr-x 1 root root 34144 Nov 28 20:09 libpopt.so.0
-rwxr-xr-x 1 root root 297420 Nov 28 20:09 libssl.so.0.9.8
drwxr-xr-x 2 root root 24 Nov 28 20:09 misc
OS is up-to-date Gentoo hardened stable:
flagg scponly # uname -a
Linux flagg 2.6.16-hardened-r11 #3 SMP Tue Nov 28 14:00:57 EST 2006 i686
Celeron (Mendocino) GenuineIntel GNU/Linux
configure options were:
--enable-scp-compat \
--enable-winscp-compat \
--enable-rsync-compat \
--enable-chrooted-binary \
At this point, I'm not sure which step to take next. Any (more) ideas would
be appreciated.
Thanks,
Brian
Paul Hyder wrote:
> This appears to be an incomplete jail configuration. Generally means there
> is a library that needs to be added for the sftp-server.
>
> 1. Verify the sftp-server permissions (/raid/chroot/www/test/usr/lib/misc/sftp-server)
>
> 2. Run ldd on the sftp-server binary and make sure all of the listed libraries
> are installed in the correct location for the jail. If they are all present
> run ldd on the libraries and make sure they don't need a missing library.
>
> Server OS and configure options?
> Paul Hyder
>
> Brian Davis wrote:
>
>> Here is the detailed debug, for scponly and sshd. Looks like I still
>> need to turn on more debugging somewhere. As a point of reference, SFTP
>> does work for non scponly users.
>>
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: subsystem: exec()
>> /usr/lib/misc/sftp-server
>> Nov 28 14:30:29 flagg scponly[3511]: chrooted binary in place, will chroot()
>> Nov 28 14:30:29 flagg scponly[3511]: 3 arguments in total.
>> Nov 28 14:30:29 flagg scponly[3511]: arg 0 is scponlyc
>> Nov 28 14:30:29 flagg scponly[3511]: arg 1 is -c
>> Nov 28 14:30:29 flagg scponly[3511]: arg 2 is /usr/lib/misc/sftp-server
>> Nov 28 14:30:29 flagg scponly[3511]: opened log at LOG_AUTHPRIV, opts
>> 0x00000009
>> Nov 28 14:30:29 flagg scponly[3511]: retrieved home directory of
>> "/raid/chroot/www/test//incoming" for user "test"
>> Nov 28 14:30:29 flagg scponly[3511]: chrooting to dir:
>> "/raid/chroot/www/test"
>> Nov 28 14:30:29 flagg scponly[3511]: chdiring to dir: "/incoming"
>> Nov 28 19:30:29 flagg scponly[3511]: setting uid to 1003
>> Nov 28 19:30:29 flagg scponly[3511]: processing request:
>> "/usr/lib/misc/sftp-server"
>> Nov 28 19:30:29 flagg scponly[3511]: running: /usr/lib/misc/sftp-server
>> (username: test(1003), IP/port: 16.4.18.22 3059 8364)
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: Received SIGCHLD.
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_by_pid: pid 3511
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_exit_message: session
>> 0 channel 0 pid 3511
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_exit_message: release
>> channel 0
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_by_channel: session 0
>> channel 0
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_close_by_channel:
>> channel 0 child 0
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: session_close: session 0 pid 0
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: channel 0: free:
>> server-session, nchannels 1
>> Nov 28 14:30:29 flagg sshd[3510]: Connection closed by 16.4.18.22
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: do_cleanup
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: PAM: cleanup
>> Nov 28 14:30:29 flagg sshd(pam_unix)[3510]: session closed for user test
>> Nov 28 14:30:29 flagg sshd[3510]: Closing connection to 16.4.18.22
>> Nov 28 14:30:29 flagg sshd[3510]: debug1: PAM: cleanup
>>
>> Thanks,
>> Brian
>>
>>
>> Paul Hyder wrote:
>>
>>> Sounds like the selected sftp server exits.
>>>
>>> Have you tried setting the debuglevel to 1? (default install puts this
>>> file in /usr/local/etc/scponly, change it from 0 to 1) The extended
>>> diagnostics should be useful.
>>>
>>> Would also help to know what options you used with configure and the
>>> server's operating system.
>>> Paul Hyder
>>> NOAA Earth System Research Laboratory, Global Systems Division
>>> Boulder, CO
>>>
>>>
>>> Brian Davis wrote:
>>>
>>>
>>>> Hi,
>>>>
>>>> I'm using WinSCP 3.8.2. The session default of "SFTP (allow SCP
>>>> fallback)" is checked. When WinSCP tries to connect, it gives the
>>>> following error and immediately disconnects:
>>>>
>>>> "Cannot initalize SFTP protocol. Is the host running a SFTP server?
>>>> Connection has been unexpectedly closed. Server sent command exit status
>>>> 255."
>>>>
>>>> However, selecting SCP for the session seems to work fine. Here is my
>>>> auth.log when trying sftp:
>>>>
>>>> Nov 26 22:14:41 flagg sshd[20279]: Accepted keyboard-interactive/pam for
>>>> test from 192.168.1.103 port 3530 ssh2
>>>> Nov 26 22:14:41 flagg sshd(pam_unix)[13368]: session opened for user
>>>> test by (uid=0)
>>>> Nov 26 22:14:41 flagg sshd[13368]: subsystem request for sftp
>>>> Nov 27 03:14:41 flagg scponly[12982]: running: /usr/lib/misc/sftp-server
>>>> (username: test(1003), IP/port: 192.168.1.103 3530 7777)
>>>> Nov 26 22:14:41 flagg sshd(pam_unix)[13368]: session closed for user test
>>>>
>>>> Any ideas?
>>>>
>>>> Also, can the logging for scponly be configured to use local time rather
>>>> than GMT?
>>>>
>>>> Thanks!
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> scponly mailing list
>>>> scponly at lists.ccs.neu.edu
>>>> https://lists.ccs.neu.edu/bin/listinfo/scponly
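The jail-completeness check Paul describes in steps 1 and 2, written out as an added example that is not code from this thread or from the scponly project. It assumes ldd(1) and awk(1) on the host and library paths without spaces; the chroot and binary paths in the usage line are the ones from this thread. The point it makes explicit is that ldd on the in-jail copy resolves names against the host, so every path it prints must be re-checked under the chroot.

```shell
#!/bin/sh
# Added example, not code from the thread or the scponly project: verify that
# every shared object a jailed binary needs is present under the chroot.
# Assumes ldd(1) and awk(1) on the host, and library paths without spaces.

# parse_ldd_paths: read ldd output on stdin and print one entry per line:
# the absolute path in the "=> /path" column, the bare loader line
# (e.g. /lib/ld-linux.so.2), or "?name" when ldd itself printed "not found".
parse_ldd_paths() {
    awk '
        $2 == "=>" { if ($3 ~ /^\//) print $3; else print "?" $1; next }
        $1 ~ /^\//  { print $1 }
    '
}

# jail_missing_libs CHROOT  (ldd output on stdin)
# Prints every library that is not a readable file at the same path inside
# CHROOT. Exit status 0 when the jail is complete, 1 otherwise.
jail_missing_libs() {
    chroot_dir=$1
    missing=0
    for lib in $(parse_ldd_paths); do
        case $lib in
            \?*) echo "UNRESOLVED ON HOST: ${lib#?}"; missing=1 ;;
            *)   [ -r "$chroot_dir$lib" ] || { echo "MISSING: $chroot_dir$lib"; missing=1; } ;;
        esac
    done
    return $missing
}

# check_jail_binary CHROOT BIN: BIN is the path relative to the jail root,
# e.g. /usr/lib/misc/sftp-server. Checks the execute bit, then runs ldd on
# the in-jail copy. ldd resolves names against the HOST loader paths, so a
# clean ldd listing only says which paths must exist; each one is then
# re-checked under CHROOT. ldd already lists indirect dependencies, so the
# libraries' own needs are covered by the same listing.
check_jail_binary() {
    chroot_dir=$1
    full="$chroot_dir$2"
    if [ ! -x "$full" ]; then
        echo "NOT EXECUTABLE: $full"
        return 1
    fi
    ldd "$full" | jail_missing_libs "$chroot_dir"
}

# Usage with the paths from the thread:
#   check_jail_binary /raid/chroot/www/test /usr/lib/misc/sftp-server
if [ "$#" -ge 2 ]; then
    check_jail_binary "$1" "$2"
fi
```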