[scponly] scponly chroot OpenSUSE 10.2
Paul Hyder
Paul.Hyder at noaa.gov
Thu Jun 21 12:00:52 EDT 2007
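There is a lot of related information in the mailing list archives. The two most likely problems
are an empty password file in the jail and the need for a /dev/null in the jail
(for some OSes). After the chroot(), sftp-server can only see files inside the jail, so anything
it needs at startup, such as the passwd entry for the user or /dev/null, has to exist there.
For example, see https://lists.ccs.neu.edu/pipermail/scponly/2007-February/001723.html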
Paul Hyder
BTW: The log messages indicate that you also used --enable-sftp-logging-compat. Did you
use both that and --with-sftp-server?
Patrick wrote:
> Hello,
> I would like to use scponly 4.6 to chroot users in their homes on my OpenSUSE 10.2. The users connect with WinSCP.
>
> I got the error "Connection has been unexpectedly closed. Server sent command exit status 1." from WinSCP after giving the password to log in.
>
> With /usr/local/bin/scponly instead of /usr/local/sbin/scponlyc it works fine.
>
> I compiled scponly with the following options
> ./configure --enable-scp-compat --enable-winscp-compat --enable-chrooted-binary --with-sftp-server
> and used "make jail" to create a user (fu2).
>
> All libraries here are in their appropriate directories in /home/fu2
>
> ldconfig -v -r /home/fu2/
> ldconfig: Can't stat /usr/X11R6/lib/Xaw3d: No such file
> ldconfig: Can't stat /usr/X11R6/lib: No such file or di
> ldconfig: Can't stat /usr/lib/Xaw3d: No such file or di
> ldconfig: Can't stat /usr/i386-suse-linux/lib: No such
> ldconfig: Can't stat /usr/local/lib: No such file or di
> ldconfig: Can't stat /opt/kde3/lib: No such file or dir
> ldconfig: Can't stat /opt/gnome/lib: No such file or di
> /lib:
> libutil.so.1 -> libutil.so.1
> libacl.so.1 -> libacl.so.1
> librt.so.1 -> librt.so.1
> libnss_compat.so.2 -> libnss_compat.so.2
> libc.so.6 -> libc.so.6
> ld-linux.so.2 -> ld-linux.so.2
> libresolv.so.2 -> libresolv.so.2
> libpthread.so.0 -> libpthread.so.0
> libdl.so.2 -> libdl.so.2
> libcom_err.so.2 -> libcom_err.so.2
> libz.so.1 -> libz.so.1
> libnsl.so.1 -> libnsl.so.1
> libattr.so.1 -> libattr.so.1
> libcrypt.so.1 -> libcrypt.so.1
> /usr/lib:
> libkrb5support.so.0 -> libkrb5support.so.0
> libopensc.so.2 -> libopensc.so.2
> libssl.so.0.9.8 -> libssl.so.0.9.8
> libscconf.so.2 -> libscconf.so.2
> libltdl.so.3 -> libltdl.so.3
> libopenct.so.1 -> libopenct.so.1
> libgssapi_krb5.so.2 -> libgssapi_krb5.so.2
> libkrb5.so.3 -> libkrb5.so.3
> libcrypto.so.0.9.8 -> libcrypto.so.0.9.8
> libpcsclite.so.1 -> libpcsclite.so.1
> libk5crypto.so.3 -> libk5crypto.so.3
>
>
> Here is some hopefully useful information after a connect from a Linux shell with "sftp fu2 at 192.168.3.129".
>
> /var/log/message
> sshd[14877]: subsystem request for sftp
> scponly[14878]: chrooted binary in place, will chroot()
> scponly[14878]: 3 arguments in total.
> scponly[14878]: arg 0 is scponlyc
> scponly[14878]: arg 1 is -c
> scponly[14878]: arg 2 is /usr/lib/ssh/sftp-server
> scponly[14878]: opened log at LOG_AUTHPRIV, opts 0x00000029
> scponly[14878]: retrieved home directory of "/home/fu2" for user "fu2"
> scponly[14878]: chrooting to dir: "/home/fu2"
> scponly[14878]: chdiring to dir: "/"
> scponly[14878]: setting uid to 1002
> scponly[14878]: processing request: "/usr/lib/ssh/sftp-server"
> scponly[14878]: Unable to find "LOG_SFTP" in the environment
> scponly[14878]: Found "USER" and setting it to "fu2"
> scponly[14878]: Unable to find "SFTP_UMASK" in the environment
> scponly[14878]: Unable to find "SFTP_PERMIT_CHMOD" in the environment
> scponly[14878]: Unable to find "SFTP_PERMIT_CHOWN" in the environment
> scponly[14878]: Unable to find "SFTP_LOG_LEVEL" in the environment
> scponly[14878]: Unable to find "SFTP_LOG_FACILITY" in the environment
> scponly[14878]: Environment contains "USER=fu2"
> scponly[14878]: running: /usr/lib/ssh/sftp-server (username: fu2(1002), IP/port: 192.168.3.129 8951 22)
>
>
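> A strace shows the following.
> [Note: the traced process appears to be sshd, judging by the syslog send() further down, and the short string in the first read(6)/write(4) calls looks like the login response in cleartext; such strings should be redacted before a trace is posted.]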
>
> read(6, "\0\0\0\20", 4) = 4
> read(6, "4\0\0\0\1\0\0\0\7l3tag3m", 16) = 16
> write(4, "\0\0\0\f\6", 5) = 5
> write(4, "\0\0\0\7l3tag3m", 11) = 11
> write(6, "\0\0\0\0055", 5) = 5
> write(6, "\0\0\0\1", 4) = 4
> read(6, "\0\0\0\1", 4) = 4
> read(6, "2", 1) = 1
> read(4, "\0\0\0\27", 4) = 4
> read(4, "\0", 23) = 1
> read(4, "\0\0\0\2OK\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0", 22) = 22
> write(6, "\0\0\0\0213", 5) = 5
> --- SIGCHLD (Child exited) @ 0 (0) ---
> rt_sigaction(SIGCHLD, NULL, {0x800265f0, [], 0}, 8) = 0
> rt_sigaction(SIGCHLD, {SIG_DFL}, NULL, 8) = 0
> waitpid(14855, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG) = 14855
> sigreturn() = ? (mask now [])
> write(6, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
> read(6, "\0\0\0\5", 4) = 4
> read(6, "4\0\0\0\0", 5) = 5
> write(6, "\0\0\0\0055", 5) = 5
> write(6, "\0\0\0\0", 4) = 4
> read(6, "\0\0\0\1", 4) = 4
> read(6, "6", 1) = 1
> rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
> kill(14855, SIGTERM) = -1 ESRCH (No such process)
> close(4) = 0
> close(-1) = -1 EBADF (Bad file descriptor)
> write(6, "\0\0\0\0017", 5) = 5
> read(6, "\0\0\0\1", 4) = 4
> read(6, ".", 1) = 1
> write(6, "\0\0\0\t/", 5) = 5
> write(6, "\0\0\0\1\0\0\0\0", 8) = 8
> --- SIGCHLD (Child exited) @ 0 (0) ---
> rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
> time(NULL) = 1182347722
> open("/etc/localtime", O_RDONLY) = 4
> fstat64(4, {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
> fstat64(4, {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fae000
> read(4, "TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\10"..., 4096) = 837
> close(4) = 0
> munmap(0xb7fae000, 4096) = 0
> stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
> stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
> stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
> socket(PF_FILE, SOCK_DGRAM, 0) = 4
> fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
> connect(4, {sa_family=AF_FILE, path="/dev/log"}, 110) = 0
> send(4, "<38>Jun 20 15:55:22 sshd[14850]:"..., 108, MSG_NOSIGNAL) = 108
> close(4) = 0
> rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
> read(6, "\0\0\4\340", 4) = 4
> read(6, "\30\0\0\0 \245\231\235\rsG\277\220a\313\342\210>\233\24"..., 1248) = 1248
> close(6) = 0
> mmap2(NULL, 1310720, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0) = 0xb776b000
> munmap(0xb7a8d000, 65536) = 0
> waitpid(14854, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 14854
> alarm(0) = 91
> rt_sigaction(SIGALRM, NULL, {0x80007d00, [], SA_INTERRUPT}, 8) = 0
> rt_sigaction(SIGALRM, {SIG_DFL}, NULL, 8) = 0
> close(5) = 0
> socketpair(PF_FILE, SOCK_STREAM, 0, [4, 5]) = 0
> fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
> fcntl64(5, F_SETFD, FD_CLOEXEC) = 0
> clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7adc708) = 14859
> close(4) = 0
> rt_sigaction(SIGHUP, NULL, {SIG_DFL}, 8) = 0
> rt_sigaction(SIGHUP, {0x8001f630, [], 0}, NULL, 8) = 0
> rt_sigaction(SIGTERM, NULL, {SIG_DFL}, 8) = 0
> rt_sigaction(SIGTERM, {0x8001f630, [], 0}, NULL, 8) = 0
> read(5, "\0\0\0\1", 4) = 4
> read(5, ":", 1) = 1
> waitpid(14859, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0) = 14859
> --- SIGCHLD (Child exited) @ 0 (0) ---
> exit_group(0)
>
>
>
> Thanks in advance!
> Patrick
>
>
>
>
>