[scponly] Really struggling with Fedora Core 6

Andy Woolley andy at milonic.com
Mon Nov 26 07:56:34 EST 2007


Hi Kaleb,

I finally figured this out, seems there was a problem with the user account.

Once I deleted and then re-created the user everything started to work.

Thanks for all your help with this.

Cheers,
Andy

----- Original Message ----- 
From: "Kaleb Pederson" <kaleb.pederson at gmail.com>
To: "Andy Woolley" <andy at milonic.com>
Cc: <scponly at lists.ccs.neu.edu>
Sent: Thursday, November 15, 2007 5:38 AM
Subject: Re: [scponly] Really struggling with Fedora Core 6


> On Wednesday 14 November 2007, Andy Woolley wrote:
>> Hi Kaleb,
>>
>> Thanks for helping me with this.
>>
>> Right, here's the situation: I used to use scponly version 4.0 and this
>> allowed me to create a jail where users could connect and navigate to via a
>> shell and SFTP and this was very easy to set up - but something has changed
>> in the latest version.
>
> There are quite a few changes, but none of the other versions should ever
> have let anybody use ssh directly.  Can you provide more details?  What could
> somebody do before?  What would they see when they logged in?  What did the
> debug logs look like for scponly-4.0?
>
> Perhaps the main difference is that 4.0 enabled scp access by default,
> whereas in the newest versions it's disabled by default.  That's probably one
> of the first things that I would try.
>
> I would try something like the following:
>
> ./configure --enable-chrooted-binary --with-sftp-server=/path/to/chroot --enable-scp-compat --enable-winscp-compat
>
>> No biggie though as the main facility we require is for users to login to
>> their own jail and upload/download files via SFTP using a client such as
>> WS_FTP Pro etc.
>
> Right now, scponly is running the sftp-server on your system, so the problem
> is in the way that sftp is configured within the chroot, not with scponly.
>
> In your first e-mail, you posted the following:
>
>> [root@baba scponly-4.6]# grep "^exec" sftp.log*
>> sftp.log.8574:execve("/usr/local/sbin/scponlyc", ["scponlyc"..., "-c"...,
>> "/usr/libexec/openssh/sftp-server"], [/* 9 vars */]) = 0
>> sftp.log.8574:execve("/usr/libexec/openssh/sftp-server",
>> ["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = 0
>
> But, in the set you provided, the sftp-server portion of the log is missing:
>
> $ grep execv sftp.log.*
> sftp.log.12685:execve("/usr/local/sbin/scponlyc", ["-scponlyc"...], [/* 11
> vars */]) = 0
>
> It's the piece that contains the execve for sftp-server that we need to look
> at.
>
>> Please see attached error log showing good authentication but dropping the
>> connection. This can be seen on lines 16 and 17 of the attached file.
>
> It basically says the same thing as the other logs, the sftp server is being
> executed but not working correctly.
>
>> So, in summary, if I can just get scponly to allow SFTP connections this
>> would be great. It would be nice to have shell access, but I will understand
>> if this is not going to be possible like it was before.
>
> I think the shell access you're thinking about is the scp compatibility
> that's currently disabled by default.
>
> --Kaleb 
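
The check described in the quoted message (looking for the sftp-server execve after the scponlyc one in the strace logs), as an added example that is not part of the original thread. GOOD and MISSING are the log lines quoted above; FAILED is a constructed sample, and the function names are hypothetical.

```python
import re

EXECVE_RE = re.compile(r'execve\("([^"]+)"')
RESULT_RE = re.compile(r'\)\s*=\s*(-?\d+)(?:\s+([A-Z]+))?')

def parse_execves(text):
    """Return (path, retval, errno) per execve record; rejoins wrapped lines."""
    records, current = [], None
    for line in text.splitlines():
        if current is None:
            if not EXECVE_RE.search(line):
                continue                      # not the start of an execve record
            current = line
        else:
            current += " " + line.strip()     # continuation of a wrapped record
        result = RESULT_RE.search(current)
        if result:                            # record is complete once ") = N" appears
            path = EXECVE_RE.search(current).group(1)
            records.append((path, int(result.group(1)), result.group(2)))
            current = None
    return records

def diagnose(text):
    """Classify a session by whether scponlyc handed off to sftp-server."""
    execs = parse_execves(text)
    sftp = [e for e in execs if e[0].endswith("/sftp-server")]
    if any(ret == 0 for _, ret, _ in sftp):
        return "sftp-server started"
    if sftp:
        return "sftp-server exec failed: " + (sftp[-1][2] or "unknown")
    if any(path.endswith("/scponlyc") for path, _, _ in execs):
        return "scponlyc ran but sftp-server was never executed"
    return "no scponlyc execve found"

# Log lines as quoted in the thread (wrapped by the mail client).
GOOD = '''sftp.log.8574:execve("/usr/local/sbin/scponlyc", ["scponlyc"..., "-c"...,
"/usr/libexec/openssh/sftp-server"], [/* 9 vars */]) = 0
sftp.log.8574:execve("/usr/libexec/openssh/sftp-server",
["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = 0'''
MISSING = '''sftp.log.12685:execve("/usr/local/sbin/scponlyc", ["-scponlyc"...], [/* 11
vars */]) = 0'''
# Constructed sample: the binary is absent at that path inside the chroot.
FAILED = '''sftp.log.1:execve("/usr/local/sbin/scponlyc", ["scponlyc"...], [/* 9 vars */]) = 0
sftp.log.1:execve("/usr/libexec/openssh/sftp-server", ["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)'''

if __name__ == "__main__":
    for name, log in (("GOOD", GOOD), ("MISSING", MISSING), ("FAILED", FAILED)):
        print(name, "->", diagnose(log))
```

A result of "sftp-server started" followed by a dropped connection, as in this thread, means the cause lies after the handoff and the trace past that execve is the part to read.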
