[scponly] Need help with chrooted scponly 4.6 on centos 5
Security Team
security at peakpeak.com
Thu Sep 13 18:38:04 EDT 2007
On 9/12/07 9:11 PM, "Kaleb Pederson" <kibab at icehouse.net> wrote:
> On Wednesday 12 September 2007, Security Team wrote:
>> In /etc/ssh/sshd_config I have:
>>
>> Subsystem sftp /usr/local/sbin/scponlyc
>
> You don't want this, this should be left at the default for your distro,
> whatever that was.
>
> This is a different way of having the ssh server invoke a specific command,
> instead of the sftp-server.
>
>> And finally, I built scponly with these options (here is my build script):
>> --------
>> tar xvfz scponly-4.6.tgz
>> cd scponly-4.6
>>
>> ./configure --enable-chrooted-binary --enable-sftp-logging-compat \
>> --enable-rsync-compat \
>> --enable-scp-compat --enable-quota-compat --disable-chroot-checkdir
>
> Unless you have the sftp-logging patch... you don't want this. You still get
> logging, but not of the sftp-logging patch type.
>
>> Sep 12 08:32:57 teton1 scponly[18677]: 3 arguments in total.
>> Sep 12 08:32:57 teton1 scponly[18677]: arg 0 is scponlyc
>> Sep 12 08:32:57 teton1 scponly[18677]: arg 1 is -c
>> Sep 12 08:32:57 teton1 scponly[18677]: arg 2 is /usr/local/sbin/scponlyc
>
> arg 2 comes from the subsystem command that you specified... which is why
> scponly is rejecting it.
>
> If everything else in the chroot is ok, then it should work after you make
> those changes.
>
> --Kaleb
Hello Kaleb:
After taking that Subsystem line out, I get this when an SFTP client tries
to connect:
Sep 13 16:34:42 teton1 scponly[28554]: chrooting to dir: "/home/userguy"
Sep 13 16:34:42 teton1 scponly[28554]: chdiring to dir: "/"
Sep 13 22:34:42 teton1 scponly[28554]: setting uid to 816
Sep 13 22:34:42 teton1 scponly[28554]: processing request: "/usr/libexec/openssh/sftp-server"
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "LOG_SFTP" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Found "USER" and setting it to " userguy"
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_UMASK" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_PERMIT_CHMOD" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_PERMIT_CHOWN" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_LOG_LEVEL" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Unable to find "SFTP_LOG_FACILITY" in the environment
Sep 13 22:34:42 teton1 scponly[28554]: Environment contains "USER= userguy"
Sep 13 22:34:42 teton1 scponly[28554]: running: /usr/libexec/openssh/sftp-server (username: userguy(816), IP/port: 192.168.0.3 49268 22)
Sep 13 16:34:45 teton1 sshd[28551]: pam_unix(sshd:session): session closed for user userguy
In that 4th line above, it sure seems like it wants to talk to something in
scponly because it is called sftp-server now, and it is getting lots of "unable to
find" messages.
Did I misunderstand your instructions? I just changed the sshd_config file
to be:
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
#Subsystem sftp /usr/local/sbin/scponlyc
and restarted sshd.
Regards,
Chris
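As an added diagnostic script (it is not part of this thread or of the scponly project) for the two points discussed above: the active "Subsystem sftp" line in sshd_config must not invoke scponlyc, and the sftp-server binary that scponly execs after "chrooting to dir" must exist inside that chroot, since the log stops right after "processing request" and "running:" if it does not. The paths are the ones from the thread (/etc/ssh/sshd_config, /usr/libexec/openssh/sftp-server, a chroot under /home/userguy); the function names are my own.

```shell
#!/bin/sh
# Added diagnostic for a chrooted scponly setup; not from the thread or the project.
# Assumes the paths used in the thread; function names are hypothetical.

# Print the first active (uncommented) "Subsystem sftp" line of an sshd_config
# and fail if it points at scponlyc instead of the stock sftp-server.
check_subsystem_line() {
    conf="$1"
    line=$(grep -Ei '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$conf" | head -n 1)
    if [ -z "$line" ]; then
        echo "no active 'Subsystem sftp' line in $conf"
        return 1
    fi
    echo "active: $line"
    case "$line" in
        *scponlyc*)
            echo "Subsystem points at scponlyc; it should be the distro sftp-server"
            return 1 ;;
    esac
    return 0
}

# scponly chroots to the user's directory and then execs the request path,
# so that path has to exist (and be executable) underneath the chroot.
check_chroot_binary() {
    chroot_dir="$1"
    bin="$2"
    if [ ! -x "$chroot_dir$bin" ]; then
        echo "missing: $chroot_dir$bin (scponly will die right after 'processing request')"
        return 1
    fi
    echo "ok: $chroot_dir$bin"
    return 0
}

# The copy inside the chroot also needs its shared libraries; compare the
# host binary's ldd output against the chroot tree (skipped when ldd is absent).
check_chroot_libs() {
    chroot_dir="$1"
    bin="$2"
    missing=0
    command -v ldd >/dev/null 2>&1 || { echo "ldd not available, skipping lib check"; return 0; }
    [ -x "$bin" ] || { echo "host copy $bin not found, skipping lib check"; return 0; }
    for lib in $(ldd "$bin" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// {print $3} $1 ~ /^\// {print $1}'); do
        if [ ! -e "$chroot_dir$lib" ]; then
            echo "missing lib: $chroot_dir$lib"
            missing=1
        fi
    done
    return $missing
}

# Usage: sh check_scponly_chroot.sh /home/userguy
if [ -n "$1" ]; then
    check_subsystem_line /etc/ssh/sshd_config
    check_chroot_binary "$1" /usr/libexec/openssh/sftp-server
    check_chroot_libs "$1" /usr/libexec/openssh/sftp-server
fi
```

Run it as root with the user's chroot directory as the only argument; a non-zero exit from any of the three checks points at the piece of the setup that the log above cannot show directly.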