[scponly] Suggested changes to documentation

Steve Brown sbrown25 at gmail.com
Wed Sep 26 08:13:17 EDT 2007


Hi-
I use scponly on many servers and I am very appreciative of the tool.
Thanks for your work!

I use scponly for chrooting SFTP users into specific environments.
Unfortunately, I don't create new jails very often, so I find myself
struggling with problems every time I create a new jail simply because
I don't do it very often.  I'm running Linux and there is no
post-install script for my platform, so this could be where my
problems lie, but after creating my most recent jail, I'd like to
suggest the following FAQs be added to the documentation for scponly.

If problems are encountered setting up a jail, I would first suggest
attempting to copy a file using scp.  IMHO, scp tends to be a bit more
verbose with error messages and provides more useful error messages
than sftp or ssh.

Next, admins need to make sure that all files needed by a binary exist
in the chroot environment.  This can be accomplished with the
following:

$ cd /path/to/jail
$ ldd path/to/binary [e.g. ldd usr/libexec/sftp-server]
        libcrypto.so.0.9.8 => /usr/local/lib/libcrypto.so.0.9.8 (0x00002b980ebda000)
        libutil.so.1 => /lib/libutil.so.1 (0x00002b980ef58000)
        libz.so.1 => /usr/local/lib/libz.so.1 (0x00002b980f15b000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00002b980f371000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00002b980f58a000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00002b980f7be000)
        libc.so.6 => /lib/libc.so.6 (0x00002b980f9d3000)
        libdl.so.2 => /lib/libdl.so.2 (0x00002b980fd25000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b980e9bd000)

Admins need to make sure that all the libraries listed above exist in
the jailed environment in the exact location listed above.  For
example, libcrypto.so.0.9.8 needs to be in
/path/to/jail/usr/local/lib/libcrypto.so.0.9.8, not in /usr/local/lib
or /path/to/jail/usr/lib.

Next, admins need to be sure /path/to/jail/dev/null exists.  If it
doesn't, it can be created:

# mkdir -p /path/to/jail/dev
# mknod -m 666 /path/to/jail/dev/null c 1 3

Finally, user accounts need to be listed in /path/to/jail/etc/passwd.
Running "make jail" will only give the user created access to the
jail.  I frequently make this mistake when giving a new user access to
the same jail.  To create a new user with access to the same jail,
admins should first create the account correctly:

# useradd --shell /path/to/scponlyc --home /path/to/jail new_user

This will create the user on the system and add details to
/etc/passwd.  In order for the user to login to the jail, these
details also need to be added to /path/to/jail/etc/passwd.  This can
be accomplished with the following command:

# grep '^new_user:' /etc/passwd >> /path/to/jail/etc/passwd
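The checks above (libraries at identical paths inside the jail, a /dev/null device, a mirrored passwd entry) can be scripted so they are not forgotten between jails. The following is an added example, not part of scponly; it assumes the jail root is passed as the first argument and that binaries sit at the same paths inside the jail as on the host.

```shell
#!/bin/sh
# Sanity checks for an scponly chroot jail (added example, not scponly's own code).

# Read ldd output on stdin and print the absolute library paths it references, one per line.
# Keeps "name => /path (0x...)" entries and the bare loader line ("/lib64/ld-linux-x86-64.so.2 (0x...)");
# skips vdso pseudo-entries and "=> not found" lines, which carry no path that could be copied.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $2 != "=>" && $1 ~ /^\// { print $1 }'
}

# Read library paths on stdin and check that each exists at the same path under the jail root $1.
# Prints one "MISSING <jail><path>" line per absent library; exit status 1 if anything is missing.
check_libs() {
    jail=$1
    missing=0
    while read -r lib; do
        if [ ! -e "$jail$lib" ]; then
            echo "MISSING $jail$lib"
            missing=1
        fi
    done
    return $missing
}

# Run ldd on a binary inside the jail ($2 is jail-relative, e.g. usr/libexec/sftp-server)
# and verify its libraries are present. ldd may execute the binary it inspects, so point it
# only at binaries you trust.
check_binary() {
    ldd "$1/$2" | ldd_paths | check_libs "$1"
}

# Copy a host library ($2, absolute path) into the jail ($1) at the identical path.
install_lib() {
    mkdir -p "$1$(dirname "$2")"
    cp -p "$2" "$1$2"
}

# The jail needs a /dev/null character device (created with mknod, major 1 minor 3).
check_devnull() {
    [ -c "$1/dev/null" ]
}

# A user can only log in to the jail if the passwd entry is mirrored in <jail>/etc/passwd.
# Anchoring on "^user:" avoids matching other accounts whose fields merely contain the name.
check_jail_user() {
    grep -q "^$2:" "$1/etc/passwd" 2>/dev/null
}
```

Typical use after copying libraries: `check_binary /path/to/jail usr/libexec/sftp-server && check_devnull /path/to/jail && check_jail_user /path/to/jail new_user`.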

As I said, these are all things I have had to remind myself of in the
last few days.  If they help someone else start using scponly more
easily, that is what I'm after. :-)
