[scponly] trouble logging in to scponly v.4.8 user using sftp

Formal Disorder glm at cyborgspiders.com
Thu Apr 10 20:02:58 EDT 2008


Hello all,

I am wondering where I went wrong. I have created an scponly user with
the following procedure. However, I am unable to log in over sftp as the
newly created 'make jail' user. I am using OpenBSD 4.2 with Apache 1.3.9
in a chroot of /var/www.

The following is an outline of my installation procedure.


 decompress scponly-4.8.tgz
 $ tar xzpvf scponly-4.8.tgz
 $ cd scponly-4.8
 3) I want the chroot version (user control) and I want verbose logging
(user monitoring) of each user's actions.
 $ ./configure --enable-chrooted-binary --enable-sftp-logging-compat
 $ make
 $ sudo make install

 4) Edit /etc/shells adding the full chroot pathname to scponlyc
 full chroot pathname = /usr/local/sbin/scponlyc

 5) Add a user that is restricted to the scponlyc shell.
 # adduser
 Enter username []: scponlychroot
 Enter full name []: Scopi Onli
 Enter shell csh ksh nologin scponlyc sh [ksh]: scponlyc
 Uid [1001]:
 Login group scponlychroot [scponlychroot]:
 Login group is ``scponlychroot''. Invite scponlychroot into other
groups: guest no [no]:
 Login class authpf daemon default staff [default]:
 enter password: hardtoguess

 output =

 Name:        scponlychroot
 Password:    ****
 Fullname:    Scopi Onli
 Uid:         1001
 Gid:         1001 (scponlychroot)
 Groups:      scponlychroot
 Login Class: default
 HOME:        /home/scponlychroot
 Shell:       /usr/local/sbin/scponlyc
 OK? (y/n) [y]:

 6) Make the /home/scponlychroot folder read only
 # chmod 444 /home/scponlychroot

Then I edited /var/www/conf/httpd.conf to include:

UserDir /var/www/users
<Directory /users/*>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>


$ cd scponly-4.8
$ sudo make jail

username: rebels
home directory you wish to set for this user [/home/rebels]
/var/www/users/rebels
name of the writeable subdirectory [incoming]


And then for good measure added the new user to the sftp Subsystem in
/etc/ssh/sshd_config

$ sudo vi /etc/ssh/sshd_config
# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server
AllowUsers rebels


The problem:

When I attempt to sftp rebels at ipaddress I get a prompt, enter the
passphrase and am immediately booted out. Message = connection closed.

Where did I go wrong? Please advise.
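
The following is an added example, not part of the original post and not scponly's own code. It audits the three account prerequisites that steps 4 to 6 above configure: the shell being listed in the shells file, the shell and home fields of the passwd entry, and the owner search (x) bit on the home directory, which mode 444 does not include. The function names and the sample account are assumptions made for illustration, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit the account prerequisites from steps 4-6 above.
# File paths are parameters so the checks can run against copies.

# Step 4: the shell must appear as an exact line in the shells file.
shell_registered() {  # usage: shell_registered SHELLS_FILE SHELL_PATH
    grep -Fxq -- "$2" "$1"
}

# Step 5: fields 6 and 7 of a passwd(5) line are home directory and shell.
passwd_field() {  # usage: passwd_field PASSWD_FILE USER FIELD_NUMBER
    awk -F: -v u="$2" -v n="$3" '$1 == u { print $n; exit }' "$1"
}

# Step 6: a directory needs the search (x) bit to be entered; mode 444 lacks it.
dir_searchable() {  # usage: dir_searchable DIR
    case "$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)" in
        d??[xs]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per finding; return 0 only when every check passes.
audit_account() {  # usage: audit_account PASSWD_FILE SHELLS_FILE USER
    rc=0
    shell=$(passwd_field "$1" "$3" 7)
    home=$(passwd_field "$1" "$3" 6)
    [ -n "$shell" ] || { echo "FAIL: no passwd entry for $3"; return 1; }
    if shell_registered "$2" "$shell"; then echo "ok: $shell is in $2"
    else echo "FAIL: $shell is not listed in $2"; rc=1; fi
    if dir_searchable "$home"; then echo "ok: $home is searchable by its owner"
    else echo "FAIL: $home is missing or lacks the owner search bit"; rc=1; fi
    return $rc
}

# Constructed sample data (not from the post's system).
demo=$(mktemp -d)
mkdir "$demo/home" && chmod 444 "$demo/home"
printf '%s\n' /bin/sh /bin/ksh > "$demo/shells"
printf 'demo:*:1001:1001:Demo:%s:/usr/local/sbin/scponlyc\n' "$demo/home" > "$demo/passwd"
audit_account "$demo/passwd" "$demo/shells" demo || echo "account needs attention"
chmod 755 "$demo/home"; rm -rf "$demo"
```

On a live system the call would be audit_account /etc/passwd /etc/shells followed by the user name.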



