[scponly] logging control
Christopher Barry
christopher.barry at qlogic.com
Wed Apr 1 18:58:08 EDT 2009
> -----Original Message-----
> From: scponly-bounces at lists.ccs.neu.edu [mailto:scponly-
> bounces at lists.ccs.neu.edu] On Behalf Of Christopher Barry
> Sent: Wednesday, April 01, 2009 6:30 PM
> To: scponly at lists.ccs.neu.edu
> Subject: Re: [scponly] logging control
>
> > -----Original Message-----
> > From: Kaleb Pederson [mailto:kaleb.pederson at gmail.com]
> > Sent: Wednesday, April 01, 2009 12:59 PM
> > To: Christopher Barry
> > Cc: scponly at lists.ccs.neu.edu
> > Subject: Re: [scponly] logging control
> >
> > On Wed, Apr 1, 2009 at 9:00 AM, Christopher Barry
> > <christopher.barry at qlogic.com> wrote:
> >
> > [...snip...]
> > > Anyone have a chance to chew on this? Are there some docs/posts I've missed that I should read first?
> >
> > My response yesterday should reference enough documentation that you
> > can figure this out.
>
> Man you overestimate me ;)
>
> man sftp-server describes the two options, which I have tried.
>
> > I created a suite of shell scripts for user, group, and chroot
> > management at a company I worked for about five years ago. Overall,
> > it worked great and they're still using them. I hope you end up with
> > something generically useful.
> >
> > Thanks.
> >
> > --Kaleb
>
> Basically my approach too - hopefully it does work out.
>
> Here's what's happening now:
>
> I had tried the -l and -f options before in the subsystem, and it would
> not work with scponly. That's why I thought I needed the env vars set
> to something. If I set -l and -f, I can sftp normally as root no
> problem, and I see the enhanced logging. When I then try to connect as
> an sftp user, I get the error below.
>
> Apr 1 17:58:27 <removed> sshd[6489]: Accepted publickey for se from 10.32.8.200 port 60160 ssh2
> Apr 1 17:58:27 <removed> sshd[6491]: pam_unix(sshd:session): session opened for user se by (uid=0)
> Apr 1 17:58:27 <removed> sshd[6491]: subsystem request for sftp
> Apr 1 17:58:27 <removed> scponly[6492]: chrooted binary in place, will chroot()
> Apr 1 17:58:27 <removed> scponly[6492]: 3 arguments in total.
> Apr 1 17:58:27 <removed> scponly[6492]: ^Iarg 0 is scponlyc
> Apr 1 17:58:27 <removed> scponly[6492]: ^Iarg 1 is -c
> Apr 1 17:58:27 <removed> scponly[6492]: ^Iarg 2 is /usr/lib/openssh/sftp-server -l INFO -f AUTH
> Apr 1 17:58:27 <removed> scponly[6492]: opened log at LOG_AUTHPRIV, opts 0x00000029
> Apr 1 17:58:27 <removed> scponly[6492]: retrieved home directory of "/var/sftp/chroot_partners/se//home/se" for user "se"
> Apr 1 17:58:27 <removed> scponly[6492]: chrooting to dir: "/var/sftp/chroot_partners/se"
> Apr 1 17:58:27 <removed> scponly[6492]: chdiring to dir: "/home/se"
> Apr 1 17:58:27 <removed> scponly[6492]: chdiring to dir: "/home/se"
> Apr 1 17:58:27 <removed> scponly[6492]: setting uid to 10000
> Apr 1 17:58:27 <removed> scponly[6492]: processing request: "/usr/lib/openssh/sftp-server -l INFO -f AUTH"
> Apr 1 17:58:27 <removed> scponly[6492]: denied request: /usr/lib/openssh/sftp-server -l INFO -f AUTH (resolved to: /usr/lib/sftp-server -l INFO -f AUTH) [username: se(10000), IP/port: 10.32.8.200 60160 22]
> Apr 1 17:58:27 <removed> sshd[6491]: pam_unix(sshd:session): session closed for user se
>
>
> I'm running ssh4.7 in Ubuntu 8.10. /usr/lib/openssh/sftp-server is the
> binary, and is a symlink to it. Is there a transition as it chroots,
> and the paths may be incorrect?
>
> [UPDATE] I investigated this before sending this email. I created a
> /usr/lib/openssh dir in the chroot, and copied sftp-server there. Same
> issue (denied request). Everything works fine for scponly if I remove
> the -l and -f options from sshd_config. 'who' is denying the request
> here? sshd, sftp-server or scponly?
>
> Any ideas?
>
> Thanks,
>
> -C
Here's the code snippet from scponly.c (ver 4.6) that's triggering the error.
    /*
     * reaching this point in the code means the request isn't one of
     * our accepted commands
     */
    if (debuglevel)
    {
        if (exact_match(flat_request,tmprequest))
            syslog (LOG_ERR, "denied request: %s [%s]", tmprequest, logstamp());
        else
            syslog (LOG_ERR, "denied request: %s (resolved to: %s) [%s]", tmprequest, flat_request, logstamp());
    }
    free(flat_request);
This is reproducible using FileZilla on Windows and Linux, and WinSCP on Windows.
I built it with:
--enable-winscp-compat
--enable-sftp-logging-compat
--enable-scp-compat
--enable-rsync-compat
--enable-chrooted-binary
Could it be my build options or something?
-C
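Added example (not from the thread or from scponly itself): a parser for the two "denied request" syslog formats the snippet above emits, so the user, uid, source IP and resolved path can be pulled out of sshd/scponly logs and denials where the binary resolved to a different path than requested are flagged for review. The sample lines are constructed from the thread's log; "host" replaces the removed hostname.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field layout follows the two syslog() calls quoted from scponly.c:
#   "denied request: %s [%s]"  and  "denied request: %s (resolved to: %s) [%s]"
# where logstamp() expands to "username: NAME(UID), IP/port: IP PORT LOCALPORT".
DENIED_RE = re.compile(
    r"scponly\[(?P<pid>\d+)\]: denied request: (?P<request>.*?)"
    r"(?: \(resolved to: (?P<resolved>.*?)\))?"
    r" \[username: (?P<user>[^(]+)\((?P<uid>\d+)\), "
    r"IP/port: (?P<ip>\S+) (?P<port>\d+) (?P<lport>\d+)\]$"
)

@dataclass
class DeniedRequest:
    pid: int
    request: str             # command line as sshd handed it to scponly
    resolved: Optional[str]  # after scponly resolved symlinks, when it differs
    user: str
    uid: int
    ip: str
    port: int

    @property
    def binary_rewritten(self) -> bool:
        # True when the resolved binary differs from the requested one (symlink/chroot path mismatch).
        return (self.resolved is not None
                and self.request.split()[0] != self.resolved.split()[0])

def parse_denied(line: str) -> Optional[DeniedRequest]:
    """Return a DeniedRequest for an scponly denial line, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return DeniedRequest(int(m["pid"]), m["request"], m["resolved"],
                         m["user"].strip(), int(m["uid"]), m["ip"], int(m["port"]))

def denied_requests(log: str) -> list:
    """All denials in a syslog excerpt, in order of appearance."""
    return [d for d in map(parse_denied, log.splitlines()) if d]

# Constructed sample: the thread's mail-wrapped denial rejoined onto one line,
# one unrelated scponly line, and one made-up exact-match denial. "host"
# stands in for the redacted hostname.
SAMPLE_LOG = """\
Apr 1 17:58:27 host scponly[6492]: processing request: "/usr/lib/openssh/sftp-server -l INFO -f AUTH"
Apr 1 17:58:27 host scponly[6492]: denied request: /usr/lib/openssh/sftp-server -l INFO -f AUTH (resolved to: /usr/lib/sftp-server -l INFO -f AUTH) [username: se(10000), IP/port: 10.32.8.200 60160 22]
Apr 1 18:02:11 host scponly[6510]: denied request: /bin/ls -la /etc [username: se(10000), IP/port: 10.32.8.200 60170 22]
"""
```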