[scponly] scponly doesn't work after upgrade to lenny : SOLVED
Flo
debianflo at gmx.at
Mon Oct 19 17:23:02 EDT 2009
>>
>> But I still had problems with the sftp subsystem. Again I spent hours on
>> that and I still haven't found the error but research on the web gave me
>> a hint how to avoid this:
>>
>> I replaced in /etc/ssh/sshd_config
>>
>> Subsystem sftp /usr/lib/openssh/sftp-server
>>
>> with
>>
>> Subsystem sftp internal-sftp
>>
>> and now it's working.
>
> "internal-sftp" makes sshd use a sftp server that requires no
> additional libraries when working with a chroot. I've never seen it
> used independent of ChrootDirectory. If all you need is sftp support,
> then I'd recommend using ChrootDirectory and internal-sftp in
> combination with ForceCommand. If you need anything beyond that
> scponly is there to help.
>
Thank you for the hint.
I tried the combination ChrootDirectory and ForceCommand internal-sftp
and it worked. It's just simpler and so it's better if I only need sftp.
There is one thing I need for some of the accounts and that's port
forwarding. Apparently it does not work with this setup.
Do I have to get back to scponly for these users?
>> My solution to this problem is that I wrote a tiny script and put it
>> into /etc/cron.weekly:
>>
>> vvvvvvvvvvvvvvvvvvvvvvvv
>>
>> #!/bin/sh
>> # For every scponlyc user, refresh the copies of bin/, usr/ and lib/
>> # inside the chroot (the home directory) from the real filesystem.
>> for a in `grep scponlyc /etc/passwd | cut -d : -f 6`
>> do
>> cd "$a" || continue
>> find bin -type f -exec cp -p /'{}' '{}' ';'
>> find usr -type f -exec cp -p /'{}' '{}' ';'
>> find lib -type f -exec cp -p /'{}' '{}' ';'
>> done
>>
>> ^^^^^^^^^^^^^^^^^^^^^^^^
>
> If possible, use a program that is intelligent enough to take a look
> at the shared libraries in use by the commands and update them as
> well. If the shared libraries aren't being updated, you're still
> likely to see something broken. I have a simple script that works on
> Linux (or any system that has an identical ldd output format) that
> I've been using for this purpose, but there's other programs that will
> do the same thing, such as Jailkit.
>
Hm, you are right: If names of shared libraries change they won't be
copied into the jail by this script.
Can you send me your script?
I had a look into jailkit (or at least at some articles about it). Maybe
I should dig into it to find the script for that.
Thanks for your help.
Flo
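The reply quoted above describes the fix for the cron.weekly script: resolve each jailed program's shared libraries with ldd and copy those too, so a library whose name changed in an upgrade still ends up in the chroot. The script below is an added example written for this page; it is neither the responder's script nor Jailkit. It assumes Linux-style ldd output, treats each scponlyc user's home directory as the chroot root (as the thread's script does), and takes the list of programs to jail (JAIL_BINS) as an assumption you adjust to what scponlyc executes on your system.

```shell
#!/bin/sh
# Added example, not the script from the thread: refresh the programs inside
# each scponly chroot AND the shared libraries they link against, resolved
# with ldd, so a library renamed by an upgrade is copied as well.

# Read ldd output on stdin and print the absolute paths of the shared objects
# it names. Two line shapes carry a path:
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)   -> field 3
#   /lib64/ld-linux-x86-64.so.2 (0x...)                    -> field 1 (loader)
# "linux-vdso.so.1 (0x...)" (no file on disk), "=> not found" and
# "not a dynamic executable" produce nothing.
parse_ldd_output() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//               { print $1 }'
}

# Constructed sample of ldd output (not captured from a real host), used to
# exercise parse_ldd_output without needing ldd present.
sample_ldd_output() {
    cat <<'EOF'
    linux-vdso.so.1 (0x00007ffd1b3f0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b5c000000)
    libold.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00007f3b5c400000)
EOF
}

# Everything needed to run the binary $1 inside the jail: the binary itself
# plus every library ldd resolves for it.
jail_deps() {
    printf '%s\n' "$1"
    ldd "$1" 2>/dev/null | parse_ldd_output
}

# Copy one host file ($2) into the jail ($1) at the same relative path,
# creating parent directories and keeping mode and mtime (cp -p).
copy_into_jail() {
    jail=$1
    file=$2
    mkdir -p "$jail$(dirname "$file")"
    cp -p "$file" "$jail$file"
}

# Refresh one jail ($1) with the binaries given as remaining arguments.
refresh_jail() {
    jail=$1
    shift
    for bin in "$@"; do
        jail_deps "$bin" | while read -r f; do
            copy_into_jail "$jail" "$f"
        done
    done
}

# Programs the jail must contain. This list is an assumption: set it to
# whatever scponlyc actually executes for your users.
JAIL_BINS="/usr/bin/scp /usr/lib/openssh/sftp-server"

main() {
    # As in the thread's script, each scponlyc user's home dir is the chroot.
    for home in $(grep scponlyc /etc/passwd | cut -d : -f 6); do
        refresh_jail "$home" $JAIL_BINS
    done
}

# Only touch the system when asked explicitly, e.g. from /etc/cron.weekly:
#   /usr/local/sbin/refresh-scponly-jails --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it once by hand with `--run` and then diff a jail's lib/ against the output of `ldd` for the jailed programs before trusting it in cron; if `parse_ldd_output` prints a path that does not exist on the host, the host itself has a broken dependency and the jail will be broken too.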