[scponly] Troubles with scponly-4.8
    Kaleb Pederson 
    kaleb.pederson at gmail.com
       
    Thu Oct 28 15:01:53 EDT 2010
    
    
  
Ok, we're getting closer.
Rerun ldconfig:
ldconfig -r /apps/home/garytest -v
See if it works.  If not, what does the syslog debug output say?  If it says something other than what it did before (i.e. file not found) then run strace again.
-- 
Kaleb Pederson
Blog - http://kalebpederson.com
Twitter - http://twitter.com/kalebpederson
On Thursday, October 28, 2010 11:56:01 am Gary Autiello wrote:
> 
> Ok, the output of the ldd /usr/libexec/openssh/sftp-server was:
> 
> [root at garytest139 gautiello]# ldd /usr/libexec/openssh/sftp-server
>         libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b6056c3f000)
>         libutil.so.1 => /lib64/libutil.so.1 (0x00002b6056f90000)
>         libz.so.1 => /usr/lib64/libz.so.1 (0x00002b6057193000)
>         libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b60573a8000)
>         libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b60575c0000)
>         libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b60577f8000)
>         libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b6057a0e000)
>         libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b6057c3c000)
>         libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b6057ed1000)
>         libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b60580f7000)
>         libnss3.so => /usr/lib64/libnss3.so (0x00002b60582f9000)
>         libc.so.6 => /lib64/libc.so.6 (0x00002b6058626000)
>         libdl.so.2 => /lib64/libdl.so.2 (0x00002b605897e000)
>         libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b6058b82000)
>         libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b6058d8a000)
>         libnssutil3.so => /usr/lib64/libnssutil3.so (0x00002b6058f8d000)
>         libplc4.so => /usr/lib64/libplc4.so (0x00002b60591ab000)
>         libplds4.so => /usr/lib64/libplds4.so (0x00002b60593af000)
>         libnspr4.so => /usr/lib64/libnspr4.so (0x00002b60595b3000)
>         libpthread.so.0 => /lib64/libpthread.so.0 (0x00002b60597ee000)
>         /lib64/ld-linux-x86-64.so.2 (0x00002b6056a22000)
>         libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b6059a09000)
>         libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b6059c22000)
> 
> Your script did:
> 
> [root at garytest139 gautiello]# ./cplibdeps /apps/home/garytest /usr/libexec/openssh/sftp-server
> Examining dependencies of /usr/libexec/openssh/sftp-server...
> Copying /usr/libexec/openssh/sftp-server
> => /apps/home/garytest//usr/libexec/openssh/sftp-server
> Copying /lib64/ld-2.5.so => /apps/home/garytest//lib64/ld-2.5.so
> Copying /lib64/libc-2.5.so => /apps/home/garytest//lib64/libc-2.5.so
> Copying /lib64/libcom_err.so.2.1
> => /apps/home/garytest//lib64/libcom_err.so.2.1
> Copying /lib64/libcrypt-2.5.so
> => /apps/home/garytest//lib64/libcrypt-2.5.so
> Copying /lib64/libcrypto.so.0.9.8e
> => /apps/home/garytest//lib64/libcrypto.so.0.9.8e
> Copying /lib64/libdl-2.5.so => /apps/home/garytest//lib64/libdl-2.5.so
> Copying /lib64/libkeyutils-1.2.so
> => /apps/home/garytest//lib64/libkeyutils-1.2.so
> Copying /lib64/libnsl-2.5.so => /apps/home/garytest//lib64/libnsl-2.5.so
> Copying /lib64/libpthread-2.5.so
> => /apps/home/garytest//lib64/libpthread-2.5.so
> Copying /lib64/libresolv-2.5.so
> => /apps/home/garytest//lib64/libresolv-2.5.so
> Copying /lib64/libselinux.so.1
> => /apps/home/garytest//lib64/libselinux.so.1
> Copying /lib64/libsepol.so.1 => /apps/home/garytest//lib64/libsepol.so.1
> Copying /lib64/libutil-2.5.so => /apps/home/garytest//lib64/libutil-2.5.so
> Copying /usr/lib64/libgssapi_krb5.so.2.2
> => /apps/home/garytest//usr/lib64/libgssapi_krb5.so.2.2
> Copying /usr/lib64/libk5crypto.so.3.1
> => /apps/home/garytest//usr/lib64/libk5crypto.so.3.1
> Copying /usr/lib64/libkrb5.so.3.3
> => /apps/home/garytest//usr/lib64/libkrb5.so.3.3
> Copying /usr/lib64/libkrb5support.so.0.1
> => /apps/home/garytest//usr/lib64/libkrb5support.so.0.1
> Copying /usr/lib64/libnspr4.so
> => /apps/home/garytest//usr/lib64/libnspr4.so
> Copying /usr/lib64/libnss3.so => /apps/home/garytest//usr/lib64/libnss3.so
> Copying /usr/lib64/libnssutil3.so
> => /apps/home/garytest//usr/lib64/libnssutil3.so
> Copying /usr/lib64/libplc4.so => /apps/home/garytest//usr/lib64/libplc4.so
> Copying /usr/lib64/libplds4.so
> => /apps/home/garytest//usr/lib64/libplds4.so
> Copying /usr/lib64/libz.so.1.2.3
> => /apps/home/garytest//usr/lib64/libz.so.1.2.3
> 
> Still not working... :-(
> ______________________________________
> Gary Autiello, Network +, MCITP
> Network Administrator
> Dominion Diagnostics, LLC
> x886, 401-667-0886
> 
> 
> 
> 
> 
> From:	Kaleb Pederson <kaleb.pederson at gmail.com>
> To:	Gary Autiello <gautiello at dominiondiagnostics.com>
> Cc:	scponly at lists.ccs.neu.edu
> Date:	10/28/2010 02:37 PM
> Subject:	Re: Troubles with scponly-4.8
> 
> 
> 
> From the strace log:
> 
> execve("/usr/libexec/openssh/sftp-server",
> ["/usr/libexec/openssh/sftp-server"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)
> 
> As the executable exists this implies that it's missing a dependent
> library.
> 
> What does the following report: `ldd /usr/libexec/openssh/sftp-server`? All
> the libraries that it depends on should be present in your ldconfig output
> below.
> 
> My python script (attached) should detect all required libraries and add
> them to the chroot.  Here's the usage:
> 
> cplibdeps /path/to/chroot /path/to/exe1 [/path/to/exe2 ...]
> 
> In your case:
> 
> cplibdeps /apps/home/garytest /usr/libexec/openssh/sftp-server
> 
> --
> Kaleb Pederson
> 
> Blog - http://kalebpederson.com
> Twitter - http://twitter.com/kalebpederson
> 
> On Thursday, October 28, 2010 11:17:11 am Gary Autiello wrote:
> >
> > Hi Kaleb,
> >
> > Ok I was able to do items 1, 2, and 3 except for the temp shell as I'm not
> > sure how to get /bin/sash or /bin/dash set up.
> >
> > When I ran the ldconfig command I got the following:
> >
> > [root at garytest139 usr]# ldconfig -r /apps/home/garytest -v
> > ldconfig: Can't stat /usr/lib: No such file or directory
> > /lib:
> >         ld-linux.so.2 -> ld-linux.so.2
> >         libnss_compat.so.2 -> libnss_compat.so.2
> > /lib64:
> >         libresolv.so.2 -> libresolv.so.2
> >         libdl.so.2 -> libdl.so.2
> >         libsepol.so.1 -> libsepol.so.1
> >         libselinux.so.1 -> libselinux.so.1
> >         libcrypt.so.1 -> libcrypt.so.1
> >         libcom_err.so.2 -> libcom_err.so.2
> >         libpthread.so.0 -> libpthread.so.0
> >         libcrypto.so.6 -> libcrypto.so.6
> >         libc.so.6 -> libc.so.6
> >         libutil.so.1 -> libutil.so.1
> >         libnsl.so.1 -> libnsl.so.1
> >         libkeyutils.so.1 -> libkeyutils.so.1
> > /usr/lib64:
> >         libgssapi_krb5.so.2 -> libgssapi_krb5.so.2
> >         libz.so.1 -> libz.so.1
> >         libplds4.so -> libplds4.so
> >         libnspr4.so -> libnspr4.so
> >         libkrb5.so.3 -> libkrb5.so.3
> >         libplc4.so -> libplc4.so
> >         libnssutil3.so -> libnssutil3.so
> >         libk5crypto.so.3 -> libk5crypto.so.3
> >         libkrb5support.so.0 -> libkrb5support.so.0
> >         libnss3.so -> libnss3.so
> >
> > I'm assuming the fact that /usr/lib was not found, is a problem.  So, I
> > logged onto our old server and ran the same command for a comparison:
> >
> > [root at taurus home]# ldconfig -r /apps/home/13079/ -v
> > /lib:
> >         libcrypt.so.1 -> libcrypt.so.1
> >         libnss_compat.so.1 -> libnss_compat.so.1
> >         libutil.so.1 -> libutil.so.1
> >         libresolv.so.2 -> libresolv.so.2
> >         libattr.so.1 -> libattr.so.1
> >         ld-linux.so.2 -> ld-linux.so.2
> >         libcrypto.so.4 -> libcrypto.so.4
> >         libnss_compat.so.2 -> libnss_compat.so.2
> >         libselinux.so.1 -> libselinux.so.1
> >         libcom_err.so.2 -> libcom_err.so.2
> >         libnsl.so.1 -> libnsl.so.1
> >         libacl.so.1 -> libacl.so.1
> >         libdl.so.2 -> libdl.so.2
> > /usr/lib:
> >         libgssapi_krb5.so.2 -> libgssapi_krb5.so.2
> >         libz.so.1 -> libz.so.1
> >         libkrb5.so.3 -> libkrb5.so.3
> >         libk5crypto.so.3 -> libk5crypto.so.3
> > /lib/tls: (hwcap: 0x8000000000000000)
> >         libc.so.6 -> libc.so.6
> >         libpthread.so.0 -> libpthread.so.0
> >         librt.so.1 -> librt.so.1
> >
> > They are definitely WAY different as you can see.
> >
> > For the strace, I have attached the output of what I received.  There are
> > three files that it produced:  sftp.log.1777 should contain the PID for the
> > [priv] connection from the client side.
> >
> > (See attached file: sftp.log.1816)(See attached file: sftp.log.1777)(See
> > attached file: sftp.log.1815)
> > ______________________________________
> > Gary Autiello, Network +, MCITP
> > Network Administrator
> > Dominion Diagnostics, LLC
> > x886, 401-667-0886
> >
> >
> >
> >
> >
> > From:		 Kaleb Pederson <kaleb.pederson at gmail.com>
> > To:		 Gary Autiello <gautiello at dominiondiagnostics.com>
> > Cc:		 scponly at lists.ccs.neu.edu
> > Date:		 10/28/2010 01:58 PM
> > Subject:		 Re: Troubles with scponly-4.8
> >
> >
> >
> > Here's a few things to try in order of increasing complexity:
> >
> > 1) Set the debuglevel to 1
> > 2) run ldconfig -r /path/to/chroot -v and verify that no missing libraries
> > are found
> >
> > [Optionally -- if you have a shell with no dependencies you can install
> > temporarily]:
> > 2.a) copy /bin/sash or /bin/dash (a shell with no dependencies) into the
> > chroot, then chroot using 'chroot /path/to/chroot /bin/sash' and then
> > run /usr/libexec/openssh/sftp-server manually and see if it runs. Don't
> > forget to remove the shell when you're done.
> >
> > 3) Strace the program as illustrated here:
> >
> > http://sublimation.org/scponly/wiki/index.php/FAQ#I_still_can.27t_find_my_problem.2C_what_else_can_I_try.3F
> >
> >
> > #3 should provide plenty of information that will allow us to figure out
> > what's going on, but it's a slightly cumbersome process.
> >
> > --
> > Kaleb Pederson
> >
> > Blog - http://kalebpederson.com
> > Twitter - http://twitter.com/kalebpederson
> >
> > On Thursday, October 28, 2010 10:44:16 am Gary Autiello wrote:
> > >
> > > Hey Kaleb,
> > >
> > > Thanks for your reply.
> > >
> > > The chroot-building script did copy over the sftp-server as you can see in
> > > the screen shot below.  The chrooted environment for the user
> > > is /apps/home/garytest/:
> > >
> > >
> > > I will look for that python script, but if you have any more ideas, please
> > > let me know.
> > >
> > > Thanks,
> > > ______________________________________
> > > Gary Autiello, Network +, MCITP
> > > Network Administrator
> > > Dominion Diagnostics, LLC
> > > x886, 401-667-0886
> > >
> > >
> > >
> > >
> > >
> > > From:		 		  Kaleb Pederson <kaleb.pederson at gmail.com>
> > > To:		 		  Gary Autiello <gautiello at dominiondiagnostics.com>
> > > Cc:		 		  scponly at lists.ccs.neu.edu
> > > Date:		 		  10/28/2010 01:39 PM
> > > Subject:		 		  Re: Troubles with scponly-4.8
> > >
> > >
> > >
> > > Gary,
> > >
> > > I'm CCing the list now that you're subscribed.
> > >
> > > The following is the culprit (or at least part of the problem):
> > >
> > > > Oct 28 17:15:09 garytest139 scponly[32425]:
> > > > failed: /usr/libexec/openssh/sftp-server -l INFO -f LOCAL6 with error No
> > > > such file or directory(2) (username: garytest(813), IP/port: 192.168.1.43
> > > > 49384 22)
> > >
> > > It looks as if the sftp-server wasn't copied into the chroot.  The
> > > chroot-building script isn't very powerful and has some problems. I'd
> > > actually recommend Jailkit (http://olivier.sessink.nl/jailkit/) for
> > > building the chroot.
> > >
> > > If not using Jailkit, once the basic chroot is set up and functional,
> > > there's a python script that I wrote that should be in the archives
> > > somewhere that you can use to add or update supporting libraries for
> > > whatever programs you want to copy into the chroot.
> > >
> > > Once you've copied over the sftp-server, please let me know if you run into
> > > any problems.
> > >
> > > --Kaleb
> > >
> > > CONFIDENTIALITY NOTICE: This e-mail, including attachments,
> > > is for the sole use of the individual to whom it is addressed
> > > This message is confidential and may contain information that
> > > is privileged, confidential and is exempt from disclosure under
> > > applicable law. Any unauthorized review, use, disclosure or
> > > distribution is prohibited. If you have received this e-mail
> > > in error, please notify the sender by reply e-mail and destroy
> > > this message and its attachments
> > >
> > >
> >
> >
> >
> [attachment "cplibdeps" deleted by Gary Autiello/domdiag]
> 
> 
> 
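
The check described in the thread (every library that ldd reports must be reachable inside the chroot), as an added example that is not the cplibdeps script or any code from the thread; the function names and the temporary chroot are constructed for illustration. It resolves each path ldd printed, including the ELF interpreter, relative to the chroot root, because execve returns ENOENT when the interpreter is absent even though the binary itself exists.

```python
# Added example; function names are this example's own, not cplibdeps code.
import os
import re
import tempfile

# Constructed sample: four lines taken from the ldd output quoted in the thread.
SAMPLE_LDD = """\
        libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b6056c3f000)
        libz.so.1 => /usr/lib64/libz.so.1 (0x00002b6057193000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b6058626000)
        /lib64/ld-linux-x86-64.so.2 (0x00002b6056a22000)
"""
# Matches "name => /path (0xaddr)" and the bare "/path (0xaddr)" loader line.
LDD_LINE = re.compile(r"^\s*(?:\S+\s+=>\s+)?(/\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")

def parse_ldd(text):
    """Absolute paths the dynamic loader opens, ELF interpreter included."""
    return [m.group(1) for m in map(LDD_LINE.match, text.splitlines()) if m]

def resolve_in_chroot(root, path, hops=0):
    """Host path of `path` as seen from inside `root`, or None if it is absent.
    Simplification: only a symlink in the final path component is followed."""
    host = os.path.join(root, path.lstrip("/"))
    if os.path.islink(host) and hops < 16:
        target = os.readlink(host)
        if not target.startswith("/"):  # relative link: resolve beside the link
            target = os.path.join(os.path.dirname(path), target)
        return resolve_in_chroot(root, os.path.normpath(target), hops + 1)
    return host if os.path.isfile(host) else None

def missing_in_chroot(root, ldd_text):
    """Paths ldd reported on the host that do not resolve inside the chroot."""
    return [p for p in parse_ldd(ldd_text) if resolve_in_chroot(root, p) is None]

def demo():
    """Constructed chroot: versioned files first, soname links added afterwards."""
    links = {"/lib64/libcrypto.so.6": "libcrypto.so.0.9.8e",
             "/usr/lib64/libz.so.1": "libz.so.1.2.3",
             "/lib64/libc.so.6": "libc-2.5.so",
             "/lib64/ld-linux-x86-64.so.2": "ld-2.5.so"}
    with tempfile.TemporaryDirectory() as root:
        for link, real in links.items():
            d = os.path.join(root, os.path.dirname(link).lstrip("/"))
            os.makedirs(d, exist_ok=True)
            open(os.path.join(d, real), "wb").close()
        before = missing_in_chroot(root, SAMPLE_LDD)
        for link, real in links.items():
            os.symlink(real, os.path.join(root, link.lstrip("/")))
        return before, missing_in_chroot(root, SAMPLE_LDD)
```

`demo()` returns the missing paths before and after the soname links exist; on a real system, pass the output of `ldd` on the host binary and the chroot path to `missing_in_chroot`.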
    
    