[scponly] scponly on AIX with IBMs patches to OpenSSH

Kaleb Pederson kaleb.pederson at gmail.com
Wed Oct 24 11:15:24 EDT 2012


Thanks for the report Doug. I bookmarked this last week but still haven't
had a chance to look at it.

One quick question that may make the problem obvious to me:

Do you have debuglevel set? i.e.: echo 1 > $INSTALLDIR/etc/scponly/debuglevel

If not, can you set it, re-execute the command, and send me the output?

Thanks.

--Kaleb

On Fri, Oct 19, 2012 at 5:25 AM, Eckert, Doug <Doug.Eckert at dowjones.com> wrote:

> Greetings,
>
> We also ran into this after applying the same update.  I found this thread,
> downloaded the latest daily snapshot, and applied the patch below.  SFTP started
> working again.  However, SCP stopped.
>
> We have 2 classes of file transfer/input users.  External users come in to an sshd
> running on port 2112 and are forced into SFTP using Match Group and ForceCommand
> directives.  These users work fine with shell=scponly ("m patch" applied).
>
> The other users are internal and come in on port 22.  Some use SFTP, some SCP. Post-patch,
> the SCP users are being denied.  I set up debugging and here's what I captured for
> one such session:
>
>
> Oct 19 08:06:27 sbktesaix02 auth|security:info sshd[5308482]: Accepted password for XXXXXX from www.xxx.yyy.zzz port 53455 ssh2
> Oct 19 08:06:27 sbktesaix02 auth|security:info scponly[4980864]: using netbsd's bundled getopt_long
> Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: 3 arguments in total.
> Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]:       arg 0 is scponly
> Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]:       arg 1 is -c
> Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]:       arg 2 is scp -v -t -- /tmp
> Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: opened log at LOG_AUTH, opts 0x00000009
> Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: determined USER is "XXXXXX" from environment
> Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: retrieved home directory of "/home/XXXXXX" for user "XXXXXX"
> Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: setting uid to 500
> Oct 19 08:06:27 sbktesaix02 auth|security:debug scponly[4980864]: processing request: "scp -v -t -- /tmp"
> Oct 19 08:06:27 sbktesaix02 auth|security:err|error scponly[4980864]: denied request: scp -v -t -- /tmp [username: XXXXXX(500), IP/port: www.xxx.yyy.zzz 53455 22]
> Oct 19 08:06:27 sbktesaix02 auth|security:info sshd[5242894]: Received disconnect from www.xxx.yyy.zzz: 11: disconnected by user
>
> If I use the pre-patched scponly for their shell, file transfers succeed.
>
> --Doug
>
>
> > On Sun, Dec 11, 2011 at 3:07 AM, Frank Fegert <fra.nospam.nk at gmx.de> wrote:
> > Hello,
> >
> > just a heads-up: After a recent AIX update (6.1.5.1 -> 6.1.7.1) I
> > found that sftp connections via scponly would fail. After adding
> > the attached patch, things started working again. I opened a PMR
> > with IBM to clarify. Apparently they patched the OpenSSH sftp-server
> > and introduced a "-m" command line option, which is used to pass a
> > path to an alternative sshd_config file. Unfortunately they neglected
> > to patch the "sftp-server -h" output as well as the sftp-server man
> > page, so it was a bit of a head scratcher at first :-(
> >
> > Best regards,
> >
> >    Frank
> >
> >
>
> >* #################################################################*
>
> >* --- scponly.c.orig      2011-12-05 12:41:18.000000000 +0100*
>
> >* +++ scponly.c   2011-12-05 12:44:03.000000000 +0100*
>
> >* @@ -160,7 +160,7 @@*
>
> >*         * program name         use getopt?             strict optlist? badarg                  optlist                 longopts\n*
>
> >*         */*
>
> >*  #ifdef ENABLE_SFTP*
>
> >* -       { PROG_SFTP_SERVER,     1,                              1,                              NULL,                   "f:l:u:",               empty_longopts },*
>
> >* +       { PROG_SFTP_SERVER,     1,                              1,                              NULL,                   "f:l:u:m:",             empty_longopts },*
>
> >*  #endif*
>
> >*  #ifdef ENABLE_SCP2*
>
> >*        { PROG_SCP,             1,                              1,                              "SoF",                  "dfl:prtvBCc:i:P:q1246S:o:F:", empty_longopts },*
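Review bot: the new `m:` in the sftp-server optlist whitelists an option that carries a path argument (the covering text says it selects an alternative sshd_config) while the badarg column for that row stays NULL, and scponly sees the same command string whether sshd built it from an admin-controlled Subsystem line or a client sent it as a plain exec request; decide whether a client-supplied `-m <path>` should be accepted at all, and in any case add a comment on the `+` line that `m:` is an IBM/AIX-specific extension absent from upstream sftp-server (or guard it with an AIX-only `#ifdef`), so a later reader of this table knows why it is there. The scp row below is unchanged context, so this hunk on its own does not touch scp handling.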
>
> Doug Eckert
> Technical Architect
>
> Global Business Technology
> Dow Jones | A News Corporation Company
> P.O. Box 300 | Princeton NJ 08543-0300
> (W) 609.520.4993 (C) 732.666.3681
> Email: doug.eckert at dowjones.com
>
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
>
>
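As an added illustration of the check that the quoted option table drives (this is example code written for this archive page, not scponly's source), the C program below models the strict per-program whitelist: the request must name a program in the table, every option letter must appear in that row's optlist, and no letter may appear in its badarg column. The two tables copy the sftp-server and scp rows before and after Frank's hunk; the request strings are constructed, except the third, which is the one in Doug's debug log. The `S`, `o` and `F` letters in scp's badarg column are refused because they let the client name a program, pass ssh options and pick a config file. Note that this simplified check accepts `scp -v -t -- /tmp` under both table states, so it does not reproduce the scp denial Doug reports; what the snapshot's scponly objected to is not visible on this page, and the debuglevel output Kaleb asks for is what would show it.

```c
/* Added example (not scponly's own code): a minimal model of the strict
 * per-program option check behind the quoted table. Each row carries the
 * program name, the letters that are always refused (badarg) and the
 * getopt-style whitelist (optlist, where ':' means "takes an argument"). */
#include <stdio.h>
#include <string.h>

struct progopts {
    const char *prog;
    const char *badarg;   /* NULL = nothing explicitly forbidden */
    const char *optlist;
};

/* Rows as they stand before and after the "-m" hunk (column values taken
 * from the quoted table; its getopt/strict flags are both 1 and implied). */
static const struct progopts table_before[] = {
    { "sftp-server", NULL,  "f:l:u:" },
    { "scp",         "SoF", "dfl:prtvBCc:i:P:q1246S:o:F:" },
    { NULL, NULL, NULL }
};
static const struct progopts table_after[] = {
    { "sftp-server", NULL,  "f:l:u:m:" },   /* IBM's AIX "-m <sshd_config>" */
    { "scp",         "SoF", "dfl:prtvBCc:i:P:q1246S:o:F:" },
    { NULL, NULL, NULL }
};

/* Position of option letter c in the whitelist, or NULL if absent. */
static const char *find_opt(const char *optlist, char c)
{
    return c == ':' ? NULL : strchr(optlist, c);
}

/* Strict check over argv: program must be in the table, every option
 * letter must be whitelisted and none may be in badarg. Option parsing
 * stops at "--" or at the first operand (e.g. "/tmp"). 1 = allow, 0 = deny. */
int check_request(const struct progopts *table, int argc, char **argv)
{
    const struct progopts *p;
    int i;

    if (argc < 1) return 0;
    for (p = table; p->prog; p++)
        if (strcmp(p->prog, argv[0]) == 0) break;
    if (!p->prog) return 0;                    /* program not in table */

    for (i = 1; i < argc; i++) {
        const char *a = argv[i], *q;
        if (strcmp(a, "--") == 0) break;       /* end of options */
        if (a[0] != '-' || a[1] == '\0') break;/* operand, not an option */
        for (q = a + 1; *q; q++) {
            const char *w = find_opt(p->optlist, *q);
            if (!w) return 0;                  /* unknown option: denied */
            if (p->badarg && strchr(p->badarg, *q))
                return 0;                      /* forbidden option: denied */
            if (w[1] == ':') {                 /* option takes an argument */
                if (q[1] == '\0' && ++i >= argc)
                    return 0;                  /* argument missing */
                break;                         /* rest of cluster is the arg */
            }
        }
    }
    return 1;
}

/* Split a space-separated request string (the form scponly logs as
 * "processing request: ...") and run the check on it. */
int check_request_str(const struct progopts *table, const char *request)
{
    char buf[256], *argv[32], *tok;
    int argc = 0;

    if (strlen(request) >= sizeof buf) return 0;
    strcpy(buf, request);
    for (tok = strtok(buf, " "); tok && argc < 32; tok = strtok(NULL, " "))
        argv[argc++] = tok;
    return check_request(table, argc, argv);
}

int main(void)
{
    /* Constructed requests; the third is the one in Doug's debug log. */
    const char *reqs[] = {
        "sftp-server",
        "sftp-server -m /etc/ssh/sshd_config.sftp",
        "scp -v -t -- /tmp",
        "scp -S /bin/sh -t /tmp",
        "scp -P 2222 -t /tmp",
    };
    size_t n;

    for (n = 0; n < sizeof reqs / sizeof reqs[0]; n++)
        printf("%-44s before: %s  after: %s\n", reqs[n],
               check_request_str(table_before, reqs[n]) ? "allow" : "deny",
               check_request_str(table_after,  reqs[n]) ? "allow" : "deny");
    return 0;
}
```

Running it prints one line per request: the `-m` request is denied with the old sftp-server row and allowed with the new one, `scp -S /bin/sh ...` is denied by badarg regardless of the table, and the `-- /tmp` request is allowed in both cases.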