[scponly] scponly on AIX with IBMs patches to OpenSSH
Kaleb Pederson
kaleb.pederson at gmail.com
Thu Oct 25 01:48:37 EDT 2012
On Fri, Oct 19, 2012 at 5:25 AM, Eckert, Doug <Doug.Eckert at dowjones.com> wrote:
>
> We also ran into this after applying the same update. I found this thread,
>
> downloaded the latest daily snapshot, and applied the patch below. SFTP started
>
> working again. However, SCP stopped.
I just checked the source and that patch is already included in the
current version.
Just as a reminder, we've switched over to github:
https://github.com/scponly/scponly
You'll see the patch applied here:
https://github.com/scponly/scponly/blob/master/scponly.c#L163
> We have 2 classes of file transfer/input users. External users who come in to an sshd
>
> running on port 2112 who are forced into SFTP using Match Group and ForceCommand
>
> directives. These users work fine with shell=scponly (“m patch” applied).
>
>
>
> The other users are internal who come in on port 22. Some use SFTP, some SCP. Post-patch,
>
> the SCP users are being denied. I set up debugging and here’s what I captured for
>
> one such session:
>
> Oct 19 08:06:27 sbktesaix02 auth|security:info sshd[5308482]: Accepted password for XXXXXX from www.xxx.yyy.zzz port 53455 ssh2
...
> Oct 19 08:06:27 sbktesaix02 auth|security:err|error scponly[4980864]: denied request: scp -v -t -- /tmp [username: XXXXXX(500), IP/port: www.xxx.yyy.zzz 53455 22]
I have to force my Linux system to use the bundled getopt, so I'm not
exactly running the same environment as you, but here's what I now get
as output:
scponly[7476]: using netbsd's bundled getopt_long
scponly[7476]: 3 arguments in total.
scponly[7476]: arg 0 is scponly
scponly[7476]: arg 1 is -c
scponly[7476]: arg 2 is /usr/bin/scp -v -t -- /tmp
scponly[7476]: opened log at LOG_AUTHPRIV, opts 0x00000009
scponly[7476]: determined USER is "scponly" from environment
scponly[7476]: retrieved home directory of "/home/scponly" for user "scponly"
scponly[7476]: processing request: "/usr/bin/scp -v -t -- /tmp"
scponly[7476]: Using getopt processing for cmd /usr/bin/scp#012
(username: scponly(1001), IP/port: 127.0.0.1 33867 22)
scponly[7476]: getopt processing returned 'v' (username:
scponly(1001), IP/port: 127.0.0.1 33867 22)
scponly[7476]: getopt processing returned 't' (username:
scponly(1001), IP/port: 127.0.0.1 33867 22)
scponly[7476]: running: /usr/bin/scp -v -t -- /tmp (username:
scponly(1001), IP/port: 127.0.0.1 33867 22)
scponly[7476]: about to exec "/usr/bin/scp" (username: scponly(1001),
IP/port: 127.0.0.1 33867 22)
Let me know how it goes.
HTH,
--Kaleb
More information about the scponly
mailing list