Linux/Security: Scponly SFTP Fix For RedHat and Centos 5.x (and possibly Fedora)
The current scponly release does not function correctly out of the box on 5.x RedHat and CentOS distributions. I was unable to test Fedora, but I expect the same problems there. Accounts created with scponly will fail to connect via scp or sftp without a /dev/null device inside the user's chroot (jail). The bad thing is that enabling debugging and checking the logs will show no issue. The logs showed ssh authenticate the username and password and hand the session to the sftp subsystem. After that, it would just show a disconnect. Below is the fix I used to get scponly working.
Use scponly's "make jail" command to set up the initial user. I removed most of the generic output from the command.
[root@testserver01 scponly-4.8]# make jail
/usr/bin/install -c -d /usr/local/bin
/usr/bin/install -c -d /usr/local/man/man8
/usr/bin/install -c -d /usr/local/etc/scponly
/usr/bin/install -c -o 0 -g 0 scponly /usr/local/bin/scponly
/usr/bin/install -c -o 0 -g 0 -m 0644 scponly.8 /usr/local/man/man8/scponly.8
/usr/bin/install -c -o 0 -g 0 -m 0644 debuglevel /usr/local/etc/scponly/debuglevel
if test "xscponlyc" != "x"; then /usr/bin/install -c -d /usr/local/sbin; rm -f /usr/local/sbin/scponlyc; cp scponly scponlyc; /usr/bin/install -c -o 0 -g 0 -m 4755 scponlyc /usr/local/sbin/scponlyc; fi
chmod u+x ./setup_chroot.sh
./setup_chroot.sh
Username to install [scponly]newact
home directory you wish to set for this user [/home/newact]
name of the writeable subdirectory [incoming]
creating /home/newact/incoming directory for uploading files
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
- joe at sublimation dot org
please set the password for newact:
Changing password for user newact.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Now that the user is created, let's test the sftp session from a different system.
user1@workstation03:~/.ssh$ sftp newact@10.1.3.43
Connecting to 10.1.3.43...
newact@10.1.3.43's password:
Connection closed
So we see that the connection failed. The reason is that there is no /dev/null device within the user's chrooted home (jail), and scponly does not auto-create this needed device. Create it as root, copying the device node (not the file contents) with cp -a:
[root@testserver01 scponly-4.8]# mkdir -p /home/newact/dev/
[root@testserver01 scponly-4.8]# cp -a /dev/null /home/newact/dev/
After re-testing the connection, you can see that everything is now functioning fine. I was able to push a file to the incoming folder in the working chrooted (jailed) environment.
user1@workstation03:~/.ssh$ sftp newact@10.1.3.43
Connecting to 10.1.3.43...
newact@10.1.3.43's password:
sftp> ls
dev etc incoming lib usr
sftp> cd incoming
sftp> put testfile
Uploading testfile to /incoming/testfile
testfile 100% 885 0.9KB/s 00:00
sftp> exit
Notes: For each user account that you create with the scponly chrooting scripts, you will need to create the dev directory, as well as the null device, under the user's home directory. This is definitely something that can be added to setup_chroot.sh manually and easily.
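As an added helper, not part of scponly or its setup_chroot.sh, here is a shell function that checks a jail for a correctly created null device (character device, major 1, minor 3, mode 0666) and creates it with mknod only when it is missing, refusing to overwrite anything else that happens to sit at dev/null. It assumes GNU stat and that chrooted accounts use scponlyc as their login shell; creating device nodes requires root.

```shell
#!/bin/sh
# Hypothetical helper for scponly jails: verify or create $JAIL/dev/null.
# Not part of scponly; creating the device node requires root.

# Returns 0 when "$1/dev/null" is a char device with major 1, minor 3 and
# mode 0666, 1 otherwise. Safe to run unprivileged. Assumes GNU stat.
check_jail_devnull() {
    jail=${1%/}
    dev="$jail/dev/null"
    [ -c "$dev" ] || return 1                              # must be a char device, not a file
    [ "$(stat -c '%t:%T' "$dev")" = "1:3" ] || return 1    # major:minor (hex) of the null device
    [ "$(stat -c '%a' "$dev")" = "666" ] || return 1       # world read/write, as on the host
    return 0
}

# Creates the device with mknod when the check fails. A path that exists but
# is not the 1:3 char device is reported and left alone (exit 3) rather than
# silently replaced, since that usually signals a botched jail setup.
ensure_jail_devnull() {
    jail=${1%/}
    [ -d "$jail" ] || { echo "no such jail: $jail" >&2; return 2; }
    check_jail_devnull "$jail" && return 0
    if [ -e "$jail/dev/null" ]; then
        echo "$jail/dev/null exists but is not a 1:3 char device; fix by hand" >&2
        return 3
    fi
    mkdir -p -m 755 "$jail/dev"
    mknod -m 666 "$jail/dev/null" c 1 3 || return 1
    chown 0:0 "$jail/dev/null"
    check_jail_devnull "$jail"
}

# Apply to every chrooted scponly account: users whose shell is scponlyc
# (assumption: the chroot variant installed by "make jail").
fix_all_scponly_jails() {
    awk -F: '$7 ~ /scponlyc$/ { print $6 }' /etc/passwd | while read -r home; do
        ensure_jail_devnull "$home" || echo "failed for $home" >&2
    done
}
```

Run fix_all_scponly_jails as root after each setup_chroot.sh run, or call ensure_jail_devnull /home/newact for a single account.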