FS#24063 - [scponly] SFTP not possible but SCP

Attached to Project: Community Packages
Opened by Sascha Siegel (hardcore) - Tuesday, 03 May 2011, 11:16 GMT
Last edited by Sergej Pupykin (sergej) - Wednesday, 04 May 2011, 11:36 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

I created a chroot environment with /usr/share/doc/scponly/setup_chroot.sh
But sftp wouldn't work. I got an error msg from /var/log/auth.log:

May 3 11:01:53 localhost scponly[28649]: running: /usr/lib/ssh/sftp-server (username: scponly(1001), IP/port: 172.17.26.144 50009 22)
May 3 11:01:53 localhost scponly[28649]: failed: /usr/lib/ssh/sftp-server with error No such file or directory(2) (username: scponly(1001), IP/port: 172.17.26.144 50009 22)

=====
sash at paris in ~ % locate sftp | grep ssh
/etc/avahi/services/sftp-ssh.service
/usr/lib/ssh/sftp-server

=====
sash at paris in ~ % grep "sftp" /etc/ssh/sshd_config
Subsystem sftp /usr/lib/ssh/sftp-server

=====
sash at paris in ~ % grep "scp" /etc/passwd
scponly:x:1001:1001::/home/scponly:/usr/sbin/scponlyc

I think there's something wrong because scponly has sftp support.
I also tried to install scponly from the abs with "--with-sftp-server=/usr/lib/ssh/sftp-server".
Same problem :-/

Additional info:
* 4.8-6
* /var/log/auth.log



Steps to reproduce:

* Install scponly with pacman
* Use /usr/share/doc/scponly/setup_chroot.sh (ENTER all questions)
* try touch foobar && scp foobar scponly@host (it'll work fine)
* try sftp scponly@host and you'll get Connection closed (see logfile /var/log/auth.log)

Closed by  Sergej Pupykin (sergej)
Wednesday, 04 May 2011, 11:36 GMT
Reason for closing:  Fixed
Additional comments about closing:  try 7th pkgrel
Comment by Sergej Pupykin (sergej) - Tuesday, 03 May 2011, 11:59 GMT
Probably /home/scponly owned by root and has no permissions for other users
Comment by Sergej Pupykin (sergej) - Tuesday, 03 May 2011, 12:02 GMT
btw, some sftp clients may require additional commands in chroot
Comment by Sergej Pupykin (sergej) - Tuesday, 03 May 2011, 12:10 GMT
also sftp-server needs libnss_files library which is not copied by setup_chroot.sh
Comment by Sascha Siegel (hardcore) - Tuesday, 03 May 2011, 13:44 GMT
/home/scponly has => drwxr-xr-x 10 root root 4096 May 2 15:52 scponly
/home/scponly/incoming has => drwxr-xr-x 2 scponly scponly 4.0K May 2 15:52 incoming

So I think other users can read that dir and write to ../incoming

---

libnss_files? Do you mean the package nss?
Comment by Sergej Pupykin (sergej) - Tuesday, 03 May 2011, 14:02 GMT
I just copied /lib/libnss_files-2.13.so and /lib/libnss_files.so.2 to chroot
Comment by Sascha Siegel (hardcore) - Wednesday, 04 May 2011, 08:30 GMT
That's not the only thing I did.

I used "ldd `which sftp`|sort" and copied all files to ../chroot/*
Now it works fine :)

Thanks,
hc
Comment by Sascha Siegel (hardcore) - Wednesday, 04 May 2011, 08:58 GMT
Solution:

copy /lib/libnss_files-2.13.so and /lib/libnss_files.so.2 to ../chroot/lib
copy output from "ldd `which sftp`|sort" to /chroot/*

e.g.

user@host# ldd `which sftp`|sort
libc.so.6 => /lib/libc.so.6 (0x00007f4af6747000)
libedit.so.0 => /usr/lib/libedit.so.0 (0x00007f4af6aa5000)
/lib/ld-linux-x86-64.so.2 (0x00007f4af6efe000)
libncursesw.so.5 => /lib/libncursesw.so.5 (0x00007f4af64ec000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007f4af6ce1000)
linux-vdso.so.1 => (0x00007ffff33ff000)

You can ignore linux-vdso.so.1 because there's no path indeed :)

Somebody wants to fix the package?
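
Added example (not part of the original thread and not code from the scponly package): a POSIX shell sketch of the manual fix described in the comments above, which parses ldd output, skips entries without a path such as linux-vdso.so.1, and copies the remaining libraries plus libnss_files into the chroot. The function names, the NSS_LIB variable and the two command-line arguments (chroot directory, binary to inspect) are assumptions made for this example; the binary would be the one scponly executes in the auth.log lines, /usr/lib/ssh/sftp-server.

```shell
#!/bin/sh
# Added example: copy the shared libraries a binary needs into a chroot.

# The ldd output quoted in the comment above, reused as sample input.
SAMPLE_LDD='libc.so.6 => /lib/libc.so.6 (0x00007f4af6747000)
libedit.so.0 => /usr/lib/libedit.so.0 (0x00007f4af6aa5000)
/lib/ld-linux-x86-64.so.2 (0x00007f4af6efe000)
libncursesw.so.5 => /lib/libncursesw.so.5 (0x00007f4af64ec000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00007f4af6ce1000)
linux-vdso.so.1 => (0x00007ffff33ff000)'

# Read ldd output on stdin and print the absolute path of every entry
# that has one. linux-vdso (no path) and "not found" lines are skipped.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # name => /path (addr)
        $1 ~ /^\//               { print $1 }        # /lib/ld-linux-... (addr)
    ' | LC_ALL=C sort -u
}

# Read library paths on stdin and copy each one to the same path below
# the chroot directory given as $1. cp -L follows symlinks, so a soname
# link such as libnss_files.so.2 ends up as a regular file in the chroot.
copy_into_chroot() {
    chroot_dir=$1
    while IFS= read -r lib; do
        mkdir -p "$chroot_dir$(dirname "$lib")"
        cp -L "$lib" "$chroot_dir$lib"
    done
}

# Usage (assumed for this example): script CHROOT_DIR BINARY
# glibc loads libnss_files with dlopen() at run time, so ldd never lists
# it; it is appended by hand, as in the comments above.
# ldd can execute code from the file it inspects: run it only on
# binaries installed from a trusted package.
if [ "$#" -eq 2 ]; then
    {
        ldd "$2" | ldd_paths
        echo "${NSS_LIB:-/lib/libnss_files.so.2}"
    } | copy_into_chroot "$1"
fi
```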
