scponly not working with chroot

[hamba]

Hi

I'm having trouble setting up scponly. I can get it working when the shell is set to /usr/local/bin/scponly but not to /usr/local/sbin/scponlyc

I followed all the steps

Code:

cd /usr/local/share/examples/scponly/ && /bin/sh setup_chroot.sh

and follow the instructions

But when it comes time to test the account I'm getting this message from winscp

Code:

Cannot initialize SFTP protocol. Is the host running a SFTP server?

and from a shell account

Code:

me@host1> sftp user@host2
Connecting to host2...
Password:
Connection closed

here is what I see in my logs

Code:

May 15 14:54:00 host2 sshd[75239]: Accepted keyboard-interactive/pam for user from 192.168.xx.xxx port 55072 ssh2
May 15 14:54:00 host2 sshd[75242]: subsystem request for sftp
May 15 13:54:00 host2 scponly[75243]: running: /usr/libexec/sftp-server (username: user(1003), IP/port: 192.168.xx.xxx 55072 22)

Does anyone have an idea why this is happening and how I can fix this?
Or is there another, even better way of allowing users to only use sft that is chrooted?

Thanks
hamba

[richardpl]

Explain in more detail your setup, otherwise my possible response will not be usefull at all.

[hamba]

Got it working but its not perfect

I had to mount mount devfs to /home/user/dev

Code:

mount -t devfs dev /home/user/dev

There is a small rc script but its not creating the devfs properly
here are the step that should work but doesn't

Code:

make_devfs() {
    # $1 is the user name whose home directory needs a minimal
    # devfs created. If ~/dev exists, it will be deleted.

    eval DEV="~$1/dev"
    while /sbin/umount "${DEV}" 2>/dev/null; do :; done
    /bin/rm -rf "${DEV}"
    /bin/mkdir -p "${DEV}"
    if /sbin/mount -t devfs dev "${DEV}"; then
        /sbin/devfs -m "${DEV}" rule -s 1 applyset && \
        /sbin/devfs -m "${DEV}" rule -s 2 applyset || \
        /sbin/umount "${DEV}" 2>/dev/null
    fi
}

I'm getting these errors

Code:

devfs -m dev rule -s 1 applyset
devfs rule: ioctl DEVFSIO_SAPPLY: No such process

I'll contact the port maintainer and see if he can hep

[anomie]

Quote:

Originally Posted by hamba

I'll contact the port maintainer and see if he can hep

IMO, that's not something you should be bothering the port maintainer with. Please google for that error message; there are many hits.

Just a comment from me, FWIW: using the scponly chroot capabilities introduces something of a security risk, in that you're requiring it to run with the suid bit set. To me it would be much safer to build a FBSD jail and keep your users contained within. Or, just use the regular scponly shell if you can live with the idea that they'll have access to files on the system that their permissions allow.