i’ve added scponly rpms with chroot enabled for rhel4. get the files here or by apt/yum. this is more useful in a shared hosting environment than the rpms found at DAG and elsewhere that don’t have chroot enabled.
to use this, for example on a plesk box to allow domains to use sftp without having to give them a chroot’ed bash shell, do the following:
- install the scponly rpm from the downloads area
- add the following line to your /etc/shells file
/usr/sbin/scponlyc
- set any domain you want to have sftp access without any other shell access to use this shell.
- optionally, edit your domain templates to make this the default shell and remove the ability for clients to change the shell for a domain
note that this will only allow domains to use sftp but not scp (at least on a redhat box). this is because plesk decided to put the scp binary for a site’s chroot somewhere different from where it exists in the rest of the system, so it’s not where the scponlyc shell will look for it. just keep that in mind in case anyone complains that sftp works but scp doesn’t.
if you want to have scp work for a domain, hard link the domain’s bin/scp to usr/bin/scp. if you want, you can even make the change to the chroot directory so that newly created domains have scp available, too. and if you’re brave, you can use the chrootmng tool to set up existing domains with your changes to the chroot directory.
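the steps above, written as an added example (this is not from the post and not part of scponly or plesk). the paths are the ones the post names: /usr/sbin/scponlyc, /etc/shells, and the domain chroot’s bin/scp and usr/bin/scp; the function names and arguments are this example’s own, and both functions can be re-run safely.

```shell
#!/bin/sh
# Added example, not the post's own code: idempotent versions of the
# /etc/shells and scp hard-link steps described above.

# register_shell SHELLS_FILE SHELL_PATH
# Appends SHELL_PATH to SHELLS_FILE only if it is not already listed, so
# running the step twice does not leave a duplicate line behind.
register_shell() {
    shells_file=$1
    shell_path=$2
    # -x matches the whole line, -F treats the path as a fixed string
    if grep -qxF "$shell_path" "$shells_file" 2>/dev/null; then
        return 0
    fi
    echo "$shell_path" >> "$shells_file"
}

# link_scp_into_chroot CHROOT_DIR
# Plesk puts the site's scp at CHROOT_DIR/bin/scp, but scponlyc as built on
# Red Hat looks for CHROOT_DIR/usr/bin/scp. Hard-link the former to the
# latter: one inode, so there is no second copy to keep up to date, and both
# paths are inside the chroot so they are on the same filesystem.
link_scp_into_chroot() {
    chroot_dir=$1
    src=$chroot_dir/bin/scp
    dst=$chroot_dir/usr/bin/scp
    if [ ! -x "$src" ]; then
        echo "$src: not found or not executable" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        # already there (earlier run, or the chroot template was fixed)
        return 0
    fi
    mkdir -p "$chroot_dir/usr/bin"
    ln "$src" "$dst"
}

# Typical use on the plesk box itself (as root). The domain chroot path is a
# placeholder; use the real chroot directory of the domain.
#   register_shell /etc/shells /usr/sbin/scponlyc
#   link_scp_into_chroot /path/to/domain/chroot
```

the hard link has to be created by root from outside the chroot, and it only helps if the chroot is otherwise complete (the post’s earlier caveat about chroot’ed shells still applies).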
Hello,
we have tested your SCPOnly RPM on our RHE4 box but it does not seem to work. Using WSFTP, connecting to our SSH port, 2222, we get the following error from WSFTP:
Error 842c0000 receiving sftp packet
error 842c0000 initializing sftp protocol
Sending channel close message for channel 0760a2ce
SSH Transport closed.
And our server logs show:
Sep 5 10:04:35 s1 sshd[9771]: subsystem request for sftp
Sep 5 03:04:35 s1 scponly[9772]: running: /usr/libexec/openssh/sftp-server (username: s1(10001), IP/port: 6939 2222)
Sep 5 03:04:35 s1 scponly[9772]: failed: /usr/libexec/openssh/sftp-server with error No such file or directory(2) (username: s1(10001), IP/port: 6939 2222)
Any ideas?
Hi,
Try setting the debug level of scponly, such as:
echo 2 > /etc/scponly/debuglevel
and then check /var/log/secure or possibly other logs after an attempt to connect.
Likely things that can go wrong include:
a) not having a minimally-working chroot for the user you are trying to scp with.
b) having the user’s chroot directory writable by the user and/or not owned by root (security issue, scponlyc will intentionally fail in order to protect you when it detects an insecure chroot setup for using it).
c) not having scp located at /usr/bin/scp inside the user’s chroot — you’d need to rebuild the rpm on a differently-configured system to change this. By default I believe it’s looking in the same location in the user’s chroot for scp as the binary resides on the system it was compiled on. For Red Hat, which is what the rpm was compiled on, this will be /usr/bin/scp.
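A pre-flight check for the three failure modes listed in this reply, added here as an example (it is not from the post and not part of scponly). It assumes the rpm’s Red Hat defaults for where scponlyc looks inside the chroot, usr/bin/scp and usr/libexec/openssh/sftp-server (the latter is the path the failing log line above shows), and uses GNU coreutils `stat -c`. The optional second argument exists only so the check can be exercised as a non-root user; in real use leave it off and the chroot is required to be owned by root.

```shell
#!/bin/sh
# Added example, not scponly's own code: sanity-check a user's chroot before
# blaming scponlyc. Prints one line per problem and returns the problem count.

# check_scponly_chroot DIR [REQUIRED_UID]
# REQUIRED_UID defaults to 0 (root), which is what scponlyc insists on.
check_scponly_chroot() {
    dir=$1
    want_uid=${2:-0}
    problems=0

    if [ ! -d "$dir" ]; then
        echo "$dir: chroot directory does not exist"
        return 1
    fi

    # (b) ownership: a chroot owned by the user is rejected by scponlyc
    owner=$(stat -c '%u' "$dir")
    if [ "$owner" != "$want_uid" ]; then
        echo "$dir: owned by uid $owner, expected uid $want_uid"
        problems=$((problems + 1))
    fi

    # (b) permissions: group- or world-writable chroot is also rejected.
    # The last two octal digits are group and other; a write bit is 2, 3, 6, 7.
    perm=$(stat -c '%a' "$dir")
    case "$perm" in
        *[2367][0-7]|*[2367])
            echo "$dir: mode $perm is group- or world-writable"
            problems=$((problems + 1))
            ;;
    esac

    # (a)/(c) the binaries scponlyc will exec must exist inside the chroot at
    # the paths compiled in on Red Hat
    for rel in usr/bin/scp usr/libexec/openssh/sftp-server; do
        if [ ! -x "$dir/$rel" ]; then
            echo "$dir: missing or not executable: $rel"
            problems=$((problems + 1))
        fi
    done

    return $problems
}

# Typical use (as root); the chroot path is a placeholder:
#   check_scponly_chroot /path/to/domain/chroot && echo "chroot looks usable"
```

A clean result from this check only covers what the reply lists; a "minimally-working chroot" also needs the shared libraries those two binaries link against, which this does not verify.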
Hi, thanks for the great work on this, could you post the rpms? I would like to look at it and may need to make some modifications for our system. Thanks.
Tom, sorry for the slow reply. The rpms and srpms are at:
http://downloads.justinsamuel.com/rpms/redhat/el5/en/i386/
Any chance the el5 repo rpms will conflict with el4?
There could be conflicts using the el5 rpms on el4, but I have el4 rpms available, also (I should have linked to both before).
Here are the el4 rpms, with scponly in there:
http://downloads.justinsamuel.com/rpms/redhat/el4/en/i386/RPMS.js/