Comments on: scponly rpms with chroot enabled added for rhel4 http://www.justinsamuel.com/2006/03/30/scponly-rpms-with-chroot-enabled-added-for-rhel4/ Security, Linux, Development Tue, 06 Jan 2009 03:06:47 +0000 http://wordpress.org/?v=2.7 hourly 1 By: Chris http://www.justinsamuel.com/2006/03/30/scponly-rpms-with-chroot-enabled-added-for-rhel4/comment-page-1/#comment-630 Chris Fri, 03 Oct 2008 15:48:35 +0000 http://www.justinsamuel.com/linux/server-security/10/scponly-rpms-with-chroot-enabled-added-for-rhel4#comment-630 Hello Justin, I installed this for EL5, and I cannot get it, in the logs I see the following: Oct 3 10:47:32 storage scponly[5385]: chroot dir not owned by root: /home/test2 Oct 3 10:47:32 storage sshd[5382]: pam_unix(sshd:session): session closed for user test2 Any thoughts? Thanks for your help in advance :) Hello Justin,

I installed this for EL5, and I cannot get it, in the logs I see the following:

Oct 3 10:47:32 storage scponly[5385]: chroot dir not owned by root: /home/test2
Oct 3 10:47:32 storage sshd[5382]: pam_unix(sshd:session): session closed for user test2

Any thoughts?

Thanks for your help in advance :)

]]> By: justin http://www.justinsamuel.com/2006/03/30/scponly-rpms-with-chroot-enabled-added-for-rhel4/comment-page-1/#comment-548 justin Mon, 11 Feb 2008 23:24:22 +0000 http://www.justinsamuel.com/linux/server-security/10/scponly-rpms-with-chroot-enabled-added-for-rhel4#comment-548 There could be conflicts using the el5 rpms on el4, but I have el4 rpms available, also (I should have linked to both before). Here are the el4 rpms, with scponly in there: http://downloads.justinsamuel.com/rpms/redhat/el4/en/i386/RPMS.js/ There could be conflicts using the el5 rpms on el4, but I have el4 rpms available, also (I should have linked to both before).

Here are the el4 rpms, with scponly in there:

http://downloads.justinsamuel.com/rpms/redhat/el4/en/i386/RPMS.js/

]]> By: Tom McManus http://www.justinsamuel.com/2006/03/30/scponly-rpms-with-chroot-enabled-added-for-rhel4/comment-page-1/#comment-547 Tom McManus Mon, 11 Feb 2008 21:26:33 +0000 http://www.justinsamuel.com/linux/server-security/10/scponly-rpms-with-chroot-enabled-added-for-rhel4#comment-547 Any chance the el5 repo rpms will conflict with el4? Any chance the el5 repo rpms will conflict with el4?

]]> By: justin http://www.justinsamuel.com/2006/03/30/scponly-rpms-with-chroot-enabled-added-for-rhel4/comment-page-1/#comment-525 justin Tue, 15 Jan 2008 20:06:36 +0000 http://www.justinsamuel.com/linux/server-security/10/scponly-rpms-with-chroot-enabled-added-for-rhel4#comment-525 Tom, sorry for the slow reply. The rpms and srpms are at: http://downloads.justinsamuel.com/rpms/redhat/el5/en/i386/ Tom, sorry for the slow reply. The rpms and srpms are at:

http://downloads.justinsamuel.com/rpms/redhat/el5/en/i386/

]]> By: Tom McManus http://www.justinsamuel.com/2006/03/30/scponly-rpms-with-chroot-enabled-added-for-rhel4/comment-page-1/#comment-479 Tom McManus Fri, 21 Dec 2007 16:08:54 +0000 http://www.justinsamuel.com/linux/server-security/10/scponly-rpms-with-chroot-enabled-added-for-rhel4#comment-479 Hi, thanks for the great work on this, could you post the rpms? I would like to look at it and may need to make some modifications for our system. Thanks. Hi, thanks for the great work on this, could you post the rpms? I would like to look at it and may need to make some modifications for our system. Thanks.

]]> By: justin http://www.justinsamuel.com/2006/03/30/scponly-rpms-with-chroot-enabled-added-for-rhel4/comment-page-1/#comment-18 justin Tue, 05 Sep 2006 04:31:07 +0000 http://www.justinsamuel.com/linux/server-security/10/scponly-rpms-with-chroot-enabled-added-for-rhel4#comment-18 Hi, Try setting the debug level of scponly, such as: echo 2 > /etc/scponly/debuglevel and then check /var/log/secure or possibly other logs after an attempt to to connect. Likely things that can go wrong include: a) not having a minimally-working chroot for the user you are trying to scp with. b) having the user's chroot directory writable by the user and/or not owned by root (security issue, scponlyc will intentionally fail in order to protect you when it detects an insecure chroot setup for using it). c) not having scp located at /usr/bin/scp inside the user's chroot -- you'd need to rebuild the rpm on a differently-configured system to change this. By default I believe it's looking in the same location in the user's chroot for scp as the binary resides on the system it was compiled on. For Red Hat, which is what the rpm was compiled on, this will be /usr/bin/scp. Hi,

Try setting the debug level of scponly, such as:

echo 2 > /etc/scponly/debuglevel

and then check /var/log/secure or possibly other logs after an attempt to to connect.

Likely things that can go wrong include:

a) not having a minimally-working chroot for the user you are trying to scp with.

b) having the user’s chroot directory writable by the user and/or not owned by root (security issue, scponlyc will intentionally fail in order to protect you when it detects an insecure chroot setup for using it).

c) not having scp located at /usr/bin/scp inside the user’s chroot — you’d need to rebuild the rpm on a differently-configured system to change this. By default I believe it’s looking in the same location in the user’s chroot for scp as the binary resides on the system it was compiled on. For Red Hat, which is what the rpm was compiled on, this will be /usr/bin/scp.

]]> By: Christopher http://www.justinsamuel.com/2006/03/30/scponly-rpms-with-chroot-enabled-added-for-rhel4/comment-page-1/#comment-17 Christopher Tue, 05 Sep 2006 03:07:42 +0000 http://www.justinsamuel.com/linux/server-security/10/scponly-rpms-with-chroot-enabled-added-for-rhel4#comment-17 Hello, we have tested your SCPOnly RPM on our RHE4 box but it does not seem to work. Using WSFTP, connecting to our SSH port, 2222 we get the following error from WSFTP: Error 842c0000 receiving sftp packet error 842c0000 initializing sftp protocol Sending channel close message for channel 0760a2ce SSH Transport closed. And our server logs show: Sep 5 10:04:35 s1 sshd[9771]: subsystem request for sftp Sep 5 03:04:35 s1 scponly[9772]: running: /usr/libexec/openssh/sftp-server (username: s1(10001), IP/port: 6939 2222) Sep 5 03:04:35 s1 scponly[9772]: failed: /usr/libexec/openssh/sftp-server with error No such file or directory(2) (username: s1(10001), IP/port: 6939 2222) Any ideas? Hello,

we have tested your SCPOnly RPM on our RHE4 box but it does not seem to work. Using WSFTP, connecting to our SSH port, 2222 we get the following error from WSFTP:

Error 842c0000 receiving sftp packet
error 842c0000 initializing sftp protocol
Sending channel close message for channel 0760a2ce
SSH Transport closed.

And our server logs show:

Sep 5 10:04:35 s1 sshd[9771]: subsystem request for sftp
Sep 5 03:04:35 s1 scponly[9772]: running: /usr/libexec/openssh/sftp-server (username: s1(10001), IP/port: 6939 2222)
Sep 5 03:04:35 s1 scponly[9772]: failed: /usr/libexec/openssh/sftp-server with error No such file or directory(2) (username: s1(10001), IP/port: 6939 2222)

Any ideas?

]]>