# sftp-server of ssh doesn't work with scponly under 2007.0

## bolle732

Hi

I've been using Gentoo since 2005 and had a setup for SFTP access with the help of SCPOnly. Lately, I migrated to 2007.0 and now the SFTP setup doesn't work anymore.

Under 2006.x, I set up the SFTP jail as follows:

```
# groupadd -g 501 scpuser
# useradd -u 501 -g 501 -c "sftp jail access for user" -d /home/users/scpuser/ -s /usr/sbin/scponlyc -p "xxx" scpuser
# mkdir -p /home/users/scpuser
# chmod 751 /home/users/scpuser
# cd /home/users/scpuser
# mkdir var
# chown scpuser:root var
# chmod 700 var
# mkdir -p lib/tls
# chmod -R 751 lib
# mkdir -p usr/lib/misc
# chmod -R 751 usr
# cp /lib/ld-linux.so.2 lib/
# cp /lib/libcrypt.so.1 lib/
# cp /lib/libdl.so.2 lib/
# cp /lib/libnsl.so.1 lib/
# cp /lib/libresolv.so.2 lib/
# cp /lib/libutil.so.1 lib/
# cp /lib/libz.so.1 lib/
# chmod 755 lib/*.so.*
# cp /lib/tls/libc.so.6 lib/tls/
# chmod 755 lib/tls/*.so.*
# cp /usr/lib/libcrypto.so.0.9.7 usr/lib/
# chmod 755 usr/lib/*.so.*
# cp /usr/lib/misc/sftp-server usr/lib/misc/
# chmod 755 usr/lib/misc/sftp-server
```

This worked fine all the time.

Now, with 2007.0, the SFTP jail setup is as follows:

```
# groupadd -g 501 scpuser
# useradd -u 501 -g 501 -c "sftp jail access for user" -d /home/users/scpuser/ -s /usr/sbin/scponlyc -p "xxx" scpuser
# mkdir -p /home/users/scpuser
# chmod 751 /home/users/scpuser
# cd /home/users/scpuser
# mkdir var
# chown scpuser:root var
# chmod 700 var
# mkdir lib
# chmod 751 lib
# mkdir -p usr/lib/misc
# chmod -R 751 usr
# cp /lib/ld-linux.so.2 lib/
# cp /lib/libcrypt.so.1 lib/
# cp /lib/libdl.so.2 lib/
# cp /lib/libnsl.so.1 lib/
# cp /lib/libresolv.so.2 lib/
# cp /lib/libutil.so.1 lib/
# cp /lib/libz.so.1 lib/
# chmod 755 lib/*.so.*
# cp /lib/libc.so.6 lib/
# chmod 755 lib/*.so.*
# cp /usr/lib/libcrypto.so.0.9.7 usr/lib/
# cp /usr/lib/libssl.so.0.9.7 usr/lib/
# chmod 755 usr/lib/*.so.*
# cp /usr/lib/misc/sftp-server usr/lib/misc/
# chmod 755 usr/lib/misc/sftp-server
```

There are only slight changes in the setup, as there is no tls anymore in /lib and libssl.* is needed now.

The version from 2007.0 doesn't work. When copying the version from 2006.* to the server, this one is running.

I double checked the dependencies with ldd and enabled the logging in OpenSSH (DEBUG3). I tried with the sftp command line tool and WinSCP. I also checked the Gentoo-Bugzilla and this forum. But all without success.

The OpenSSH logs tell the following for the 2006.* setup:

```
...
sshd[x4x]: subsystem request for sftp
sshd[x4x]: debug1: subsystem: exec() /usr/lib/misc/sftp-server
sshd[x5x]: debug3: channel 0: close_fds r -1 w -1 e -1 c -1
scponly[x5x]: running: /usr/lib/misc/sftp-server (username: scpuser(501), IP/port: 141.171.216.89 2159 22)
sshd[x4x]: debug2: fd 3 setting TCP_NODELAY
sshd[x4x]: debug2: fd 8 setting O_NONBLOCK
sshd[x4x]: debug3: fd 8 is O_NONBLOCK
...
```

For the 2007.0 setup, the logs show:

```
...
sshd[x4x]: subsystem request for sftp
sshd[x4x]: debug1: subsystem: exec() /usr/lib/misc/sftp-server
sshd[x5x]: debug3: channel 0: close_fds r -1 w -1 e -1 c -1
scponly[x5x]: running: /usr/lib/misc/sftp-server (username: scpuser(501), IP/port: 141.171.216.89 2159 22)
sshd[x4x]: debug2: fd 3 setting TCP_NODELAY
sshd[x4x]: debug2: fd 8 setting O_NONBLOCK
sshd[x4x]: debug3: fd 8 is O_NONBLOCK
sshd[x4x]: debug1: Received SIGCHLD.
sshd[x4x]: debug1: session_by_pid: pid x5x
sshd[x4x]: debug1: session_exit_message: session 0 channel 0 pid x5x
sshd[x4x]: debug2: channel 0: request exit-status confirm 0
sshd[x4x]: debug1: session_exit_message: release channel 0
...
```

With the 2007.0 setup, I'm disconnected immediately.

I can't figure out why I'm receiving the SIGCHLD.

Another difference is the occurrence in the order of the lines:

```
...
sshd[x2x]: debug2: User child is on pid x4x
sshd[x2x]: debug3: mm_request_receive entering
...
```

My installation is up to date (20070530).

Any suggestions what I can test more or where the error could be?

Thanks in advance

Andreas

----------

## spiffywiffy

Did you happen to solve this issue?

----------

## Hu

SIGCHLD just means the child process quit.  Most likely, there is a configuration error with the sftp-server that is causing it to exit.  Emerge dev-util/strace and have it follow execution of the child process.  Run it as strace -f -tt -o sshd.strace -p <pid-of-sshd>.  The system call logs may lead you to the reason the sftp-server is terminating.

----------

## bolle732

I did install strace and ran it as described.

Here is the result when connecting with WinSCP to the 2007.0 jail:

```
# strace -f -tt -o sshd.strace -p 2986
Process 2986 attached - interrupt to quit
Process 26023 attached
Process 26032 attached
Process 26041 attached
Process 26041 detached
Process 26032 detached
Process 26043 attached
Process 26044 attached
Process 26044 detached
Process 26023 suspended
Process 26023 resumed
Process 26043 detached
Process 26023 detached
```

When using the jail built with the 2006.1:

```
# strace -f -tt -o sshd.strace -p 2986
Process 2986 attached - interrupt to quit
Process 7859 attached
Process 7868 attached
Process 7886 attached
Process 7886 detached
Process 7868 detached
Process 7889 attached
Process 7892 attached
```

I'm connected. When disconnecting:

```
Process 7859 suspended
Process 7859 resumed
Process 7889 detached
Process 7859 detached
Process 7892 detached
```

Any ideas?

Andreas

----------

## bolle732

Sorry, but I think I won't upload the whole trace log.

After adding "{JAIL}/dev/null" to the syslog, I get

```
sftp-server[423]: fatal: No user found for uid xxx
```

even though I have the "passwd" and "group" in the "{JAIL}/etc". Really strange.

Andreas

----------

## bolle732

OK, I solved it now. OpenSSH was configured to use PAM and therefore I needed the files "libnss_compat.so.2" and "libnss_files.so.2" from the "/lib" directory too. My jail now works, but it is 5x more complicated than with 2006.1 :(

Thank you for the strace tip! I think this will help me a lot in the future.

Andreas

----------

## bolle732

Here is the complete code for the setup:

```
# emerge scponly
# nano -w /etc/shells
add: /usr/sbin/scponlyc
# groupadd -g <GID> <GROUPNAME>
# useradd -u <UID> -g <GID> -c "sftp jail access for <USER>" -d /home/users/<USERNAME>/ -s /usr/sbin/scponlyc -p "<PASSWORDHASH>" <USERNAME>
# mkdir -p /home/users/<USERNAME>
# chmod 751 /home/users/<USERNAME>
# cd /home/users/<USERNAME>
# mkdir dev
# chmod 751 dev
# mknod dev/null c 1 3
# chmod 666 dev/null
# mkdir etc
# chmod 751 etc
# echo "<USERNAME>:x:<UID>:<GID>:::" > etc/passwd
# echo "<GROUPNAME>:x:<GID>:" > etc/group
# mkdir lib
# chmod 751 lib
# cp /lib/ld-linux.so.2 lib/
# cp /lib/libcrypt.so.1 lib/
# cp /lib/libdl.so.2 lib/
# cp /lib/libnsl.so.1 lib/
# cp /lib/libnss_compat.so.2 lib/
# cp /lib/libnss_files.so.2 lib/
# cp /lib/libresolv.so.2 lib/
# cp /lib/libutil.so.1 lib/
# cp /lib/libz.so.1 lib/
# cp /lib/libc.so.6 lib/
# chmod 755 lib/*.so.*
# mkdir -p usr/lib/misc
# chmod -R 751 usr
# cp /usr/lib/libcrypto.so.0.9.? usr/lib/
# cp /usr/lib/libssl.so.0.9.? usr/lib/
# chmod 755 usr/lib/*.so.*
# cp /usr/lib/misc/sftp-server usr/lib/misc/
# chmod 755 usr/lib/misc/sftp-server
# mkdir var
# chown <USERNAME>:root var
# chmod 700 var
```

Replace any variable <XXX> with your values. Instead of using the <PASSWORDHASH>, you can use the "passwd" utility to set it up.

Andreas
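
Added example, not part of the original posts: glibc loads its libnss_* modules with dlopen() at run time, so an ldd check like the one described in the first post does not list them. The sketch below checks a jail against both the ldd output and the two NSS modules named in the thread; the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list libraries missing from a chroot jail.

# Constructed sample of `ldd /usr/lib/misc/sftp-server` output; addresses are made up.
sample_ldd() {
    cat <<'EOF'
    linux-gate.so.1 =>  (0xffffe000)
    libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7e00000)
    libz.so.1 => /lib/libz.so.1 (0xb7d00000)
    libc.so.6 => /lib/libc.so.6 (0xb7c00000)
    /lib/ld-linux.so.2 (0xb7f00000)
EOF
}

# Print the first absolute path on each line of ldd output read from stdin.
ldd_paths() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# jail_missing ROOT: read absolute paths on stdin, print those absent under ROOT.
jail_missing() {
    root=$1
    while IFS= read -r path; do
        [ -e "$root$path" ] || printf '%s\n' "$path"
    done
}

# glibc dlopen()s its NSS modules at run time, so ldd never lists them.
# These are the two modules the thread found necessary.
NSS_MODULES="/lib/libnss_compat.so.2 /lib/libnss_files.so.2"

# check_jail ROOT: ldd output on stdin; prints linked and NSS libraries missing in ROOT.
check_jail() {
    { ldd_paths; printf '%s\n' $NSS_MODULES; } | sort -u | jail_missing "$1"
}

# Demo: build a throwaway jail holding only what ldd reported, then check it.
demo() {
    tmp=$(mktemp -d)
    sample_ldd | ldd_paths | while IFS= read -r p; do
        mkdir -p "$tmp$(dirname "$p")" && : > "$tmp$p"
    done
    sample_ldd | check_jail "$tmp"
    rm -rf "$tmp"
}

demo   # real use: ldd /usr/lib/misc/sftp-server | check_jail /home/users/<USERNAME>
```

An empty result means every linked library and both NSS modules are present under the jail root.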

----------

## spiffywiffy

This was extremely helpful.  Thank you!

----------

