# [SOLVED] scponly chroot not working

## fourhead

Hello,

okay first of all, an off-topic question: Does someone know a good, crowded Debian forum? I have a Debian LVS (I would install Gentoo, but it doesn't work) and so far I've only found forums.debian.net and debianforum.de but I never, I mean really never get an answer there! I don't want to flame, and I'm not saying this has to do with Debian, but it turned out to be more helpful to post my Debian questions here on the Gentoo forums....

So well I've installed scponlyc (the chrooted version) to allow a few friends secure SFTP/SCP access. I have scponly and scponlyc as valid shells, and I ran the script that came with scponly that automatically creates a chroot environment for me. The user has /usr/sbin/scponlyc as shell, and SSH itself works fine with /bin/bash as shell, but when I try to log in as this scponly-user with SFTP or WinSCP, I just get a "Connection closed". WinSCP says something about error 127.

Can somebody tell me what I'm missing here? Where could I find more error messages? If you need more details, please write me!

Tom

Last edited by fourhead on Fri Apr 22, 2005 12:35 am; edited 1 time in total

----------

## wjholden

Looking at this, I'd say log in via SSH and type "which scp".  If it doesn't show up you've found your problem, although this would not explain why SFTP does not work.  In Gentoo you can turn SFTP on and off in /etc/ssh/sshd_config, I'd think it's the same place in Debian.  That's all I can think of.

----------

## fourhead

Hi, well I did what you said and it tells me scp is in /usr/bin. A copy of it is also in my chroot, /home/<user>/usr/bin. Also all dependencies of scp (from ldd) are within the chroot.

So what I did is the following:

1. Make scponly[c] a valid shell in /etc/shells

2. Assign /usr/sbin/scponly to the appropriate user

3. Run the script that comes with scponly to create the chroot environment, which ran without any errors.

Is there anything that I'm missing in these steps?

Tom

----------

## wjholden

*elektrohirn wrote:*

> Hi, well I did what you said and it tells me scp is in /usr/bin. A copy of it is also in my chroot, /home/<user>/usr/bin. Also all dependencies of scp (from ldd) are within the chroot.

Is that in the user's $PATH?

----------

## fourhead

Yes it is! Damn it's so strange, I have no idea what's wrong here.

Tom

----------

## wjholden

This is bizarre.  Are you sure all of the permissions are set correctly, meaning that everything that should be executable by scponly user is set properly?  I'm out of ideas after that.

----------

## OhSh33t

*destuxor wrote:*

> This is bizarre.  Are you sure all of the permissions are set correctly, meaning that everything that should be executable by scponly user is set properly?  I'm out of ideas after that.

I copied "cp groups /home/scponly/bin/groups" as mentioned by the ebuild.

I'm unable to use Winscp [Version 3.7.0(Build254)] or Scp from Gentoo Linux or Pscp from Windows. I've messed with a ton of local WinScp settings and still get the same results.

I don't get Error 127 but I do get this repeatedly like exactly 10 times and eventually WinScp appears connected but I'm unable to do anything.

"Error getting current name of directory"

Command 'pwd ; echo "WinSCP: this is end-of-file:$status"' failed with invalid output ''. [OK] or [CANCLE]

The logs on the server show:

```
Apr 18 04:28:54 nfusion sshd[14949]: Accepted keyboard-interactive/pam for testuser from 192.168.2.250 port 1915 ssh2
Apr 18 04:28:54 nfusion sshd(pam_unix)[14955]: session opened for user testuser by (uid=0)
Apr 18 11:28:54 nfusion [14956]: running: /bin/pwd (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:54 nfusion [14957]: failed: /bin/pwd with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:57 nfusion [14957]: running: /bin/pwd (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:57 nfusion [14958]: failed: /bin/pwd with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:57 nfusion [14958]: running: /bin/pwd (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:57 nfusion [14959]: failed: /bin/pwd with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:58 nfusion [14959]: running: /bin/pwd (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:58 nfusion [14960]: failed: /bin/pwd with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:59 nfusion [14960]: running: /bin/ls -la --full-time (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:59 nfusion [14961]: failed: /bin/ls -la --full-time with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:59 nfusion [14961]: running: /bin/ls -lad .. (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:59 nfusion [14962]: failed: /bin/ls -lad .. with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:59 nfusion [14962]: running: /bin/pwd (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:28:59 nfusion [14963]: failed: /bin/pwd with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:00 nfusion [14963]: running: /bin/ls -la (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:00 nfusion [14964]: failed: /bin/ls -la with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:00 nfusion [14964]: running: /bin/ls -lad .. (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:00 nfusion [14965]: failed: /bin/ls -lad .. with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:09 nfusion [14965]: running: /bin/pwd (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:09 nfusion [14966]: failed: /bin/pwd with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:52 nfusion [14966]: running: /bin/pwd (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:52 nfusion [14967]: failed: /bin/pwd with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:57 nfusion [14967]: running: /bin/pwd (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:57 nfusion [14968]: failed: /bin/pwd with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:58 nfusion [14968]: running: /bin/pwd (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
Apr 18 11:29:58 nfusion [14969]: failed: /bin/pwd with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.250 1915 22)
```

I've checked the permissions in /home/scponly/usr/bin and "scp" has permissions to be executed by Others.

```
# ls -la /home/scponly/usr/bin
total 584
drwxr-xr-x  2 root root    120 Apr 18 00:12 .
drwxr-xr-x  4 root root     96 Apr 17 05:54 ..
-rwxr-xr-x  1 root root 344192 Apr 18 00:12 ld
-rwxr-xr-x  1 root root 212872 Apr 18 00:12 rsync
-rwxr-xr-x  1 root root  35140 Apr 18 00:12 scp
```

```
# ls -la /home/scponly/bin
total 432
drwxr-xr-x  2 root root   368 Apr 18 02:23 .
drwxr-xr-x  7 root root   168 Apr 17 05:54 ..
-rwxr-xr-x  1 root root 36172 Apr 18 00:12 chgrp
-rwxr-xr-x  1 root root 36220 Apr 18 00:12 chmod
-rwxr-xr-x  1 root root 39244 Apr 18 00:12 chown
-rwxr-xr-x  1 root root 16776 Apr 18 00:12 echo
-rwxr-xr-x  1 root root  6464 Apr 18 02:23 groups
-rwxr-xr-x  1 root root  6464 Apr 18 00:12 groups.old
-rwxr-xr-x  1 root root 28048 Apr 18 00:12 ln
-rwxr-xr-x  1 root root 84160 Apr 18 00:12 ls
-rwxr-xr-x  1 root root 25748 Apr 18 00:12 mkdir
-rwxr-xr-x  1 root root 66468 Apr 18 00:12 mv
-rwxr-xr-x  1 root root 16584 Apr 18 00:12 pwd
-rwxr-xr-x  1 root root 36540 Apr 18 00:12 rm
-rwxr-xr-x  1 root root 16948 Apr 18 00:12 rmdir
```

I used "useradd -m -G scponly -s /usr/sbin/scponlyc testuser" and set the passwd to create the account. Seeing that this is a chrooted account I don't really see how I can log in with this user with its shell set like this, either locally or remote, to check the path in the first place, as was mentioned to do in an earlier posting. It's not using a Bash shell, I don't think, so modifying .bashrc I don't think is going to help.

SCP from windows or linux fails as well from a chrooted user account. Works great for other accounts. Same errors no matter what I try for the destination path. Same error failing "No such file or directory(2)".

```
Apr 18 04:35:51 nfusion sshd(pam_unix)[14988]: session opened for user testuser by (uid=0)
Apr 18 11:35:52 nfusion [14989]: running: /usr/bin/scp -t /home/scponly/incoming (username: testuser(1004), IP/port: 192.168.2.22 2816 22)
Apr 18 11:35:52 nfusion [14989]: failed: /usr/bin/scp -t /home/scponly/incoming with error No such file or directory(2) (username: testuser(1004), IP/port: 192.168.2.22 2816 22)
Apr 18 04:35:52 nfusion sshd(pam_unix)[14988]: session closed for user testuser
```

Maybe I'll file a bug if no one has any input that will help.

----------

## OhSh33t

I figured out what my problem was.  At least from my testing this seems to be what the problem is.

The users that I had created using.........

```
useradd -m -G scponly -s /usr/sbin/scponlyc myusername
```

.....didn't have the right home dir of /home/scponly. I then tried....

```
useradd -d /home/scponly/incoming -G scponly -s /usr/sbin/scponlyc myusername
```

.... and that didn't work. Got the same errors I posted earlier......  This needed to be.....

```
usermod -d /home/scponly -G scponly -s /usr/sbin/scponlyc myusername
```

.... and I connected with WinSCP just fine after that and was trapped in the chroot environment.. pretty nice...

This is totally hilarious.  I've been using Gentoo for two years now and I actually mainly focus on Routing and Firewalling with Gentoo, and love it.  I don't know crap about host based security or basic sys admin stuff.  I did read the documentation on scponly's site. /usr/share/doc/scponly/* is a one-page cut and paste of the website basically.  When I was running into trouble I googled first, then the Gentoo forum, then the IRC channel and was basically ignored, at which point I knew I must have been doing something really stupid, and I was.

Nowhere in the documentation does it mention that when you create new users they need to have a home directory of /home/scponly.  The only thing they emphasize is the need to change the user's shell account. Well, it's on to host-based security, Linux sysadmin stuff and kernel hardening now. Should be interesting to see where I'm at two years from now. Most surely bald from Linux madness..

----------

## fourhead

This is so crazy. Okay, I basically gave up trying this a few days ago, and just right now I thought, okay, let's check this error message again, so I did "sftp myserver.de", logged in with my username+pw and voila! It worked and I was in my chroot. I started WinXP in QEMU, tried it with WinSCP and it also worked, I also tried copying a file to / and to /incoming which all worked as it should. Then, I closed WinSCP, started it again, logged in again - and bam, same error. I went to my console, tried sftp again - and it just kicks me out. What the hell???

Tom

----------

## fourhead

Can somebody tell from this output what's wrong with my SSH? I'm really, really wondering why it suddenly worked after a few days, and 5 seconds later it doesn't.

```
Connecting to myserver.de...
OpenSSH_4.0p1, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to myserver.de [192.168.169.199] port 2222.
debug1: Connection established.
debug1: identity file /home/.ssh/identity type -1
debug1: identity file /home/.ssh/id_rsa type -1
debug1: identity file /home/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'myserver.de' is known and matches the RSA host key.
debug1: Found key in /home/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/.ssh/identity
debug1: Trying private key: /home/.ssh/id_rsa
debug1: Offering public key: /home/.ssh/id_dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 127
Connection closed
```

----------

## fourhead

Okay, I'm coming a little closer. When I try scp instead of sftp from my console, I get this:

```
/usr/bin/scp: error while loading shared libraries: libcrypto.so.0.9.7: cannot open shared object file: No such file or directory
lost connection
```

So it seems it can't find this lib. On the server, 'ldd /usr/bin/scp' tells me

```
libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x4002f000)
```

and this lib is under /home/<user>/usr/lib/i686/cmov on the server, so this should be okay. When I open WinSCP and choose to use scp instead of sftp, I get the error about the groups command, but I can log in and it shows me the dirs in my chroot. But when I try to copy a file, it gives me (roughly translated from German)

"SCP couldn't be started for the transfer. Make sure SCP is installed on the server and that $PATH contains the path to SCP. Error 127".

So this is pretty obvious ... Destuxor, it seems you asked the right question. Can you tell me how I set $PATH for the chrooted user? Do I need something like /etc/profile or bashrc in the user's chroot? EDIT: Another question, is there a way to automatically cd the user into the incoming dir when he logs in?

Tom

----------

## wjholden

Well, reading this it appears that you can set it during the installation process...I know you could login via SSH and then use the export command to manually set it, but I think that would go away after you logged out.  It may, however, work to add the export PATH = /home/whatever into the users' .bashrc, .bash_profile, or .login file?  This may be of interest, but be aware that this document is old.

Upon further googling this'll probably be your best thing to look at.

----------

## fourhead

Hi, thanks for all your links, they've been helpful, but actually my problem was something different, and I solved it:

SCP couldn't find libcrypto.so. When running ldd it said scp uses /usr/lib/i686/cmov/libcrypto.so, and I had this file in my chroot, but there was another libcrypto.so in /usr/lib, and now I copied this file in my chroot too and suddenly sftp & scp work perfectly!

One question though: Could I somehow tell SSH/scponly to cd the user into incoming/ upon login?

Tom
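The fix above (a second copy of libcrypto reachable under /usr/lib, even though `ldd` on the host pointed at /usr/lib/i686/cmov) suggests a check worth running before handing a chroot to users. The script below is an added example, not code from this thread or from the scponly project: it reads the host's `ldd` output for a binary and reports every library that is absent from the chroot at the path `ldd` names, and every library whose soname is not also present in the chroot's /lib or /usr/lib. The function names, the throwaway chroot and the hand-written `ldd` lines are my own; the library paths are modelled on the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from scponly): check a chroot against the
# host's `ldd` output for one binary.
# Usage:  ldd /usr/bin/scp | chroot_lib_check /home/scponly

chroot_lib_check() {
    root=$1
    # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or, for the
    # interpreter, "/lib/ld-linux.so.2 (0x...)". "linux-gate.so.1 => (0x...)"
    # is the kernel vDSO: no file behind it, so it is skipped.
    awk '/=>/ { if ($3 ~ /^\//) print $1, $3; next }
         $1 ~ /^\// { print $1, $1 }' |
    while read -r name path; do
        name=${name##*/}
        if [ ! -e "$root$path" ]; then
            echo "MISSING $path (path reported by ldd on the host)"
        elif [ ! -e "$root/lib/$name" ] && [ ! -e "$root/usr/lib/$name" ]; then
            # present where ldd said, but not in the plain default directories,
            # which is the situation the thread ran into with libcrypto
            echo "WARN $name present at $path but not in the chroot's /lib or /usr/lib"
        fi
    done
}

# Constructed demonstration: a throwaway chroot laid out like the one in the
# thread (libcrypto only under usr/lib/i686/cmov) and hand-written ldd output.
demo_chroot_lib_check() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/i686/cmov" "$root/lib"
    : > "$root/usr/lib/i686/cmov/libcrypto.so.0.9.7"
    : > "$root/lib/libc.so.6"
    : > "$root/lib/ld-linux.so.2"
    printf '%s\n' \
        '  linux-gate.so.1 =>  (0xffffe000)' \
        '  libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x4002f000)' \
        '  libz.so.1 => /usr/lib/libz.so.1 (0x40120000)' \
        '  libc.so.6 => /lib/libc.so.6 (0x40140000)' \
        '  /lib/ld-linux.so.2 (0x40000000)' |
        chroot_lib_check "$root"
    rm -rf "$root"
}

demo_chroot_lib_check
```

Run as-is the demo prints one WARN line for libcrypto and one MISSING line for libz; libc and the loader pass. Against a real chroot, pipe `ldd` of each binary you copied in (scp, sftp-server, ls, pwd, groups) through `chroot_lib_check`; an empty result means every dependency is where the chroot's loader can find it.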

----------

## vodkin40

I had the same question and found this neat undocumented feature looking through the source code:

Open /etc/passwd and modify the home directory for a given scponly user like this:

```
scpdude:x:1002:200:/home/scponly//incoming/:/usr/sbin/scponlyc
```

It will cd to the directory after the two slashes upon login.

Now I'm trying to understand how to prevent logged-in users from cd'ing up.
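Two things in this thread turn on the home field of the passwd entry: OhSh33t found that a scponlyc account only works once its home is the chroot itself (/home/scponly, not /home/scponly/incoming), and vodkin40 describes the "//" convention that splits the field into the chroot and a start directory. The script below is an added example, not code from this thread or from scponly: it reads a passwd file, takes every account whose shell is scponlyc, applies that split, and reports the chroot and start directory each account would get, flagging a chroot that has no bin/ directory (the populated chroot in the thread has one). The function names, the constructed passwd entries and their uids are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from scponly): report the chroot root
# and start directory of every scponlyc account in a passwd file.
# Usage:  scponly_home_check /etc/passwd [/usr/sbin/scponlyc]

scponly_home_check() {
    passwd=$1
    shell=${2:-/usr/sbin/scponlyc}
    # field 1 is the user name, field 6 the home directory, field 7 the shell
    awk -F: -v shell="$shell" '$7 == shell { print $1, $6 }' "$passwd" |
    while read -r user home; do
        # "//" convention as described by vodkin40: chroot before it, start dir after it
        case $home in
            *//*) root=${home%%//*}; start=${home#*//} ;;
            *)    root=$home;        start= ;;
        esac
        if [ ! -d "$root" ]; then
            echo "$user: chroot $root does not exist"
        elif [ ! -d "$root/bin" ]; then
            echo "$user: chroot $root has no bin/ directory (not a populated chroot)"
        elif [ ! -d "$root/$start" ]; then
            echo "$user: start dir /$start missing inside chroot $root"
        else
            echo "$user: OK chroot=$root start=/$start"
        fi
    done
}

# Constructed demonstration with a throwaway chroot and invented passwd entries:
# "good" has the chroot as home, "dude" adds the "//incoming/" start directory,
# "bad" uses the incoming directory itself as home, like OhSh33t's failed attempt.
demo_scponly_home_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/scponly/bin" "$tmp/home/scponly/usr/bin" "$tmp/home/scponly/incoming"
    cat > "$tmp/passwd" <<EOF
root:x:0:0:root:/root:/bin/bash
tom:x:1001:1001::/home/tom:/bin/bash
good:x:1002:200::$tmp/home/scponly:/usr/sbin/scponlyc
dude:x:1003:200::$tmp/home/scponly//incoming/:/usr/sbin/scponlyc
bad:x:1004:200::$tmp/home/scponly/incoming:/usr/sbin/scponlyc
EOF
    scponly_home_check "$tmp/passwd"
    rm -rf "$tmp"
}

demo_scponly_home_check
```

The demo prints an OK line for "good" (start dir /), an OK line for "dude" (start dir /incoming/), and a complaint for "bad", whose chroot root would be the incoming directory with no bin/ in it. On a live system run `scponly_home_check /etc/passwd` after each useradd or usermod; the bash and other non-scponlyc accounts are ignored.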

----------

