# [Solved] SCPOnly 4.6 installation woes...

## Kenu

Hi all,

I've done a search but so far come up empty - the closest thing I can see is the thread for rssh..

I'm trying to install SCPOnly 4.6 on Gentoo.  I am unable to establish a chrooted connection.

Here's my compilation string:

```
./configure --enable-chrooted-binary --enable-scp-compat --enable-winscp-compat
```

Make and make install both go smoothly.  I follow the documentation and change /etc/shells.

The next step was to create a user, so I used the supplied script "setup_chroot.sh:"

```
Next we need to set the home directory for this scponly user.
please note that the user's home directory MUST NOT be writeable
by the scponly user. this is important so that the scponly user
cannot subvert the .ssh configuration parameters.
for this reason, a writeable subdirectory will be created that
the scponly user can write into.
Username to install [scponly]
home directory you wish to set for this user [/home/scponly]
name of the writeable subdirectory [incoming]
creating  /home/scponly/incoming directory for uploading files
Your platform (Linux) does not have a platform specific setup script.
This install script will attempt a best guess.
If you perform customizations, please consider sending me your changes.
Look to the templates in build_extras/arch.
 - joe at sublimation dot org
please set the password for scponly:
New UNIX password: 
BAD PASSWORD: it is too short
Retype new UNIX password: 
passwd: password updated successfully
if you experience a warning with winscp regarding groups, please install
the provided hacked out fake groups program into your chroot, like so:
cp groups /home/scponly/bin/groups
```

The jail is built and all the files check out:

```
$ ls -al
total 28
drwxr-xr-x 7 root    root    4096 May 19 10:11 .
drwxr-xr-x 8 root    root    4096 May 19 10:10 ..
drwxr-xr-x 2 root    root    4096 May 19 10:11 bin
drwxr-xr-x 2 root    root    4096 May 19 10:11 etc
drwxr-xr-x 2 scponly scponly 4096 May 19 10:11 incoming
drwxr-xr-x 2 root    root    4096 May 19 10:11 lib
drwxr-xr-x 4 root    root    4096 May 19 10:10 usr
```

Now, when I try to do an scp, here's what I get:

```
$ scp -v TODO scponly@localhost:
Executing: program /usr/bin/ssh host localhost, user scponly, command scp -v -t .
OpenSSH_4.3p2, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending command: scp -v -t .
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Couldn't open /dev/null: No such file or directorydebug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1
lost connection
```

Here's the connect log when I try Core FTP Lite, using SFTP/SSH:

```
Server version: SSH-2.0-OpenSSH_4.3
version: SSH-2.0-SSH-Local: Sep 23 2004 18:47:58
Using SSH protocol version 2
processing group exchange
processing key exchange
Host key fingerprint is:
ssh-rsa 2048 5d:5a:f2:6e:bd:a7:df:86:fe:e6:5d:16:82:f9:e8:3e
Initialized AES-256 client->server encryption
Initialized AES-256 server->client encryption
Access granted
Opened channel for session
Started shell session
Server sent command exit status 1
All channels closed. Disconnecting
Unable to initialize SFTP: ????4???t (sftp not enabled?) 
Can't establish connection --> vm-albert:22 @ Fri May 19 10:28:23 2006   (122-1)
```

Similarly, with sftp:

```
$ sftp -v scponly@localhost
Connecting to localhost...
OpenSSH_4.3p2, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending subsystem: sftp
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1
Connection closed
```

When I try using a regular shell (even /usr/local/bin/scponly) I can connect, but it's not rooting me.

Thoughts, or need more information?

Thanks in advance, much appreciated.

*Last edited by Kenu on Tue May 23, 2006 9:50 pm; edited 1 time in total*

----------

## wippie

I have tried to get this working too, but without success.

But from your scp log, you seem to be missing /dev/null in your chrooted system.

 *Quote:*   

> ...
> 
> Couldn't open /dev/null: No such file or directorydebug1: channel 0: free: client-session, nchannels 1
> 
> ...

 

Try to create one with mknod and see what happens.

```
mkdir /your/chroot/dir/dev
mknod -m 666 /your/chroot/dir/dev/null c 1 3
```

If you get a chrooted scponly running, please tell us how you did it!

----------

## wippie

Just got a working chrooted scponlyc by creating a /dev/null in the chrooted dir with mknod.

A generic chrooted scponly-4.6 installation (for x86 systems) may be done with:

```
#echo "net-misc/scponly ~x86" >> /etc/portage/package.keywords
#emerge \=scponly-4.6
#emerge --config \=scponly-4.6
#mkdir /home/scponly/dev
#mknod -m 666 /home/scponly/dev/null c 1 3
```

'emerge --config' creates an (almost) working chrootable dir in /home called scponly and also creates a scponly user and group.

You can then simply add users for sftp with

 *Quote:*   

> #useradd -g scponly -s /usr/sbin/scponlyc -d /home/scponly [username]

 

But it doesn't seem like logging from the chrooted scponlyc works, at least not with metalog. Might just be me who has forgotten something.

----------

## Kenu

Ah, thanks wippie - that seems to have fixed it.

Creating /chroot/dir/dev/null has made it work.

Now I have to get this working in our Solaris environment too, which is a whole new task altogether.

Thanks again!

----------

## Magic Michael

Is this a bug or a feature that we have to configure manually? Shouldn't that be unnecessary when using an ebuild?

```
sauger scponly-4.6-r1 # pwd
/usr/share/doc/scponly-4.6-r1
sauger scponly-4.6-r1 # sh setup_chroot.sh
grep: config.h: No such file or directory
your scponly build is not configured for chrooted operation.
please reconfigure as follows, then rebuild and reinstall:
./configure --enable-chrooted-binary (... other options)
sauger scponly-4.6-r1 # 
```

----------

## m27315

 *wippie wrote:*   

> But it doesn't seem like logging from the chrooted scponlyc works, at least not with metalog. Might just be me who has forgotten something.

 

Did anybody ever get this working?

Incidentally, the 4.6-r1 build of scponly automatically created the /home/scponly jail environment, including the /home/scponly/dev/null node.  I didn't have to do anything but:

```
# echo "net-misc/scponly ~x86" >> /etc/portage/package.keywords
# emerge scponly
# emerge --config =net-misc/scponly-4.6-r1
```

And for each new user that was to use scponly, I did:

```
# useradd -g scponly -s /usr/sbin/scponlyc -d /home/scponly//home/NEWUSER NEWUSER
```

Everything else seems to work just fine -- except logging. ... Which brings me back to my question -- did anybody get scponly logging working with metalog?

Thanks!

----------

## m27315

Well, I finally got scponly reporting to metalog. Actually, it was already showing up in the "everything" log, but I wanted a separate log file for scponly, and I wanted to be emailed when someone used it. ... So, here's what I finally did.

Added these lines to /etc/metalog.conf:

```
SCPONLY :
  program  = "scponly"
  logdir   = "/var/log/scponly"
  command  = "/usr/local/sbin/scponly_report.sh"
```

The program is the token placed in square brackets, if you look in your "everything" log file ([scponly]).  Of course, you can change the logdir if you like, but I wanted mine to be placed in a standard location.  The command to be executed upon a log entry, /usr/local/sbin/scponly_report.sh, is a custom script that emails me a notice whenever someone logs in, or transfers files.  

Create the command file, /usr/local/sbin/scponly_report.sh.  Here's its contents:

```
#!/bin/bash
# metalog runs this with the log entry as arguments:
#   $1 = date, $2 = program token, $3 = message
# The blank line after Subject: separates the mail headers from the body.
echo "To: root
Subject: (I) SCPONLY

1 = $1
2 = $2
3 = $3
* = $*
" | /var/qmail/bin/qmail-inject -f root
```

Currently, all this program does is email me the arguments sent to the reporting command by metalog. I haven't prettied it up yet by parsing and interpreting the arguments. Maybe you could do that. Also, I use qmail, so you will have to adjust the "sendmail" command if you are using something besides qmail. In case you are interested, here is an anonymized sample email:

```
Subject: (I) SCPONLY
1 = Oct 11 22:09:17
2 = scponly
3 = running: /usr/lib/misc/sftp-server (username: MYUSERIDNAME(MYUSERIDNUMBER), IP/port: X.X.X.X Y Z)
* = Oct 11 22:09:17 scponly running: /usr/lib/misc/sftp-server (username: MYUSERIDNAME(MYUSERIDNUMBER), IP/port: X.X.X.X Y Z)
```

Where,

X.X.X.X = sender's IP address

Y = sender's port number (sport)

Z = destination port number (dport)

Restart metalog:

```
/etc/init.d/metalog restart
```

HTH
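An added example, not m27315's script and not anything shipped with scponly or metalog: a POSIX sh version of the report script that interprets the three arguments metalog passes (the message shape is taken from the sample email above) and mails one readable line per login, or a warning when the message does not parse. The user name, uid and the 192.0.2.10 address in the comments are constructed.

```sh
#!/bin/sh
# Interprets the three arguments metalog hands to the command= script
# ($1 date, $2 program token, $3 message) instead of mailing them raw. The
# message shape is the one in the sample email above, e.g. (constructed):
#   running: /usr/lib/misc/sftp-server (username: alice(1001), IP/port: 192.0.2.10 51234 22)

# Splits a "running:" message into SCP_COMMAND, SCP_USER, SCP_UID, SCP_CLIENT_IP,
# SCP_CLIENT_PORT and SCP_SERVER_PORT; returns 1 for any other shape so the
# caller never reports fields that were not actually parsed.
parse_scponly_entry() {
    case "$1" in
        "running: "*" (username: "*"("*"), IP/port: "*" "*" "*")") ;;
        *) return 1 ;;
    esac
    rest="${1#running: }"
    SCP_COMMAND="${rest%% (username: *}";  rest="${rest#* (username: }"
    SCP_USER="${rest%%(*}";                rest="${rest#*(}"
    SCP_UID="${rest%%)*}";                 rest="${rest#*), IP/port: }"
    SCP_CLIENT_IP="${rest%% *}";           rest="${rest#* }"
    SCP_CLIENT_PORT="${rest%% *}";         rest="${rest#* }"
    SCP_SERVER_PORT="${rest%)}"
}

# Prints the mail (headers, blank line, body) for one entry. Messages that do
# not parse are still reported, under a different subject, so nothing is lost.
format_report() {
    when="$1"; program="$2"; message="$3"
    if parse_scponly_entry "$message"; then
        printf 'To: root\nSubject: (I) SCPONLY login %s\n\n' "$SCP_USER"
        printf '%s  %s (uid %s) connected from %s:%s to port %s\nserver program: %s\n' \
            "$when" "$SCP_USER" "$SCP_UID" "$SCP_CLIENT_IP" "$SCP_CLIENT_PORT" \
            "$SCP_SERVER_PORT" "$SCP_COMMAND"
    else
        printf 'To: root\nSubject: (W) SCPONLY unparsed entry\n\n%s [%s] %s\n' \
            "$when" "$program" "$message"
    fi
}

# As the metalog command= target, the script body would end with:
#   format_report "$1" "$2" "$3" | /var/qmail/bin/qmail-inject -f root
```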

----------

## zomps

Another hint for this thread:

Remove nodev from fstab on the partition where the chroot lies.

Wasted a lot of time today debugging this.
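An added example, not part of this thread or of the scponly project: a set of POSIX sh checks for the jail conditions raised here, wippie's missing dev/null node, zomps' nodev mount, setup_chroot.sh's rule that the home directory must not be writeable by the scponly user, and the /etc/shells step from the first post. The chroot path, user name and mount lines in the comments are assumptions; the checks rely on GNU stat and awk.

```sh
#!/bin/sh
# Checks for an scponly chroot: the two pitfalls from this thread (no dev/null
# node, filesystem mounted nodev) and two setup_chroot.sh conditions (home not
# writeable by the user, scponlyc listed in /etc/shells). Each check prints one
# line and returns 0 (ok) or 1 (fail).

# dev/null inside the chroot must be a character device, major 1 minor 3.
check_dev_null() {
    node="${1%/}/dev/null"
    [ -c "$node" ] || { echo "FAIL: $node missing (mknod -m 666 $node c 1 3)"; return 1; }
    majmin=$(stat -c '%t:%T' "$node")   # hex major:minor, "1:3" for /dev/null
    [ "$majmin" = "1:3" ] || { echo "FAIL: $node is device $majmin, expected 1:3"; return 1; }
    echo "OK: $node is a 1,3 character device"
}

# A nodev mount makes that node useless. Reads /proc/mounts-format lines from
# stdin and picks the innermost mount holding the chroot:
#   check_nodev /home/scponly < /proc/mounts
check_nodev() {
    awk -v root="$1" '
        ($2 == "/" || $2 == root || index(root, $2 "/") == 1) && length($2) >= length(best) {
            best = $2; opts = $4      # a later line wins for the same mount point
        }
        END {
            if (best == "") { print "FAIL: no mount found for " root; exit 1 }
            if (opts ~ /(^|,)nodev(,|$)/) { print "FAIL: " best " is mounted nodev, so device nodes under " root " are ignored"; exit 1 }
            print "OK: " best " (holding " root ") allows device nodes"
        }'
}

# The home directory must not be owned or group/world writeable by the scponly
# user, or the .ssh configuration can be changed; only the "incoming"
# subdirectory belongs to the user.
check_home_not_writable() {
    dir="$1"; user="$2"
    owner=$(stat -c '%U' "$dir") || return 1
    mode=$(stat -c '%a' "$dir")
    [ "$owner" != "$user" ] || { echo "FAIL: $dir is owned by $user"; return 1; }
    case "$mode" in
        *[2367]?|*[2367]) echo "FAIL: $dir mode $mode has a group/other write bit"; return 1 ;;
    esac
    echo "OK: $dir is owned by $owner with mode $mode"
}

# The /etc/shells step from the first post: the shell must appear as an exact
# line; the file is an argument so a staged copy can be checked too.
check_shells() {
    grep -qxF "$2" "$1" && { echo "OK: $2 is listed in $1"; return 0; }
    echo "FAIL: $2 is not listed in $1"; return 1
}
```

Run the four checks against the real jail as root, feeding check_nodev from /proc/mounts; each prints OK or FAIL with the reason.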

----------

