# [solved] scponly chroot problem - PAM user account expired

## noclear2000

Hi,

I tried to install scponly to chroot some users into their home directories, allowing scp/sftp access only (no shell).

What I did:

1. emerge scponly (4.8)

2. emerge --config =net-misc/scponly-4.8 (to setup the chroot)

3. add a user: useradd -g scponly -s /usr/sbin/scponlyc -d /home/scponly//home/<username> <username>

4. passwd <username>

Lines in /etc/passwd:

```
scponly:x:102:1007:scponly user:/home/scponly//:/usr/sbin/scponlyc
<username>:x:1005:1008::/home/scponly//home/<username>:/usr/sbin/scponlyc
```

Lines in /etc/shadow:

```
scponly::14223:0:99999:7:::
<username>:$1$9Vzvu//n$OchVPZ6DMzM801t6Pja60.:14227:0:99999:7:::
```

In /etc/ssh/sshd_config:

UsePrivilegeSeparation no (I read somewhere that this is required for chrooting?)

When I try to log in from a Windows box using WinSCP:

```
Dec 14 22:01:16 treehouse-sss sshd[28503]: pam_access(sshd:account): access denied for user `<username>' from `<hostname>'
Dec 14 22:01:16 treehouse-sss sshd[28503]: pam_access(sshd:account): access denied for user `<username>' from `<hostname>'
Dec 14 22:01:16 treehouse-sss sshd[28502]: error: PAM: User account has expired for <username> from <hostname>
Dec 14 22:01:16 treehouse-sss sshd[28502]: Failed keyboard-interactive for <username> from <ip> port 63282 ssh2
Dec 14 22: Received disconnect from <ip>: 11: No supported authentication methods available
```

I am not sure whether the "permission denied" is the real problem and the PAM message is just a result of that, or whether they are two different errors.

The account is NOT expired:

```
chage -l <username>
Last password change                                    : Dec 14, 2008
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
```

The permissions:

In and on /home/scponly/* the permissions are as set by emerge --config (see above).

In /home/scponly I created the directory home:

```
drwxr-xr-x 3 root    root    4.0K Dec 12 14:57 home
```

In /home/scponly/home/ there is the directory <username>:

```
drw---x--x 6 <username>  <username> 4.0K Dec 12 14:57 <username>
```

Any ideas? Thanks a lot in advance.

Last edited by noclear2000 on Mon Dec 15, 2008 10:15 am; edited 1 time in total

----------

## noclear2000

Oh, stupid me!!! If <username> is rejected by /etc/security/access.conf, that cannot work. In the list of allowed users I forgot to insert that username. Argh!

After that I was nearly there.

But I had to:

1. Add these two lines to the ebuild (below --with-sftp-server="/usr/$(get_libdir)/misc/sftp-server" \)

+     --enable-scp-compat \

+     --enable-winscp-compat \

2. ebuild scponly-4.8 manifest

3. re-emerge scponly

4. After permission issues and "unknown uid 1005": cat /etc/passwd | grep <username> >> /home/scponly/etc/passwd

5. chmod 660 /home/scponly/home/<username>/ -R

6. chmod ugo+X /home/scponly/home/<username>/ -R

Now it works.

Documented my stupidity here because I hope it might help someone out there.

EDIT: and added the modified ebuild to a local overlay.
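As an added example (editorial, not code from the thread, from scponly or from Gentoo), the following shell functions check for the two things that bit the poster above: the user not being named in /etc/security/access.conf (a pam_access denial in the account stack, which sshd logged here as "User account has expired", so that message alone does not prove an expired account) and the user's uid missing from the chroot's own etc/passwd (the "unknown uid" sftp-server reported after the chroot). It assumes the layout used in this thread: a passwd home field of the form `<chroot>//<dir inside chroot>` and an `etc/passwd` inside the chroot. All paths are passed as arguments so it can be run against copies of the files; the access.conf check is a literal name lookup and does not reimplement pam_access rule evaluation.

```shell
#!/bin/sh
# Added example, not code from the thread, from scponly or from Gentoo.
# Checks for the two causes found above: the user missing from
# /etc/security/access.conf (pam_access denial, surfaced by sshd as
# "User account has expired") and the user's uid missing from the
# chroot's own etc/passwd ("unknown uid" from sftp-server after chroot).
#
# Assumed layout, as in the thread: the passwd home field reads
# "<chroot>//<dir inside chroot>" and the chroot carries etc/passwd.
# Every file is passed as an argument, so this runs against constructed
# copies as well as a live system.

# Split the scponly home field at its "//" marker.
#   scponly_chroot_root "/home/scponly//home/bob"  ->  /home/scponly
#   scponly_inner_home  "/home/scponly//home/bob"  ->  /home/bob
# Both fail when the marker is absent (scponly would then not chroot).
scponly_chroot_root() {
    case "$1" in
        *//*) printf '%s\n' "${1%%//*}" ;;
        *)    return 1 ;;
    esac
}

scponly_inner_home() {
    case "$1" in
        *//*) printf '/%s\n' "${1#*//}" ;;
        *)    return 1 ;;
    esac
}

# Print field $3 (1-based) of user $2 from passwd-format file $1.
# Prints nothing when the file is unreadable or the user is absent.
passwd_field() {
    [ -r "$1" ] || return 1
    awk -F: -v u="$2" -v f="$3" '$1 == u { print $f; exit }' "$1"
}

# After chroot(2), sftp-server resolves uids against <chroot>/etc/passwd.
# Succeed only if the user exists there with the same uid as on the host.
chroot_passwd_consistent() {
    # $1 = host passwd file, $2 = chroot root, $3 = user
    host_uid=$(passwd_field "$1" "$3" 3)
    jail_uid=$(passwd_field "$2/etc/passwd" "$3" 3)
    [ -n "$host_uid" ] && [ "$host_uid" = "$jail_uid" ]
}

# Literal check only: is $2 named in the user field of any access.conf
# rule (permission:users:origins)? This does not evaluate +/-, groups,
# ALL, EXCEPT or origins the way pam_access does; it only catches the
# "forgot to list the user" mistake from the thread.
access_conf_names_user() {
    awk -F: -v u="$2" '
        /^[[:space:]]*(#|$)/ { next }
        {
            n = split($2, names, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (names[i] == u) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Run every check for one user. Prints one line per finding and returns
# non-zero if anything failed.
check_scponly_user() {
    # $1 = host passwd file, $2 = access.conf, $3 = user
    home=$(passwd_field "$1" "$3" 6)
    root=$(scponly_chroot_root "$home") || {
        echo "$3: home field '$home' has no // marker, scponly will not chroot"
        return 1
    }
    rc=0
    chroot_passwd_consistent "$1" "$root" "$3" ||
        { echo "$3: uid missing or different in $root/etc/passwd"; rc=1; }
    access_conf_names_user "$2" "$3" ||
        { echo "$3: not named in $2, pam_access will deny the login"; rc=1; }
    return $rc
}
```

Usage on a live box would be `check_scponly_user /etc/passwd /etc/security/access.conf <username>`; a non-zero exit with the printed findings points at which of the two fixes from the post above is still missing.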

----------

## desultory

Try using net-misc/scponly-4.8-r1 with the scp and winscp USE flags enabled, that should alleviate the need for maintaining a version in your local overlay.

----------

## noclear2000

Ah, thanks for that great hint! But what's that passwd USE flag for? [Local: Enables passwd compatibility] What is that about?

EDIT: and another question. When I update to -r1 the users are thrown into / (chrooted /home/scponly) on login instead of /home/<username> (/home/scponly/home/<username>). Downgrade and they are chdir'ed into their writable subdirs.

passwd entries look like:

```
<username>:x:1005:1008::/home/scponly//home/<username>:/usr/sbin/scponlyc
```

where, in the homedir path (/home/scponly//home/<username>), everything before // stands for the folder to chroot into and everything after // for the dir to cd into when the user logs in. Works with 4.8, not with 4.8-r1.

What am I doing wrong?

----------

