
Scponly-full broken on default Lucid install?

Reported by David Watson on 2010-10-29
This bug affects 7 people
Affects: scponly (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: scponly-full

The package scponly-full that allows chrooted scponly access appears to be broken on Lucid server.

Versions

$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04

$ apt-cache policy scponly-full
scponly-full:
  Installed: 4.8-4
  Candidate: 4.8-4
  Version table:
 *** 4.8-4 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

Steps To Reproduce

1) Download ubuntu-10.04-server-amd64.iso

2) Install vanilla installation using VM Workstation hands off installation / manual process

3) Log in and update to latest patches (sudo aptitude update ; sudo aptitude upgrade)

4) Install scponly-full package (sudo aptitude install scponly-full)

5) Set package up:

cd /usr/share/doc/scponly-full/setup_chroot
sudo gunzip setup_chroot.sh.gz
sudo chmod +x setup_chroot.sh

6) Create chrooted scp user:

sudo ./setup_chroot.sh

and select default options (username = "scponly", path="/home/scponly", incoming directory="incoming" ie just hit return each time)

set a password

7) Attempt to scp a file into the newly created chrooted scponly user's incoming directory:

scp testfile scponly@vmaddress:/incoming

receive this error:

$ scp testfile scponly@192.168.0.238:/incoming
scponly@192.168.0.238's password:
unknown user 1001
lost connection

The above steps work as expected on Karmic with the latest patches if you build from the lucid source package:

sudo vi /etc/apt/sources.list

# Lucid sources for scponly-full
deb-src http://archive.ubuntu.com/ubuntu lucid main restricted universe multiverse

sudo aptitude update
sudo apt-get build-dep scponly-full
sudo apt-get -b source -t lucid scponly-full
sudo aptitude purge scponly
sudo rm -rf /usr/share/doc/scponly
sudo dpkg -i scponly-full_4.8-4_amd64.deb
sudo dpkg-reconfigure -plow scponly-full
cd /usr/share/doc/scponly-full/setup_chroot
sudo gunzip setup_chroot.sh.gz
sudo chmod +x setup_chroot.sh
sudo ./setup_chroot.sh

Supporting Detail

Repeating step 7 whilst tailing /var/log/auth.log:

Oct 29 06:56:10 ubuntu sshd[23082]: Accepted password for scponly from 192.168.0.144 port 38968 ssh2
Oct 29 06:56:10 ubuntu sshd[23082]: pam_unix(sshd:session): session opened for user scponly by (uid=0)
Oct 29 06:56:10 ubuntu scponly[23098]: running: /usr/bin/scp -t /incomin (username: scponly(1001), IP/port: 192.168.0.144 38968 22)
Oct 29 06:56:10 ubuntu sshd[23097]: Received disconnect from 192.168.0.144: 11: disconnected by user
Oct 29 06:56:10 ubuntu sshd[23082]: pam_unix(sshd:session): session closed for user scponly

No errors logged.

8) Tried increasing debug level from 0 to 2 on the server for scponly:

sudo vi /etc/scponly/debuglevel
sudo /etc/init.d/ssh restart

Extra server log output:

sudo tail -f /var/log/auth.log

Oct 29 07:06:16 ubuntu sshd[1392]: Accepted password for scponly from 192.168.0.144 port 53769 ssh2
Oct 29 07:06:16 ubuntu sshd[1392]: pam_unix(sshd:session): session opened for user scponly by (uid=0)
Oct 29 07:06:16 ubuntu scponly[1408]: chrooted binary in place, will chroot()
Oct 29 07:06:16 ubuntu scponly[1408]: 3 arguments in total.
Oct 29 07:06:16 ubuntu scponly[1408]: #011arg 0 is scponlyc
Oct 29 07:06:16 ubuntu scponly[1408]: #011arg 1 is -c
Oct 29 07:06:16 ubuntu scponly[1408]: #011arg 2 is scp -t /incoming
Oct 29 07:06:16 ubuntu scponly[1408]: opened log at LOG_AUTHPRIV, opts 0x00000029
Oct 29 07:06:16 ubuntu scponly[1408]: determined USER is "scponly" from environment
Oct 29 07:06:16 ubuntu scponly[1408]: retrieved home directory of "/home/scponly" for user "scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: chrooting to dir: "/home/scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: chdiring to dir: "/"
Oct 29 07:06:16 ubuntu scponly[1408]: setting uid to 1001
Oct 29 07:06:16 ubuntu scponly[1408]: processing request: "scp -t /incoming"
Oct 29 07:06:16 ubuntu scponly[1408]: Using getopt processing for cmd /usr/bin/scp#012 (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: getopt processing returned 't' (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: Found "HOME" and setting it to "/home/scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: Environment contains "HOME=/home/scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: Looking for 'HOME=' in 'HOME=/home/scponly'
Oct 29 07:06:16 ubuntu scponly[1408]: 'HOME' env entry now reads 'HOME=/home/scponly'
Oct 29 07:06:16 ubuntu scponly[1408]: set non-chrooted HOME environment variable to /home/scponly (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: running: /usr/bin/scp -t /incoming (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: about to exec "/usr/bin/scp" (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu sshd[1407]: Received disconnect from 192.168.0.144: 11: disconnected by user
Oct 29 07:06:16 ubuntu sshd[1392]: pam_unix(sshd:session): session closed for user scponly

and client:

david@monolith:~$ scp testfile scponly@192.168.0.238:/incoming
scponly@192.168.0.238's password:
scponly[1408]: chrooted binary in place, will chroot()
scponly[1408]: 3 arguments in total.
scponly[1408]: arg 0 is scponlyc
scponly[1408]: arg 1 is -c
scponly[1408]: arg 2 is scp -t /incoming
scponly[1408]: opened log at LOG_AUTHPRIV, opts 0x00000029
scponly[1408]: determined USER is "scponly" from environment
scponly[1408]: retrieved home directory of "/home/scponly" for user "scponly"
scponly[1408]: chrooting to dir: "/home/scponly"
scponly[1408]: chdiring to dir: "/"
scponly[1408]: setting uid to 1001
scponly[1408]: processing request: "scp -t /incoming"
scponly[1408]: Using getopt processing for cmd /usr/bin/scp
 (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: getopt processing returned 't' (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: Found "HOME" and setting it to "/home/scponly"
scponly[1408]: Environment contains "HOME=/home/scponly"
scponly[1408]: Looking for 'HOME=' in 'HOME=/home/scponly'
scponly[1408]: 'HOME' env entry now reads 'HOME=/home/scponly'
scponly[1408]: set non-chrooted HOME environment variable to /home/scponly (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: running: /usr/bin/scp -t /incoming (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: about to exec "/usr/bin/scp" (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
unknown user 1001
lost connection

So apparently no obviously useful extra information there.

The only potentially relevant existing information I could find on the net -> http://muzso.hu/2007/11/23/how-to-create-an-sftp-chroot-jail-easily-on-debian-with-scponly, but the chrooted scponly user already has a world-readable password file with the correct details in it:

/home/scponly/etc$ ls -l
total 8
-rw-r--r-- 1 root root 639 2010-10-29 06:31 group
-rw-r--r-- 1 root root 54 2010-10-29 06:31 passwd

/home/scponly/etc$ more passwd
scponly:x:1001:1001::/home/scponly:/usr/sbin/scponlyc

And the user also exists in the Ubuntu host's master password file:

$ grep 1001 /etc/passwd
scponly:x:1001:1001::/home/scponly:/usr/sbin/scponlyc

$ grep 1001 /etc/group
scponly:x:1001:

and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=353976 (closed with no real resolution)

Unless I'm doing something wrong, this seems to be a clearly reproducible bug that renders the scponly-full package unusable in the vanilla configuration on Lucid.

David Watson (david-watson) wrote :

Potential fix that works for me:

david@ubuntu:/usr/share/doc/scponly-full/setup_chroot$ diff setup_chroot.sh setup_chroot.sh.orig
98,102d97
< /bin/ls /lib/libnss_files* > /dev/null 2>&1
< if [ $? -eq 0 ]; then
< LIB_LIST="$LIB_LIST /lib/libnss_files*"
< fi
<
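Review bot: the diff was taken with the modified file as the first argument (`diff setup_chroot.sh setup_chroot.sh.orig`), so the lines you added show up as `<` removals under a `98,102d97` header and the output cannot be fed to `patch` to apply the fix; swap the arguments, or use `diff -u setup_chroot.sh.orig setup_chroot.sh`, so the new block appears as additions. On the content itself: the test hard-codes `/lib/libnss_files*`, the same pattern the script already uses for `libnss_compat*`, and on multiarch releases the modules live under `/lib/<triplet>/` instead (the Natty comment below hits exactly this for `libnss_compat*`), so a glob that covers both layouts, e.g. `/bin/ls /lib/libnss_files* /lib/*-linux-gnu/libnss_files*`, would keep the fix working past Lucid.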

dahias (wengahias) wrote :

Thanks Mr. Watson for the hint. These files need to be inside the chrooted /lib directory.

hias@ubuntu:$ sudo cp /lib/libnss_files* -av /home/USER/lib/

`/lib/libnss_files-2.11.1.so' -> `/home/USER/lib/libnss_files-2.11.1.so'
`/lib/libnss_files.so.2' -> `/home/USER/lib/libnss_files.so.2'

After that things should work.


I have tried what was suggested without success

my auth.log:
Jun 17 14:39:44 dns sshd[6278]: debug1: Forked child 6296.
Jun 17 14:39:44 dns sshd[6296]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jun 17 14:39:44 dns sshd[6296]: debug1: inetd sockets after dupping: 3, 3
Jun 17 14:39:44 dns sshd[6296]: Connection from xxx port 51888
Jun 17 14:39:44 dns sshd[6296]: debug1: Client protocol version 2.0; client software version OpenSSH_5.8p1 Debian-1ubuntu3
Jun 17 14:39:44 dns sshd[6296]: debug1: match: OpenSSH_5.8p1 Debian-1ubuntu3 pat OpenSSH*
Jun 17 14:39:44 dns sshd[6296]: debug1: Enabling compatibility mode for protocol 2.0
Jun 17 14:39:44 dns sshd[6296]: debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
Jun 17 14:39:44 dns sshd[6296]: debug1: PAM: initializing for "scponly"
Jun 17 14:39:44 dns sshd[6296]: debug1: PAM: setting PAM_RHOST to "xxx"
Jun 17 14:39:44 dns sshd[6296]: debug1: PAM: setting PAM_TTY to "ssh"
Jun 17 14:39:44 dns sshd[6296]: Failed none for scponly from xxx port 51888 ssh2
Jun 17 14:39:44 dns sshd[6296]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
Jun 17 14:39:44 dns sshd[6296]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
Jun 17 14:39:44 dns sshd[6296]: debug1: temporarily_use_uid: 1005/1005 (e=0/0)
Jun 17 14:39:44 dns sshd[6296]: debug1: trying public key file /home/scponly/.ssh/authorized_keys
Jun 17 14:39:44 dns sshd[6296]: debug1: restore_uid: 0/0
Jun 17 14:39:44 dns sshd[6296]: debug1: temporarily_use_uid: 1005/1005 (e=0/0)
Jun 17 14:39:44 dns sshd[6296]: debug1: trying public key file /home/scponly/.ssh/authorized_keys2
Jun 17 14:39:44 dns sshd[6296]: debug1: restore_uid: 0/0
Jun 17 14:39:44 dns sshd[6296]: Failed publickey for scponly from xxx port 51888 ssh2
Jun 17 14:39:44 dns sshd[6296]: debug1: PAM: password authentication accepted for scponly
Jun 17 14:39:44 dns sshd[6296]: debug1: do_pam_account: called
Jun 17 14:39:44 dns sshd[6296]: Accepted password for scponly from xxx port 51888 ssh2
Jun 17 14:39:44 dns sshd[6296]: debug1: monitor_child_preauth: scponly has been authenticated by privileged process
Jun 17 14:39:44 dns sshd[6296]: debug1: PAM: establishing credentials
Jun 17 14:39:44 dns sshd[6296]: pam_unix(sshd:session): session opened for user scponly by (uid=0)
Jun 17 14:39:44 dns sshd[6296]: User child is on pid 6374
Jun 17 14:39:44 dns sshd[6374]: debug1: SELinux support disabled
Jun 17 14:39:44 dns sshd[6374]: debug1: PAM: establishing credentials
Jun 17 14:39:44 dns sshd[6374]: debug1: permanently_set_uid: 1005/1005
Jun 17 14:39:44 dns sshd[6374]: debug1: Entering interactive session for SSH2.
Jun 17 14:39:44 dns sshd[6374]: debug1: server_init_dispatch_20
Jun 17 14:39:44 dns sshd[6374]: debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
Jun 17 14:39:44 dns sshd[6374]: debug1: input_session_request
Jun 17 14:39:44 dns sshd[6374]: debug1: channel 0: new [server-session]
Jun 17 14:39:44 dns sshd[6374]: debug1: session_new: session 0
Jun 17 14:39:44 dns sshd[6374]: debug1: session_open: channel 0
Jun 17 14:39:44 dns sshd[6374]: debug1: session_open: session 0: link with channel 0
Jun 17 14:39:44 dns sshd[6374]: d...


Changed in scponly (Ubuntu):
status: New → Confirmed
Indie (alanlitster) wrote :

This bug still exists under Natty and now the files are in a different location. I found that I had to run the following command after setup_chroot.sh to correctly set up the chroot environment.

$ sudo cp -av /lib/i386-linux-gnu/libnss_files* /home/scponly/lib/i386-linux-gnu/

The supplied script tries to copy libnss_compat* from /lib which doesn't exist under Natty.

/bin/ls /lib/libnss_compat* > /dev/null 2>&1
if [ $? -eq 0 ]; then
        LIB_LIST="$LIB_LIST /lib/libnss_compat*"
fi
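The report above ends with scp failing on "unknown user 1001" after chroot(), and the later comments trace it to NSS modules missing from the jail, first /lib/libnss_files* on Lucid and then the multiarch /lib/i386-linux-gnu/ path on Natty. The script below is an added example for this page, not part of scponly or its setup_chroot.sh: it reads the jail's own /etc/nsswitch.conf, checks that every passwd/group service named there has its libnss_<service>.so.2 inside the jail in any of the lib, lib64 or lib/<triplet> directories, and with --fix copies the missing module from the host to the same relative path. The script name, the --fix flag, and the choice to check both the compat and files services when the jail has no nsswitch.conf are assumptions of this example, not something the bug report states.

```sh
#!/bin/sh
# check_chroot_nss.sh (example written for this bug page, not part of scponly):
# verify, and with --fix repair, the NSS modules a chroot needs so that
# getpwuid()/getgrgid() work inside the jail.
#
# After chroot(), scp resolves its own uid through glibc's NSS. glibc reads
# the jail's /etc/nsswitch.conf and dlopen()s libnss_<service>.so.2 from the
# jail's library directories, so a correct /etc/passwd in the jail is not
# enough: a missing module yields "unknown user 1001" and a dropped connection.
#
# Assumptions: modules live in lib, lib64 or a multiarch lib/<triplet>
# directory under the root being searched; a jail with no nsswitch.conf is
# checked for both the compat and files services (conservative, not glibc's
# exact fallback).

# nss_services CONF: distinct service names used by the passwd and group
# databases, one per line. Bracketed tokens such as [NOTFOUND=return] are
# actions, not services, and are skipped.
nss_services() {
    if [ -r "$1" ]; then
        awk '($1 == "passwd:" || $1 == "group:") {
                 for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i
             }' "$1" | sort -u
    else
        printf 'compat\nfiles\n'
    fi
}

# find_nss_module ROOT SERVICE: print the path of libnss_SERVICE.so.2 under
# ROOT (ROOT may be "" for the host's /), or return 1 if it is absent.
find_nss_module() {
    nss_root=$1; nss_svc=$2
    for nss_dir in "$nss_root/lib" "$nss_root/lib64" "$nss_root"/lib/*-linux-gnu*; do
        if [ -e "$nss_dir/libnss_$nss_svc.so.2" ]; then
            printf '%s\n' "$nss_dir/libnss_$nss_svc.so.2"
            return 0
        fi
    done
    return 1
}

# check_chroot_nss JAIL: return 0 if every passwd/group service named by the
# jail's nsswitch.conf has its module inside the jail, else list the missing
# modules on stderr and return 1.
check_chroot_nss() {
    jail=$1; rc=0
    for svc in $(nss_services "$jail/etc/nsswitch.conf"); do
        if ! find_nss_module "$jail" "$svc" >/dev/null; then
            echo "missing in jail: libnss_$svc.so.2 (service '$svc')" >&2
            rc=1
        fi
    done
    return $rc
}

# install_nss_module HOST_ROOT JAIL SERVICE: copy libnss_SERVICE.so.2 from the
# host into the jail at the same relative path, where the dynamic loader will
# look for it. The .so.2 name is normally a symlink to libnss_SERVICE-<ver>.so;
# -L copies the file it points at, which is what `cp -a /lib/libnss_files*`
# achieved in the comments above.
install_nss_module() {
    host_root=${1%/}; jail=$2; svc=$3
    src=$(find_nss_module "$host_root" "$svc") || {
        echo "host has no libnss_$svc.so.2 under ${host_root:-/}" >&2
        return 1
    }
    rel=${src#"$host_root"}        # e.g. /lib/x86_64-linux-gnu/libnss_files.so.2
    mkdir -p "$(dirname "$jail$rel")"
    cp -pL "$src" "$jail$rel"
}

# Usage: sh check_chroot_nss.sh /home/scponly [--fix]
main() {
    jail=$1
    if check_chroot_nss "$jail"; then
        echo "ok: $jail has the NSS modules its nsswitch.conf needs"
    elif [ "${2:-}" = "--fix" ]; then
        for svc in $(nss_services "$jail/etc/nsswitch.conf"); do
            find_nss_module "$jail" "$svc" >/dev/null || install_nss_module / "$jail" "$svc"
        done
        check_chroot_nss "$jail"
    else
        return 1
    fi
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it against the jail setup_chroot.sh produced (`sh check_chroot_nss.sh /home/scponly`) before the first scp: a non-zero exit with "missing in jail: libnss_files.so.2" is the same condition that surfaces as "unknown user 1001" in the report, and `--fix` is the scripted form of the `cp -av /lib/libnss_files*` workaround, with the multiarch path handled automatically.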

Phillip Susi (psusi) wrote :

This package has been removed from Ubuntu. Closing all related bugs.

Changed in scponly (Ubuntu):
status: Confirmed → Invalid