Scponly-full broken on default Lucid install?

Bug #668366 reported by David Watson
This bug affects 7 people
Affects           Status    Importance  Assigned to  Milestone
scponly (Ubuntu)  Invalid   Undecided   Unassigned

Bug Description

Binary package hint: scponly-full

The package scponly-full that allows chrooted scponly access appears to be broken on Lucid server.

Versions

$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04

$ apt-cache policy scponly-full
scponly-full:
  Installed: 4.8-4
  Candidate: 4.8-4
  Version table:
 *** 4.8-4 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status

Steps To Reproduce

1) Download ubuntu-10.04-server-amd64.iso

2) Install vanilla installation using VM Workstation hands off installation / manual process

3) Log in and update to latest patches (sudo aptitude update ; sudo aptitude upgrade)

4) Install scponly-full package (sudo aptitude install scponly-full)

5) Set package up:

cd /usr/share/doc/scponly-full/setup_chroot
sudo gunzip setup_chroot.sh.gz
sudo chmod +x setup_chroot.sh

6) Create chrooted scp user:

sudo ./setup_chroot.sh

and select default options (username = "scponly", path="/home/scponly", incoming directory="incoming" ie just hit return each time)

set a password

7) Attempt to scp a file into the newly created chrooted scponly user's incoming directory:

scp testfile scponly@vmaddress:/incoming

receive this error:

$ scp testfile scponly@192.168.0.238:/incoming
scponly@192.168.0.238's password:
unknown user 1001
lost connection

The above steps work as expected on Karmic with the latest patches if you build from the lucid source package:

sudo vi /etc/apt/sources

# Lucid sources for scponly-full
deb-src http://archive.ubuntu.com/ubuntu lucid main restricted universe multiverse

sudo aptitude update
sudo apt-get build-dep scponly-full
sudo apt-get -b source -t lucid scponly-full
sudo aptitude purge scponly
sudo rm -rf /usr/share/doc/scponly
sudo dpkg -i scponly-full_4.8-4_amd64.deb
sudo dpkg-reconfigure -plow scponly-full
cd /usr/share/doc/scponly-full/setup_chroot
sudo gunzip setup_chroot.sh.gz
sudo chmod +x setup_chroot.sh
sudo ./setup_chroot.sh

Supporting Detail

Repeating step 7 whilst tailing /var/log/auth.log:

Oct 29 06:56:10 ubuntu sshd[23082]: Accepted password for scponly from 192.168.0.144 port 38968 ssh2
Oct 29 06:56:10 ubuntu sshd[23082]: pam_unix(sshd:session): session opened for user scponly by (uid=0)
Oct 29 06:56:10 ubuntu scponly[23098]: running: /usr/bin/scp -t /incomin (username: scponly(1001), IP/port: 192.168.0.144 38968 22)
Oct 29 06:56:10 ubuntu sshd[23097]: Received disconnect from 192.168.0.144: 11: disconnected by user
Oct 29 06:56:10 ubuntu sshd[23082]: pam_unix(sshd:session): session closed for user scponly

No errors logged.

8) Tried increasing debug level from 0 to 2 on the server for scponly:

sudo vi /etc/scponly/debuglevel
sudo /etc/init.d/ssh restart

Extra server log output:

sudo tail -f /var/log/auth.log

Oct 29 07:06:16 ubuntu sshd[1392]: Accepted password for scponly from 192.168.0.144 port 53769 ssh2
Oct 29 07:06:16 ubuntu sshd[1392]: pam_unix(sshd:session): session opened for user scponly by (uid=0)
Oct 29 07:06:16 ubuntu scponly[1408]: chrooted binary in place, will chroot()
Oct 29 07:06:16 ubuntu scponly[1408]: 3 arguments in total.
Oct 29 07:06:16 ubuntu scponly[1408]: #011arg 0 is scponlyc
Oct 29 07:06:16 ubuntu scponly[1408]: #011arg 1 is -c
Oct 29 07:06:16 ubuntu scponly[1408]: #011arg 2 is scp -t /incoming
Oct 29 07:06:16 ubuntu scponly[1408]: opened log at LOG_AUTHPRIV, opts 0x00000029
Oct 29 07:06:16 ubuntu scponly[1408]: determined USER is "scponly" from environment
Oct 29 07:06:16 ubuntu scponly[1408]: retrieved home directory of "/home/scponly" for user "scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: chrooting to dir: "/home/scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: chdiring to dir: "/"
Oct 29 07:06:16 ubuntu scponly[1408]: setting uid to 1001
Oct 29 07:06:16 ubuntu scponly[1408]: processing request: "scp -t /incoming"
Oct 29 07:06:16 ubuntu scponly[1408]: Using getopt processing for cmd /usr/bin/scp#012 (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: getopt processing returned 't' (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: Found "HOME" and setting it to "/home/scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: Environment contains "HOME=/home/scponly"
Oct 29 07:06:16 ubuntu scponly[1408]: Looking for 'HOME=' in 'HOME=/home/scponly'
Oct 29 07:06:16 ubuntu scponly[1408]: 'HOME' env entry now reads 'HOME=/home/scponly'
Oct 29 07:06:16 ubuntu scponly[1408]: set non-chrooted HOME environment variable to /home/scponly (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: running: /usr/bin/scp -t /incoming (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu scponly[1408]: about to exec "/usr/bin/scp" (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
Oct 29 07:06:16 ubuntu sshd[1407]: Received disconnect from 192.168.0.144: 11: disconnected by user
Oct 29 07:06:16 ubuntu sshd[1392]: pam_unix(sshd:session): session closed for user scponly

and client:

david@monolith:~$ scp testfile scponly@192.168.0.238:/incoming
scponly@192.168.0.238's password:
scponly[1408]: chrooted binary in place, will chroot()
scponly[1408]: 3 arguments in total.
scponly[1408]: arg 0 is scponlyc
scponly[1408]: arg 1 is -c
scponly[1408]: arg 2 is scp -t /incoming
scponly[1408]: opened log at LOG_AUTHPRIV, opts 0x00000029
scponly[1408]: determined USER is "scponly" from environment
scponly[1408]: retrieved home directory of "/home/scponly" for user "scponly"
scponly[1408]: chrooting to dir: "/home/scponly"
scponly[1408]: chdiring to dir: "/"
scponly[1408]: setting uid to 1001
scponly[1408]: processing request: "scp -t /incoming"
scponly[1408]: Using getopt processing for cmd /usr/bin/scp
 (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: getopt processing returned 't' (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: Found "HOME" and setting it to "/home/scponly"
scponly[1408]: Environment contains "HOME=/home/scponly"
scponly[1408]: Looking for 'HOME=' in 'HOME=/home/scponly'
scponly[1408]: 'HOME' env entry now reads 'HOME=/home/scponly'
scponly[1408]: set non-chrooted HOME environment variable to /home/scponly (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: running: /usr/bin/scp -t /incoming (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
scponly[1408]: about to exec "/usr/bin/scp" (username: scponly(1001), IP/port: 192.168.0.144 53769 22)
unknown user 1001
lost connection

So apparently no obviously useful extra information there.

The only potentially relevant existing information I could find on the net is http://muzso.hu/2007/11/23/how-to-create-an-sftp-chroot-jail-easily-on-debian-with-scponly, but the chrooted scponly user already has a world-readable password file with the correct details in it:

/home/scponly/etc$ ls -l
total 8
-rw-r--r-- 1 root root 639 2010-10-29 06:31 group
-rw-r--r-- 1 root root 54 2010-10-29 06:31 passwd

/home/scponly/etc$ more passwd
scponly:x:1001:1001::/home/scponly:/usr/sbin/scponlyc

And the user also exists in the Ubuntu host's master password file:

$ grep 1001 /etc/passwd
scponly:x:1001:1001::/home/scponly:/usr/sbin/scponlyc

$ grep 1001 /etc/group
scponly:x:1001:

and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=353976 (closed with no real resolution)

Unless I'm doing something wrong, this seems to be a clearly reproducible bug that renders the scponly-full package unusable in the vanilla configuration on Lucid.

David Watson (david-watson) wrote :

Potential fix that works for me:

david@ubuntu:/usr/share/doc/scponly-full/setup_chroot$ diff setup_chroot.sh setup_chroot.sh.orig
98,102d97
< /bin/ls /lib/libnss_files* > /dev/null 2>&1
< if [ $? -eq 0 ]; then
< LIB_LIST="$LIB_LIST /lib/libnss_files*"
< fi
<
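Review bot: the diff is taken with the modified file as the first argument (`diff setup_chroot.sh setup_chroot.sh.orig`), so the five lines you added appear as `<` removals under a `98,102d97` header, and anyone feeding this to `patch` would delete them instead of adding them; `diff -u setup_chroot.sh.orig setup_chroot.sh` would show them as `+` lines in the usual direction. In the block itself, `LIB_LIST="$LIB_LIST /lib/libnss_files*"` hard-codes /lib, so the check silently adds nothing on a host whose libraries live in a multiarch directory such as /lib/i386-linux-gnu, and the `ls ... ; if [ $? -eq 0 ]` pair can simply be `if /bin/ls /lib/libnss_files* > /dev/null 2>&1; then`.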

dahias (wengahias) wrote :

Thanks, Mr. Watson, for the hint. These files need to be inside the chrooted /lib directory.

hias@ubuntu:$ sudo cp /lib/libnss_files* -av /home/USER/lib/

`/lib/libnss_files-2.11.1.so' -> `/home/USER/lib/libnss_files-2.11.1.so'
`/lib/libnss_files.so.2' -> `/home/USER/lib/libnss_files.so.2'

After that things should work.

claus westerkamp (claus-westerkamp) wrote :

I have tried the suggested fix without success.

my auth.log:
Jun 17 14:39:44 dns sshd[6278]: debug1: Forked child 6296.
Jun 17 14:39:44 dns sshd[6296]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Jun 17 14:39:44 dns sshd[6296]: debug1: inetd sockets after dupping: 3, 3
Jun 17 14:39:44 dns sshd[6296]: Connection from xxx port 51888
Jun 17 14:39:44 dns sshd[6296]: debug1: Client protocol version 2.0; client software version OpenSSH_5.8p1 Debian-1ubuntu3
Jun 17 14:39:44 dns sshd[6296]: debug1: match: OpenSSH_5.8p1 Debian-1ubuntu3 pat OpenSSH*
Jun 17 14:39:44 dns sshd[6296]: debug1: Enabling compatibility mode for protocol 2.0
Jun 17 14:39:44 dns sshd[6296]: debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6
Jun 17 14:39:44 dns sshd[6296]: debug1: PAM: initializing for "scponly"
Jun 17 14:39:44 dns sshd[6296]: debug1: PAM: setting PAM_RHOST to "xxx"
Jun 17 14:39:44 dns sshd[6296]: debug1: PAM: setting PAM_TTY to "ssh"
Jun 17 14:39:44 dns sshd[6296]: Failed none for scponly from xxx port 51888 ssh2
Jun 17 14:39:44 dns sshd[6296]: debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
Jun 17 14:39:44 dns sshd[6296]: debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
Jun 17 14:39:44 dns sshd[6296]: debug1: temporarily_use_uid: 1005/1005 (e=0/0)
Jun 17 14:39:44 dns sshd[6296]: debug1: trying public key file /home/scponly/.ssh/authorized_keys
Jun 17 14:39:44 dns sshd[6296]: debug1: restore_uid: 0/0
Jun 17 14:39:44 dns sshd[6296]: debug1: temporarily_use_uid: 1005/1005 (e=0/0)
Jun 17 14:39:44 dns sshd[6296]: debug1: trying public key file /home/scponly/.ssh/authorized_keys2
Jun 17 14:39:44 dns sshd[6296]: debug1: restore_uid: 0/0
Jun 17 14:39:44 dns sshd[6296]: Failed publickey for scponly from xxx port 51888 ssh2
Jun 17 14:39:44 dns sshd[6296]: debug1: PAM: password authentication accepted for scponly
Jun 17 14:39:44 dns sshd[6296]: debug1: do_pam_account: called
Jun 17 14:39:44 dns sshd[6296]: Accepted password for scponly from xxx port 51888 ssh2
Jun 17 14:39:44 dns sshd[6296]: debug1: monitor_child_preauth: scponly has been authenticated by privileged process
Jun 17 14:39:44 dns sshd[6296]: debug1: PAM: establishing credentials
Jun 17 14:39:44 dns sshd[6296]: pam_unix(sshd:session): session opened for user scponly by (uid=0)
Jun 17 14:39:44 dns sshd[6296]: User child is on pid 6374
Jun 17 14:39:44 dns sshd[6374]: debug1: SELinux support disabled
Jun 17 14:39:44 dns sshd[6374]: debug1: PAM: establishing credentials
Jun 17 14:39:44 dns sshd[6374]: debug1: permanently_set_uid: 1005/1005
Jun 17 14:39:44 dns sshd[6374]: debug1: Entering interactive session for SSH2.
Jun 17 14:39:44 dns sshd[6374]: debug1: server_init_dispatch_20
Jun 17 14:39:44 dns sshd[6374]: debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
Jun 17 14:39:44 dns sshd[6374]: debug1: input_session_request
Jun 17 14:39:44 dns sshd[6374]: debug1: channel 0: new [server-session]
Jun 17 14:39:44 dns sshd[6374]: debug1: session_new: session 0
Jun 17 14:39:44 dns sshd[6374]: debug1: session_open: channel 0
Jun 17 14:39:44 dns sshd[6374]: debug1: session_open: session 0: link with channel 0
Jun 17 14:39:44 dns sshd[6374]: d...


Changed in scponly (Ubuntu):
status: New → Confirmed
Indie (alanlitster) wrote :

This bug still exists under Natty and now the files are in a different location. I found that I had to run the following command after setup_chroot.sh to correctly setup the chroot environment.

$ sudo cp -av /lib/i386-linux-gnu/libnss_files* /home/scponly/lib/i386-linux-gnu/

The supplied script tries to copy libnss_compat* from /lib which doesn't exist under Natty.

/bin/ls /lib/libnss_compat* > /dev/null 2>&1
if [ $? -eq 0 ]; then
        LIB_LIST="$LIB_LIST /lib/libnss_compat*"
fi
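The three fixes above (Watson's extra block in setup_chroot.sh, dahias's manual copy into /home/USER/lib/, and Indie's multiarch copy on Natty) all put the same file into the jail. The reason it matters: scponlyc chroot()s into /home/scponly and drops to uid 1001, then /usr/bin/scp looks its own uid up with getpwuid(); glibc answers that from the chroot's /etc/passwd only through the libnss_files NSS module, which it loads at run time from inside the jail, so when the module is absent the lookup fails and scp aborts with "unknown user 1001" even though the passwd entry is there. The script below is an added example, not part of this bug report or of the scponly package: it audits a chroot for both prerequisites (the passwd entry and libnss_files.so.2 in the classic /lib, /lib64 or multiarch /lib/<triplet>/ location) and exercises the check on a constructed fixture. The fixture's directory layout, the x86_64-linux-gnu triplet and the install_nss_files paths are assumptions, not values taken from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or the scponly package.
# scp, running as uid 1001 inside the jail, asks glibc for its own passwd
# entry; glibc reads the chroot's /etc/passwd only if the libnss_files NSS
# module is present inside the chroot. These helpers check for both.

# Print every libnss_files.so.2 found inside the chroot, covering the
# classic /lib, /lib64 and the multiarch /lib/<triplet>/ layouts.
find_nss_files() {
    chroot_dir=$1
    for f in "$chroot_dir"/lib/libnss_files.so.2 \
             "$chroot_dir"/lib64/libnss_files.so.2 \
             "$chroot_dir"/lib/*-linux-gnu/libnss_files.so.2; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Return 0 when uid $2 can be resolved to a name inside chroot $1:
# a matching /etc/passwd line exists and libnss_files is there to read it.
chroot_can_resolve_uid() {
    chroot_dir=$1
    uid=$2
    if ! awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' \
            "$chroot_dir/etc/passwd" 2>/dev/null; then
        echo "no entry for uid $uid in $chroot_dir/etc/passwd" >&2
        return 1
    fi
    if [ -z "$(find_nss_files "$chroot_dir")" ]; then
        echo "libnss_files.so.2 missing from $chroot_dir (scp would say 'unknown user $uid')" >&2
        return 1
    fi
    return 0
}

# Remediation for a real host (not exercised by the demo below): copy the
# host's libnss_files files into the same directory inside the chroot, so
# the symlink libnss_files.so.2 -> libnss_files-<ver>.so stays intact.
# Host paths here are assumptions about where the distribution keeps glibc.
install_nss_files() {
    chroot_dir=$1
    for src in /lib/libnss_files.so.2 /lib64/libnss_files.so.2 \
               /lib/*-linux-gnu/libnss_files.so.2; do
        [ -e "$src" ] || continue
        dest_dir="$chroot_dir$(dirname "$src")"
        mkdir -p "$dest_dir"
        cp -a "$(dirname "$src")"/libnss_files* "$dest_dir"/
    done
}

# Constructed fixture: a throwaway directory shaped like the scponly jail,
# with a passwd entry for uid 1001. Pass "with_nss" to also place empty
# libnss_files.so.2 stand-ins in both the legacy and multiarch locations.
make_demo_chroot() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/lib/x86_64-linux-gnu" "$d/incoming"
    printf 'root:x:0:0:root:/:/bin/false\n' > "$d/etc/passwd"
    printf 'scponly:x:1001:1001::/home/scponly:/usr/sbin/scponlyc\n' >> "$d/etc/passwd"
    if [ "$1" = with_nss ]; then
        : > "$d/lib/libnss_files.so.2"
        : > "$d/lib/x86_64-linux-gnu/libnss_files.so.2"
    fi
    printf '%s\n' "$d"
}

# Demo on the constructed fixtures; on a real jail call
#   chroot_can_resolve_uid /home/scponly 1001
good=$(make_demo_chroot with_nss)
chroot_can_resolve_uid "$good" 1001 && echo "ok: $good can resolve uid 1001"
broken=$(make_demo_chroot)
chroot_can_resolve_uid "$broken" 1001 || echo "broken: $broken reproduces the bug"
rm -rf "$good" "$broken"
```

On a live system, `chroot_can_resolve_uid /home/scponly 1001` before enabling the account tells you whether the jail would produce the error from the report, and running it again after a release upgrade catches the Natty-style path move, because the check looks in every layout rather than only in /lib.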

Phillip Susi (psusi) wrote :

This package has been removed from Ubuntu. Closing all related bugs.

Changed in scponly (Ubuntu):
status: Confirmed → Invalid