Old May 22nd, 2007   #1
epimeteo
Dipped in Ubuntu
Join Date: Nov 2005
Location: Portugal
Beans: 636
Ubuntu 7.10 Gutsy Gibbon
Howto: Easy SFTP and chroot SFTP with Scponly and SSH

Hi everyone,

I was having some problems getting scponly installed. I've searched through the forum, but didn't find any solution. Now I got it working, so I'm posting how I got Scponly installed and working.

Scponly is for transferring files securely with ssh, but the user doesn't have a shell, so he can only transfer files. He cannot execute anything on the server.

There are 2 shells, one normal (scponly), that allows users to transfer files and see all the system files, but can't execute anything. The other one is scponlyc, the chroot version (the user is locked inside his home folder). Now here we go.

Install the scponly package in the server machine:

Code:
sudo apt-get install scponly

Normal SFTP

Change the shell of the user:

Code:
sudo chsh -s /usr/bin/scponly username

Test it from the remote machine:

Code:
sftp username@server

Painless

Chroot/Jail SFTP:

Reconfigure the scponly package so that scponlyc (the chroot version) is activated:

Code:
sudo dpkg-reconfigure -plow scponly

Answer "Yes". Now set up the chroot scponly user using the included setup_chroot script. It can't be an existing user, and don't create him with adduser. He will be created by the setup_chroot script:

Code:
cd /usr/share/doc/scponly/setup_chroot
sudo gunzip setup_chroot.sh.gz
sudo chmod +x setup_chroot.sh
sudo ./setup_chroot.sh

To make this simpler, let's accept the default answers (scponly for username and home folder). At the end, create the password of the scponly user.

Scponlyc has a "bug" and doesn't work out of the box (https://lists.ccs.neu.edu/pipermail/...er/001692.html). The message is about FreeBSD, but it happens in Linux/Ubuntu too, at least for me. You have to create /dev/null in the scponly chroot home folder. Thanks to revertex, the right way to do this is:

Code:
sudo -i
cd /home/scponly

mkdir /home/scponly/dev
mknod -m 666 /home/scponly/dev/null c 1 3

exit

Now test it from the remote computer:

Code:
sftp scponly@server

If you can log in, it worked. You can only upload files to the "incoming" folder. You can't leave the scponly chroot jail, and you cannot execute anything on the server system.

From cypher35: This is very useful, because, by default, only the "incoming" folder of the home folder is writable by the user. To make the "incoming" folder the default one for uploads in the chroot/jail, edit the file /etc/passwd and change the home folder of the user(s): add two slashes ("//") and the "incoming" directory name (in the following example, the "incoming" folder is named "default"):

Code:
sftpguest:x:1001:1001::/home/sftpguest//default:/usr/sbin/scponlyc
This was suggested by revertex:

To provide access to files that are outside the scponly homedir root jail, the bind mount option should be handy.

As an example, suppose you have a dir /mnt/stuff and want to provide access to a chrooted scponly user.

Code:
mkdir /home/scponly/stuff

mount -o bind /mnt/stuff /home/scponly/stuff

And to make this permanent, edit your /etc/fstab and add something like:

Code:
/mnt/stuff   /home/scponly/stuff   none   rw,bind   0 0

Change rw,bind to ro,bind for read-only access.

Tested in Ubuntu Feisty 7.04. I think it works on other versions with no or few changes.

I hope this works for you too.

Edit 1, June 8th, 2007. Reason: added revertex suggestion for binding dir from outside chroot dir;
Edit 2, September 16th. Reason: added cypher35 tip to set the default directory/folder for a user;

Last edited by epimeteo; September 16th, 2007 at 04:52 PM.. Reason: added cypher35 tip to set the default directory/folder for a user
Old June 2nd, 2007   #2
revertex
A Carafe of Ubuntu
 
Join Date: Jul 2006
My beans are hidden!
Re: Howto: Easy SFTP and chroot SFTP with Scponly

Thank you a ton, I've spent a lot of time trying to figure out why the scponly connection closed unexpectedly when logged in.

Very nice tutorial, pretty clear and well written, surely deserves a place in the Ubuntu wiki.

I was close, but dunno why this did not work:

Code:
mkdir /home/scponly/dev
mknod -m 666 /home/scponly/dev/null c 1 3
Last edited by revertex; June 2nd, 2007 at 01:14 AM..
Old June 6th, 2007   #3
epimeteo
Dipped in Ubuntu
Join Date: Nov 2005
Location: Portugal
Beans: 636
Ubuntu 7.10 Gutsy Gibbon
Re: Howto: Easy SFTP and chroot SFTP with Scponly

You're welcome, revertex. And thank you for your suggestion for creating the /dev/null device as it should be. Edited and corrected.
Old June 6th, 2007   #4
revertex
A Carafe of Ubuntu
 
Join Date: Jul 2006
My beans are hidden!
Re: Howto: Easy SFTP and chroot SFTP with Scponly

Another tip that should be useful is to mount another dir inside the scponly homedir.

Suppose you want to provide access to files that are outside the scponly homedir root jail; the bind mount option should be handy.

As an example, suppose you have a dir /mnt/stuff and want to provide access to a chrooted scponly user.

Code:
mkdir /home/scponly/stuff

mount -o bind /mnt/stuff /home/scponly/stuff

(jtc pointed out to me that the ro option is useless here, it only has use in /etc/fstab, thank you for the enlightenment)

And to make this permanent, edit your /etc/fstab and add something like:

Code:
/mnt/stuff   /home/scponly/stuff   none   rw,bind   0 0

Change rw,bind to ro,bind for read-only access.

Cheers!

Last edited by revertex; June 7th, 2007 at 12:09 AM..
Old June 6th, 2007   #5
jtc
Way Too Much Ubuntu
Join Date: May 2005
Beans: 328
Re: Howto: Easy SFTP and chroot SFTP with Scponly

Are you sure

Code:
mount -o ro,bind ...

behaves exactly the way you think it does?
Old June 7th, 2007   #6
revertex
A Carafe of Ubuntu
 
Join Date: Jul 2006
My beans are hidden!
Re: Howto: Easy SFTP and chroot SFTP with Scponly

Oops! Sorry, my bad, ro does nothing as a mount option, it only works in /etc/fstab.

Thanks for pointing out my mistake (I mean ignorance).

Last edited by revertex; June 7th, 2007 at 12:10 AM..
Old June 8th, 2007   #7
epimeteo
Dipped in Ubuntu
Join Date: Nov 2005
Location: Portugal
Beans: 636
Ubuntu 7.10 Gutsy Gibbon
Re: Howto: Easy SFTP and chroot SFTP with Scponly

Quote:
Originally Posted by revertex View Post
Another tip that should be useful is to mount another dir inside the scponly homedir.

Suppose you want to provide access to files that are outside the scponly homedir root jail; the bind mount option should be handy.

As an example, suppose you have a dir /mnt/stuff and want to provide access to a chrooted scponly user.

Code:
mkdir /home/scponly/stuff

mount -o bind /mnt/stuff /home/scponly/stuff

(jtc pointed out to me that the ro option is useless here, it only has use in /etc/fstab, thank you for the enlightenment)

And to make this permanent, edit your /etc/fstab and add something like:

Code:
/mnt/stuff   /home/scponly/stuff   none   rw,bind   0 0

Change rw,bind to ro,bind for read-only access.

Cheers!

Edited and added. Thank you both.
Old July 3rd, 2007   #8
dwstevens
First Cup of Ubuntu
 
Join Date: Jul 2007
Beans: 2
Re: Howto: Easy SFTP and chroot SFTP with Scponly

I was wondering if anyone could take a look at my situation here. I'm having a bit of trouble getting the chroot set up for sftp users. Our situation is a little complicated, as you'll see below. I've followed the directions to the letter here, including the setup of /dev/null, and just can't get sftp to connect. It authenticates fine, but when it goes to set up the sftp-server it exits and shows connection closed. I've even compiled the groups.c hack, with no luck. Any help would be greatly appreciated.

Here is dev/null in the scponly4 home directory:

root@XXXXX:/home2/scponly4# ll dev/null
crw-rw-rw- 1 root root 1, 3 2007-07-03 11:27 dev/null

Here is the directory structure created by setup_chroot.sh:

root@XXXXX:/home2/scponly4# tree
.
|-- bin
|   |-- chgrp
|   |-- chmod
|   |-- chown
|   |-- echo
|   |-- ln
|   |-- ls
|   |-- mkdir
|   |-- mv
|   |-- pwd
|   |-- rm
|   `-- rmdir
|-- dev
|   `-- null
|-- etc
|   `-- passwd
|-- incoming
|-- lib
|   |-- ld.so
|   |-- libacl.so.1
|   |-- libattr.so.1
|   |-- libc.so.6
|   |-- libcom_err.so.2
|   |-- libcrypt.so.1
|   |-- libdl.so.2
|   |-- libnsl.so.1
|   |-- libnss_compat-2.5.so
|   |-- libnss_compat.so.2
|   |-- libpam.so.0
|   |-- libpam_misc.so.0
|   |-- libpopt.so.0
|   |-- libpthread.so.0
|   |-- libresolv.so.2
|   |-- librt.so.1
|   |-- libselinux.so.1
|   |-- libsepol.so.1
|   `-- libutil.so.1
`-- usr
    |-- bin
    |   |-- groups
    |   |-- id
    |   |-- passwd
    |   |-- rsync
    |   `-- scp
    `-- lib
        |-- libcrypto.so.0.9.8
        |-- libgssapi_krb5.so.2
        |-- libk5crypto.so.3
        |-- libkrb5.so.3
        |-- libkrb5support.so.0
        |-- libz.so.1
        `-- sftp-server

8 directories, 44 files

Here is the /etc/passwd entry for scponly4 user:

scponly4:5004:5004::/home2/scponly4:/usr/sbin/scponlyc

Here is the auth log

Jul 3 11:31:02 XXXX sshd[27302]: Accepted password for scponly4 from 10.42.84.103 port 49805 ssh2
Jul 3 11:31:02 XXXX sshd[27306]: subsystem request for sftp
Jul 3 11:31:02 XXXX scponly[27307]: running: /usr/lib/sftp-server (username: scponly4(5004), IP/port: 10.42.84.103 49805 22)
Jul 3 11:31:02 XXXX scponly[27307]: failed: /usr/lib/sftp-server with error No such file or directory(2) (username: scponly4(5004), IP/port: 10.42.84.103 49805 22)

Here's the kernel:

2.6.20-15-generic #2 SMP Sun Apr 15 06:17:24 UTC 2007 x86_64 GNU/Linux

Here's the ubuntu release from /etc/issue:

Ubuntu 7.04


I can't figure out what sftp-server can't find. Any help would be appreciated. We are using PAM_LDAP to authenticate against an LDAP server, and our main home directory on each server is mounted over NFS. That's why there is a /home2 directory that is local. Here is our pam conf just in case:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass

root@XXXX:/etc/pam.d# more system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so

Thanks,

David

Last edited by dwstevens; July 3rd, 2007 at 12:04 PM..
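The jail built by the howto in post #1 and the "No such file or directory" failure reported in post #8 can both be checked with a short script. This is an added example, not code from the thread or from the scponly package; it assumes, as the thread shows, that scponlyc runs usr/lib/sftp-server inside the jail and that the login shell is /usr/sbin/scponlyc. The passwd-file and username arguments are my own addition so the check can be pointed at a copy of /etc/passwd.

```shell
#!/bin/sh
# Sanity checks for an scponlyc chroot jail created by setup_chroot.sh.
# Usage: check_scponly_jail JAIL [PASSWD_FILE] [USERNAME]
# Exit status = number of findings (0 means nothing obviously wrong).
# Assumed from the thread, not verified here: scponlyc runs usr/lib/sftp-server
# inside the jail and the user's login shell is /usr/sbin/scponlyc.

findings=0
finding() { echo "FAIL: $1"; findings=$((findings + 1)); }

check_scponly_jail() {
    jail=$1; pwfile=${2:-/etc/passwd}; user=${3:-$(basename "$jail")}
    findings=0

    # 1. dev/null must be a character device 1,3 (the "bug" fixed in post #1);
    #    a regular file made with touch is the classic mistake.
    if [ ! -c "$jail/dev/null" ] || [ "$(stat -c '%t:%T' "$jail/dev/null")" != "1:3" ]; then
        finding "$jail/dev/null missing or not char device 1,3 (mknod -m 666 dev/null c 1 3)"
    fi

    # 2. incoming/ is the only directory uploads are allowed into
    [ -d "$jail/incoming" ] || finding "$jail/incoming missing, uploads have nowhere to go"

    # 3. the jail's own sftp-server and every shared object it links against;
    #    a missing library or ELF interpreter makes execve fail with ENOENT,
    #    the "No such file or directory(2)" seen in the auth.log of post #8.
    srv=$jail/usr/lib/sftp-server
    if [ ! -x "$srv" ]; then
        finding "$srv missing or not executable"
    elif command -v ldd >/dev/null 2>&1 && deps=$(ldd "$srv" 2>/dev/null); then
        for dep in $(printf '%s\n' "$deps" | awk '$2 == "=>" {print $1} $1 ~ /^\// {print $1}'); do
            find "$jail" -name "$(basename "$dep")" 2>/dev/null | grep -q . \
                || finding "$dep needed by sftp-server is not inside the jail"
        done
    fi

    # 4. the host passwd line: 7 colon-separated fields and the scponlyc shell
    line=$(grep "^$user:" "$pwfile" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        finding "no entry for $user in $pwfile"
    else
        nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        shell=${line##*:}
        [ "$nf" -eq 7 ] || finding "passwd entry for $user has $nf fields, expected 7"
        [ "$shell" = /usr/sbin/scponlyc ] || finding "shell for $user is '$shell', expected /usr/sbin/scponlyc"
    fi
    return "$findings"
}

# stand-alone use: sh check_jail.sh /home/scponly
if [ "$#" -gt 0 ]; then check_scponly_jail "$@"; fi
```

Run it as root on the server so the jail's dev/ and the real /etc/passwd are readable; each FAIL line names the step of the howto to revisit.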
Old July 3rd, 2007   #9
revertex
A Carafe of Ubuntu
 
Join Date: Jul 2006
My beans are hidden!
Re: Howto: Easy SFTP and chroot SFTP with Scponly

dumb question, is /etc/ssh/sshd_config properly configured?

maybe you forgot to set "AllowUsers scponly4" in /etc/ssh/sshd_config
Old July 3rd, 2007   #10
dwstevens
First Cup of Ubuntu
 
Join Date: Jul 2007
Beans: 2
Re: Howto: Easy SFTP and chroot SFTP with Scponly

Quote:
Originally Posted by revertex View Post
dumb question, is /etc/ssh/sshd_config properly configured?

maybe you forgot to set "AllowUsers scponly4" in /etc/ssh/sshd_config
Thanks, I just checked, and it's set to use PAM, I am able to log in with sftp, ssh, scp with other users, but none that are chrooted.

root@XXXX:/etc/ssh# more sshd_config
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes