Installing scponly is not difficult. It is not trivial either so I advise reading the instructions carefully. Keep in mind, you CAN use scponly as a setuid binary, which should warrant caution.
If you dont know what this step means, consult "man chroot". If you still dont understand this question, you should not use chroot() functionality. Go to the next step.
Otherwise, consider the following:
There are only a handful of options to configure scponly. Please consult the features and capabilities page for detailed information on all of them. For most installations, you will only need one or two, typically --enable-chrooted-binary.
This is the easy part, type "make".
Type "make install".
This will install your manpage and scponly binary/binaries.
If you have not already done so, add "scponly" to your /etc/shells file, including the full pathname. If you are using a chrooted scponly install, you should add "scponlyc", also including full pathname.
Use your system's adduser or pw command to create the user. Consult the documentation for those commands as neccesary.
Set the default shell to the full pathname of your scponly binary. If you want chroot functionality, the name of the shell is "scponlyc", otherwise it is "scponly".
This could look something like:
adduser -d /pub -s /usr/local/bin/scponly scpdemo
or for chrooted:
adduser -d /pub -s /usr/local/sbin/scponlyc scpdemo
Where the home directory is "/pub" and the username is "scpdemo".
It is very important that the user's home directory be unwritable by the user, as a writable homedir will make it possible for users to subvert scponly by modifying ssh configuration files.
If users complain about being unable to write into their homedir, there is a provision to specify both the chroot directory and a subdirectory of the chroot to chdir into:
Everything before the // is the directory to chroot into and everything after the // is the subdir to chdir into after chrooting.
Naturally, set the password for this user.
It is advisable to read the additional documentation on Buildings Jails.
You will need to install some directories, passwd files, libraries and binaries in your chroot path so that scponly has something to invoke when it comes time to execute the remote request.
I have added the script that performs most setup for chroot. You can run it with:
Please be aware that chroot installation varies WIDELY from system to system. check in the build_extras directory if make jail has failed you.
That's it, you're done!
Some operating systems (notably redhat 9), use a shell script for the groups command. Though groups is an allowable command, the "#!/bin/sh" interpreter specification at the beginning of this script will attempt to load /bin/sh, which is not available in the chrooted jail. This is only a problem when you are also using WinSCP compatibiliy, because WinSCP will attempt to run "groups" upon connection initialization.
You have three choices:
Installing scponly on an Debian 3.1(sarge) is no problem, after apt-get install scponly and choosing scponly or scponlyc option you only have to creat the users with the setup_chroot.sh file. But with Debian 4.0(Etch) you are running into Problems. So here is an solution that might help a bit:
1. Login on the shell aus root
2. Get the scponly package:
apt-get install scponly
3. Copy the setup_chroot.sh file from /usr/share/doc/scponly/setup_chroot/ to /root for easier access (in some cases the file is in the setup_chroot.sh.gz file)
4. Edit the config.h file in /usr/share/doc/scponly/setup_chroot
Choose the type of sconly you want to use. If you want scponlyc (no shell(ssh) connection for users but sftp is enabled) write scponlyc into the CHROOTED_NAME: #define CHROOTED_NAME "scponlyc" Save file and exit.
5. Run ./setup_chroot.sh and creat a user
Enter username, user_home_dir and user_working_dir (this has to be below the user_home_dir)
6. Write scponlyc to /etc/shells
which scponlyc >> /etc/shells
7. Set SUID-Bit for scponlyc
chmod u+s /usr/sbin/scponlyc
8. Creat dev dir
cd /home/username mkdir dev cd dev mknod -m 666 null c 1 3
For 64bit systems I found this Link: German Tutorial for use at 64Bit Debian 4.0 systems