
Install

boblaublaw edited this page · 1 revision

Installing scponly is not difficult. It is not trivial either so I advise reading the instructions carefully. Keep in mind, you CAN use scponly as a setuid binary, which should warrant caution.


Decide If You Want To Use The chroot() Functionality

If you don't know what this step means, consult "man chroot". If you still don't understand the question, you should not use the chroot() functionality. Go to the next step.

Otherwise, consider the following:

  • If you do use chroot(), your binary will need to be setuid. This should make any security-conscious administrator wary.
  • Also consider that scponly will only execute AFTER sshd has authenticated the remote user. Given this, you should be able to rest a little easier knowing that using scponly will not expose you to anonymous, unauthenticated vulnerability scans of your subnet.
  • If you are still unsure, read the code. There is a seteuid() function call that ensures that the execution of any commands is never done with an effective uid of 0.
  • scponly will check the permissions of the directory it is about to chroot into unless --disable-chroot-checkdir is used at configuration time. This is to prevent chrooting into a user-writable directory.
  • Lastly, I make no guarantees that this code is unexploitable. Any system administrator utilizing scponly bears the full responsibility for maintaining a secure system.
  • Without chroot() functionality, scponly still functions just fine. However, almost all files on the root filesystem of any default installation are globally readable.
  • Installing scponly with chroot can incur some pretty hairy troubleshooting. The binaries and libraries must be set up properly in the chroot subdirectories.

Configure Your Installation

There are only a handful of options to configure scponly. Please consult the features and capabilities page for detailed information on all of them. For most installations, you will only need one or two, typically --enable-chrooted-binary.

Build The Binaries

This is the easy part, type "make".

Install The Binaries

Type "make install".

This will install your manpage and scponly binary/binaries.

Edit /etc/shells

If you have not already done so, add "scponly" to your /etc/shells file, including the full pathname. If you are using a chrooted scponly install, you should add "scponlyc", also including full pathname.

Create/Edit A User

Use your system's adduser or pw command to create the user. Consult the documentation for those commands as necessary.

Set the default shell to the full pathname of your scponly binary. If you want chroot functionality, the name of the shell is "scponlyc", otherwise it is "scponly".

This could look something like:

                adduser -d /pub -s /usr/local/bin/scponly scpdemo

or for chrooted:

                adduser -d /pub -s /usr/local/sbin/scponlyc scpdemo

Where the home directory is "/pub" and the username is "scpdemo".

It is very important that the user's home directory be unwritable by the user, as a writable homedir will make it possible for users to subvert scponly by modifying ssh configuration files.

If users complain about being unable to write into their homedir, there is a provision to specify both the chroot directory and a subdirectory of the chroot to chdir into:

        /home/userchroot//writable/subdir

Everything before the // is the directory to chroot into and everything after the // is the subdir to chdir into after chrooting.
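Added example (my own shell helpers, not scponly's code): it splits the chroot//subdir home-directory form described above, checks that the chroot target is owned by root and not group/other writable (the target directory itself, not its parent chain), and adds a shell path to a shells file without duplicating it, for the /etc/shells step. The function names are mine; the expected owner defaults to root and can be overridden for testing.

```shell
# Added example, not part of scponly: helpers for the "chroot//subdir" home
# directory form and for the two administrator checks the text asks for.

# Text before the first "//" is the chroot directory; with no "//" the whole
# path is chrooted into.
chroot_part() {
    case "$1" in
        *//*) printf '%s\n' "${1%%//*}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Text after the first "//" is the directory to chdir into after chrooting;
# with no "//" that is the chroot's own root.
subdir_part() {
    case "$1" in
        *//*) printf '/%s\n' "${1#*//}" ;;
        *)    printf '/\n' ;;
    esac
}

# True when the mode string from ls(1) has the group or other write bit set,
# the condition a writable-homedir check must reject.
dir_group_or_other_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# True when the chroot target exists, is owned by the expected user (root
# unless a second argument is given) and is not writable by group or other.
chroot_target_ok() {
    dir=$(chroot_part "$1")
    want=${2:-root}
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -prune -user "$want" 2>/dev/null)" ] || return 1
    if dir_group_or_other_writable "$dir"; then return 1; fi
    return 0
}

# Append a shell path to a shells file only if it is not already listed,
# so repeated runs do not duplicate the /etc/shells entry.
add_shell_entry() {
    file=$1; shell=$2
    grep -qxF "$shell" "$file" 2>/dev/null && return 0
    printf '%s\n' "$shell" >> "$file"
}
```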

Naturally, set the password for this user.

Additional chroot Specific Steps

It is advisable to read the additional documentation on Building Jails.

You will need to install some directories, passwd files, libraries and binaries in your chroot path so that scponly has something to invoke when it comes time to execute the remote request.

I have added the script that performs most setup for chroot. You can run it with:

        make jail

Please be aware that chroot installation varies WIDELY from system to system. Check the build_extras directory if make jail has failed you.



That's it, you're done!

Additional Installation Notes

Some operating systems (notably Red Hat 9) use a shell script for the groups command. Though groups is an allowable command, the "#!/bin/sh" interpreter specification at the beginning of this script will attempt to load /bin/sh, which is not available in the chrooted jail. This is only a problem when you are also using WinSCP compatibility, because WinSCP will attempt to run "groups" upon connection initialization.

You have three choices:

  • you can put /bin/sh in your jail, which is a security problem
  • you can deselect "lookup user groups" in the WinSCP configuration
  • you can "make groups" using the provided groups.c and move the fake groups program into your chroot.
  • There are additional notes and scripts in the "build_extras" directory of the distribution for specific platforms.

Installing scponly on Debian 4.0 (Etch) with apt

Installing scponly on Debian 3.1 (sarge) is no problem: after apt-get install scponly and choosing the scponly or scponlyc option, you only have to create the users with the setup_chroot.sh file. But with Debian 4.0 (Etch) you run into problems. So here is a solution that might help a bit:

1. Log in on the shell as root

2. Get the scponly package:

   apt-get install scponly

3. Copy the setup_chroot.sh file from /usr/share/doc/scponly/setup_chroot/ to /root for easier access (in some cases the file is compressed as setup_chroot.sh.gz)

4. Edit the config.h file in /usr/share/doc/scponly/setup_chroot

   Choose the type of scponly you want to use.
   If you want scponlyc (no shell (ssh) connection for users, but sftp is enabled), write scponlyc into CHROOTED_NAME:
   #define CHROOTED_NAME "scponlyc"
   Save file and exit.

5. Run ./setup_chroot.sh and create a user

   Enter username, user_home_dir and user_working_dir (this has to be below the user_home_dir)

6. Write scponlyc to /etc/shells

   which scponlyc >> /etc/shells

7. Set the SUID bit on scponlyc

   chmod u+s /usr/sbin/scponlyc

8. Create the dev directory and the null device inside it

   cd /home/username
   mkdir dev
   cd dev
   mknod -m 666 null c 1 3

Done!

For 64-bit systems I found this link: German Tutorial for use on 64-bit Debian 4.0 systems

Some additional notes about SELinux

  • I ran into some trouble getting scponly working on my RHEL5 system, and it started working again when I ran:
    setenforce Permissive
  • I subsequently turned SELinux back to Enforcing
    setenforce Enforcing
  • I had to relabel a bunch of files, but I sort of did it in batch, so I'm not sure what ended up being the files that fixed it. Anyways, here's a list of some of the basics; you might need to add more for your setup (ALL PATHS ARE RELATIVE TO THE CHROOT, not the actual files; though any additional files you have in your chroot should probably have the same permissions as their non-chrooted counterparts):
    • /dev/null: system_u:object_r:null_device_t
    • /etc/passwd: system_u:object_r:etc_t
    • all libraries (/lib, /lib64, etc.): system_u:object_r:lib_t
    • The exception, /lib/ld-linux-x86-64.so.2 (or whatever your linux calls ld*.so): system_u:object_r:ld_so_t
    • /usr/libexec/openssh/sftp-server: system_u:object_r:bin_t