Chrooted scponly on Debian

The standard tools to get scponly working on Debian 5 … don’t work. Here’s what to do to get scponly working.

First, if scponly was already installed, remove it using apt-get remove scponly.

Next, clean up any scponly changes:

  • Remove the scponly group in /etc/group
  • Remove the scponly user in /etc/passwd
  • Remove the scponly password in /etc/shadow

Now, get the latest version of scponly (20080308 as of this writing) from SourceForge:

http://sourceforge.net/projects/scponly/files/

Next, untar and build using the command:

# ./configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc --enable-scp-compat --enable-winscp-compat --enable-chrooted-binary --enable-passwd-compat PROG_USERADD=/usr/sbin/useradd
# make
# make install

Once installed, run setup_chroot.sh that’s in the source directory and create the initial scponly user. Follow the directions and you should end up with the directory /home/scponly.

Now, copy over all the libraries needed for sftp-server to run:

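# Copy every library sftp-server links against to the same path inside the jail
for i in $(ldd /usr/lib/sftp-server | awk '{print $3}' | grep '^/'); do
    j="/home/scponly${i}"
    echo "$i -> $j"
    mkdir -p "$(dirname "$j")"   # the target directory may not exist in the jail yet
    cp "$i" "$j"
done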

Create /dev/null:

# mkdir /home/scponly/dev
# cp -a /dev/null /home/scponly/dev/null

And finally, for 64-bit systems, copy over ld:

# mkdir /home/scponly/lib64
# cp /lib64/ld-linux-x86-64.so.2 /home/scponly/lib64

Once that’s done, you should have an scponly user that can connect using sftp or scp in a chrooted jail.

The last thing I do is create /home/scponly/home so that I can keep multiple users in the same jail. In /etc/passwd, enter the user’s home directory as /home/scponly//home/user: the double slash marks where the chroot ends, so the user is jailed in /home/scponly and, on login, ends up in their own home directory.

Update:

Make sure that there is at least one entry (it can be bogus) in /home/scponly/etc/passwd, or else nothing will work. For example:

null:x:1001:100::/dev/null:/sbin/nologin
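
A way to check the finished jail against the steps above, as an added example that is not part of the original post or of scponly. The names ldd_paths and audit_jail and the script name audit_jail.sh are hypothetical, and the check for group- or world-writable directories is an extra hardening check that the post does not describe.

```shell
#!/bin/sh
# Added example, not from the original post. ldd_paths and audit_jail are
# hypothetical helper names.

# Read `ldd` output on stdin and print every absolute path it names: both
# "name => /path" lines and the bare dynamic-loader line (/lib64/ld-linux-...).
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }
         $1 ~ /^\//                { print $1 }'
}

# audit_jail JAIL LIB...: print one line per problem, return the problem count.
audit_jail() {
    jail=$1; shift
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Each library must exist at the same path inside the jail.
    for lib in "$@"; do
        [ -e "${jail}${lib}" ] || fail "missing ${jail}${lib}"
    done

    # /dev/null has to be a real character device (cp -a), not a regular file.
    [ -c "${jail}/dev/null" ] || fail "${jail}/dev/null is not a character device"

    # The jail's own passwd file needs at least one entry.
    grep -q '^[^:][^:]*:' "${jail}/etc/passwd" 2>/dev/null ||
        fail "${jail}/etc/passwd has no entries"

    # Extra check (assumption, not a step in the post): a jailed user who can
    # write to the jail's top-level directories can replace its libraries.
    writable=$(find "$jail" -maxdepth 1 -type d \( -perm -020 -o -perm -002 \) | head -n 1)
    [ -z "$writable" ] || fail "group- or world-writable directory: $writable"

    return "$problems"
}

# Usage: sh audit_jail.sh /home/scponly /usr/lib/sftp-server
if [ "$#" -eq 2 ]; then
    # Word splitting is intended: one argument per library path.
    audit_jail "$1" $(ldd "$2" | ldd_paths)
fi
```

An exit status of 0 means every check passed; otherwise each PROBLEM line names the step to redo.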

Resources:

http://lists.ccs.neu.edu/pipermail/scponly/2009-March/002026.html
http://www.sublimation.org/scponly/wiki/index.php/Install
