scponly problems

breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

scponly problems

Unread post by breun »

I installed the scponly package from ART on a CentOS 5 machine, but noticed it didn't add scponly and scponlyc to /etc/shells. I believe the RPM should take care of that?

After manually adding the locations of these files to /etc/shells the scponly shells don't appear in Plesk 9.2.2. Any idea on what needs to happen before they appear there as options?

I have used the RPMForge scponly package in the past and I believe it did add the scponly shells to /etc/shells. I also saw the scponly shells in Plesk as options for domains, but that was on Plesk 8.
Lemonbit Internet Dedicated Server Management
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: scponly problems

Unread post by breun »

Just tried this again on CentOS 4 / Plesk 9.2.2, but sure enough it doesn't work there either. The scponly shells don't show up in Plesk, even after manually adding them to /etc/shells.

Is anyone successfully using the scponly package from atomic?
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: scponly problems

Unread post by breun »

Is no one successfully using scponly with Plesk?
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Re: scponly problems

Unread post by Highland »

Unfortunately I manually installed it years before atomic supported it so I can't speak to the package. I am using it with 2 Plesk servers, tho, without issue. I'm not sure why adding it to /etc/shells would not allow it. Did you restart psa to make sure it wasn't cached? I've not had to do that myself but you never know...
"Its not a mac. I run linux... I'm actually cool." - scott
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: scponly problems

Unread post by breun »

*bump* Is no one using the scponly package from the atomic channel with Plesk?
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Re: scponly problems

Unread post by breun »

Really, nobody? :(
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: scponly problems

Unread post by scott »

Old post I know, but I just did this as a test earlier today:

1) yum install scponly
** this doesn't add it to the plesk dropdown, duly noted.

2) in the domain, set the account to use a chrooted bash shell, and apply

3) change the user's account to scponlyc in /etc/passwd

4) in the user's home directory create <homedir>/usr/bin

5) ln /usr/bin/scp to <homedir>/usr/bin/
totus
New Forum User
Posts: 4
Joined: Fri May 28, 2010 1:03 pm

Re: scponly problems

Unread post by totus »

Have scponly working fine, the issue I'm having is with scponlyc for jailed env.

Within Plesk I setup a web_user. On the shell as root pwd:

/var/www/vhosts/<domain>.com/web_users/totustesting

Perms: drwxr-x--- 8 root psaserv 4096 May 28 11:55 totustesting

The main account via Plesk is setup with chroot sh which resides /var/www/vhosts/<domain>.com/

I cp -r as root: bin, etc, lib, tmp, usr, var to /var/www/vhosts/<domain>.com/web_users/totustesting

[root@mirage totustesting]# ls -al
total 32
drwxr-x--- 8 root psaserv 4096 May 28 11:55 .
drwxr-xr-x 5 root psaserv 4096 May 28 11:29 ..
drwxr-xr-x 2 root root 4096 May 28 11:54 bin
drwxr-xr-x 2 root root 4096 May 28 11:54 etc
drwxr-xr-x 2 root root 4096 May 28 11:54 lib
drwxr-xr-t 40 root root 4096 May 28 11:54 tmp
drwxr-xr-x 6 root root 4096 May 28 11:55 usr
drwxr-xr-x 3 root root 4096 May 28 11:55 var

totustesting bin dir listings

[root@mirage bin]# ls -al
total 3068
drwxr-xr-x 2 root root 4096 May 28 11:54 .
drwxr-x--- 8 root psaserv 4096 May 28 11:55 ..
-rwxr-xr-x 1 root root 735004 May 28 11:54 bash
-rwxr-xr-x 1 root root 23132 May 28 11:54 cat
-rwxr-xr-x 1 root root 68584 May 28 11:54 cp
-rwxr-xr-x 1 root root 69124 May 28 11:54 du
-rwxr-xr-x 1 root root 16964 May 28 11:54 false
-rwxr-xr-x 1 root root 85060 May 28 11:54 grep
-rwxr-xr-x 1 root root 1931 May 28 11:54 groups
-rwxr-xr-x 1 root root 31692 May 28 11:54 head
-rwxr-xr-x 1 root root 22600 May 28 11:54 id
-rwxr-xr-x 1 root root 129984 May 28 11:54 less
-rwxr-xr-x 1 root root 29872 May 28 11:54 ln
-rwxr-xr-x 1 root root 93816 May 28 11:54 ls
-rwxr-xr-x 1 root root 29852 May 28 11:54 mkdir
-rwxr-xr-x 1 root root 32144 May 28 11:54 more
-rwxr-xr-x 1 root root 77856 May 28 11:54 mv
-rwxr-xr-x 1 root root 23084 May 28 11:54 pwd
-rwxr-xr-x 1 root root 44068 May 28 11:54 rm
-rwxr-xr-x 1 root root 18764 May 28 11:54 rmdir
-rwxr-xr-x 1 root root 53740 May 28 11:54 scp
-rwsr-xr-x 1 root root 24092 May 28 11:54 scponlyc

-rwxr-xr-x 1 root root 735004 May 28 11:54 sh
-rwxr-xr-x 1 root root 42828 May 28 11:54 tail
-rwxr-xr-x 1 root root 42284 May 28 11:54 touch
-rwxr-xr-x 1 root root 16964 May 28 11:54 true
-rwxr-xr-x 1 root root 594740 May 28 11:54 vi

/etc/passwd

totustesting:x:10023:2522::/var/www/vhosts/<domain>.com/web_users/totustesting:/usr/sbin/scponlyc

[root@mirage bin]# sftp totustesting@<domain>.com
Connecting to <domain>.com...
totustesting@<domain>.com's password:
Connection closed

/var/log/secure <-- RHEL platform

May 28 12:32:25 mirage sshd[31756]: Accepted password for totustesting from <IP> port 45304 ssh2
May 28 12:32:25 mirage sshd[31756]: pam_unix(sshd:session): session opened for user totustesting by (uid=0)
May 28 12:32:25 mirage sshd[31758]: subsystem request for sftp
May 28 17:32:25 mirage scponly[31759]: running: /usr/libexec/openssh/sftp-server (username: totustesting(10023), IP/port: <IP> 45304 22)
May 28 17:32:25 mirage scponly[31759]: failed: /usr/libexec/openssh/sftp-server with error Permission denied(13) (username: totustesting(10023), IP/port: <IP> 45304 22)
May 28 12:32:25 mirage sshd[31756]: pam_unix(sshd:session): session closed for user totustesting

Thanks for input!

Cheers,
Troy
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: scponly problems

Unread post by scott »

Right for sftp you'll need to add this to the chroot jail too:

/usr/libexec/openssh/sftp-server
totus
New Forum User
Posts: 4
Joined: Fri May 28, 2010 1:03 pm

Re: scponly problems

Unread post by totus »

I have sftp-server located within the chroot jail /usr dir. Still getting a permission denied on sftp-server exec.

[root@mirage openssh]# pwd
/var/www/vhosts/<domain>.com/web_users/totustesting/usr/libexec/openssh
[root@mirage openssh]# ls -al
total 64
drwxr-xr-x 2 root root 4096 Jun 1 16:47 .
drwxr-xr-x 3 root root 4096 Jun 1 16:46 ..
-rwxr-xr-x 1 root root 50176 Jun 1 16:47 sftp-server

scponly log level 2

Jun 1 17:24:13 mirage sshd[11075]: Accepted password for totustesting from <IP> port 56765 ssh2
Jun 1 17:24:13 mirage sshd[11075]: pam_unix(sshd:session): session opened for user totustesting by (uid=0)
Jun 1 17:24:13 mirage sshd[11077]: subsystem request for sftp
Jun 1 17:24:13 mirage scponly[11078]: chrooted binary in place, will chroot()
Jun 1 17:24:13 mirage scponly[11078]: 3 arguments in total.
Jun 1 17:24:13 mirage scponly[11078]: arg 0 is scponlyc
Jun 1 17:24:13 mirage scponly[11078]: arg 1 is -c
Jun 1 17:24:13 mirage scponly[11078]: arg 2 is /usr/libexec/openssh/sftp-server
Jun 1 17:24:13 mirage scponly[11078]: opened log at LOG_AUTHPRIV, opts 0x00000029
Jun 1 17:24:13 mirage scponly[11078]: determined USER is "totustesting" from environment
Jun 1 17:24:13 mirage scponly[11078]: retrieved home directory of "/var/www/vhosts/<domain>.com/web_users/totustesting" for user "totustesting"
Jun 1 17:24:13 mirage scponly[11078]: chrooting to dir: "/var/www/vhosts/<domain>.com/web_users/totustesting"
Jun 1 17:24:13 mirage scponly[11078]: chdiring to dir: "/"
Jun 1 22:24:13 mirage scponly[11078]: setting uid to 10023
Jun 1 22:24:13 mirage scponly[11078]: processing request: "/usr/libexec/openssh/sftp-server"
Jun 1 22:24:13 mirage scponly[11078]: Using getopt processing for cmd /usr/libexec/openssh/sftp-server (username: totustesting(10023), IP/port: <IP> 56765 22)
Jun 1 22:24:13 mirage scponly[11078]: running: /usr/libexec/openssh/sftp-server (username: totustesting(10023), IP/port: <IP> 56765 22)
Jun 1 22:24:13 mirage scponly[11078]: about to exec "/usr/libexec/openssh/sftp-server" (username: totustesting(10023), IP/port: <IP> 56765 22)
Jun 1 22:24:13 mirage scponly[11078]: failed: /usr/libexec/openssh/sftp-server with error Permission denied(13) (username: totustesting(10023), IP/port: <IP> 56765 22)
Jun 1 17:24:14 mirage sshd[11077]: Received disconnect from <IP>: 11: disconnected by user
Jun 1 17:24:14 mirage sshd[11075]: pam_unix(sshd:session): session closed for user totustesting
totus
New Forum User
Posts: 4
Joined: Fri May 28, 2010 1:03 pm

Re: scponly problems

Unread post by totus »

No Love?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: scponly problems

Unread post by scott »

Weird I'm not getting that. All I had to do was ln /usr/libexec/openssh/sftp-server to /var/www/vhosts/domain.com//usr/libexec/openssh/sftp-server. Do you have selinux enabled by any chance?
totus
New Forum User
Posts: 4
Joined: Fri May 28, 2010 1:03 pm

Re: scponly problems

Unread post by totus »

No, selinux is not enabled. I'll keep digging. Thanks

I've actually placed a copy of sftp-server in

/var/www/vhosts/<domain>.com/web_users/<usr account>/usr/libexec/openssh/sftp-server

Tried ln as well, so mysterious connection close.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: scponly problems

Unread post by faris »

I had wonderful fun with the ART scponly RPMs this evening, and I thought I should post here so that it is recorded for posterity:

Note that the following applies to chrooted sftp, which requires that the shell is set to scponlyc rather than scponly

Are you sitting comfortably? Then I'll begin:

For "normal" domain FTP users

1) In Plesk, change the shell to bash - chroot jail

2) Run the following command

Code:

usermod -s /usr/sbin/scponlyc username (where username = ftp username)
( the above is the same as editing /etc/passwd to change the shell to /usr/sbin/scponlyc )

3) All done.

NOTE: For whatever reason, normal FTP access *for this user* seems not to work - they can only connect using sftp once this is done. I've not yet figured out why, or if it was something I did wrong at some point in the past.


Subdomain and web users

What about Plesk *subdomain* FTP users? You cannot assign a shell to subdomain users in Plesk 8.6 (not sure about later versions) and possibly not for "web users" either.

You can still enable scponly for them, but it is a tad harder. Just a tad, mind you!

When you tell Plesk to give shell access to a normal domain user, it basically changes /etc/passwd to give it the appropriate shell, and, in the case of the chroot jailed shell, it copies certain files to /var/www/vhosts/domain.tld/bin, etc, var, lib, usr and dev.

Since you can't use this automated option for *subdomain* users (and possibly web_users), you need to copy the appropriate files manually to the user's chrooted jail root.

For a *subdomain* user, the root would be /var/www/vhosts/domain.tld/subdomains/subdomain-name/

As to the necessary files themselves, the simplest option is to give a normal FTP user bash-chroot shell access temporarily, then copy SOME files from there. Remember to disable the bash chroot access for that user afterwards!

I say SOME files because you don't need ALL the files that Plesk actually copies. All you really need are the following:

bin (but only scp -- none of the rest are needed and copying them may pose a security risk)
lib (all)
usr (all)

Actually, in usr you'll find a share and a lib directory. The lib directory is empty and you don't really need it. I don't actually know if you need the share directory or not. I'd guess not, however.


So, just to make this clear, in the case of a *subdomain* user, you'd end up with the following:

/var/www/vhosts/domain.tld/subdomains/subdomain-name/bin/scp
/var/www/vhosts/domain.tld/subdomains/subdomain-name/lib/(lots of "so" files)
/var/www/vhosts/domain.tld/subdomains/subdomain-name/usr/libexec/openssh/sftp-server
/var/www/vhosts/domain.tld/subdomains/subdomain-name/usr/share/(lots of files - may not be needed)
/var/www/vhosts/domain.tld/subdomains/subdomain-name/usr/lib (empty -- not needed really)

Incidentally, all the above are root:root. Use cp -rp when copying them from their original locations.


Common error messages
If you miss out bin/scp and/or the lib directory, you'll get an error such as...

Code:

failed: /usr/libexec/openssh/sftp-server with error No such file or directory(2)
...even if you actually do have
/var/www/vhosts/domain.tld/subdomain-name/usr/libexec/openssh/sftp-server

If you just can't get this error to go away, try copying the entire bin, lib and usr directories.


Testing:
If all is well, you should be able to connect via sftp using the appropriate ftp username and password, and crucially you should NOT be able to get further up the directory tree than /var/www/vhosts/domain.tld/subdomains/subdomain-name and you should NOT be able to connect to any normal shell when using ssh and the ftp username and password (you will get an scponly "welcome message", however)

Faris.
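As an added example (not code from the thread, the scponly package or Plesk), the POSIX shell function below audits a jail laid out the way scott's steps and faris's write-up describe: bin/scp and usr/libexec/openssh/sftp-server present and executable, lib/ populated, no setuid binaries copied into the jail, and the jail root owned by the expected account. The others-execute check and the optional owner argument are my assumptions: it only looks at the o+x bit, so a jail root such as drwxr-x--- root psaserv is reported even when the sftp user's group happens to be psaserv.

```shell
#!/bin/sh
# Added audit helper for an scponlyc chroot jail (example code, not from the thread).
# Checks: bin/scp and usr/libexec/openssh/sftp-server exist and are executable,
# lib/ is not empty, every directory from the jail root down to sftp-server is
# traversable by others (after chroot()+setuid() the jailed uid needs search
# permission on each of them, otherwise exec fails with Permission denied(13)),
# no setuid binaries live inside the jail (scponlyc is setuid root and belongs
# outside it), and the jail root is owned by the expected account (root by default).
# Usage: audit_jail /var/www/vhosts/domain.tld/subdomains/subdomain-name [owner]
# Prints one line per problem; returns 0 when everything passes, 1 otherwise.

audit_jail() {
    jail=$1
    owner=${2:-root}
    rc=0
    for f in bin/scp usr/libexec/openssh/sftp-server; do
        [ -x "$jail/$f" ] || { echo "missing or not executable: $jail/$f"; rc=1; }
    done
    if [ ! -d "$jail/lib" ] || [ -z "$(ls -A "$jail/lib" 2>/dev/null)" ]; then
        echo "lib/ missing or empty: expect 'No such file or directory(2)' from sftp-server"
        rc=1
    fi
    # Conservative heuristic: only the others-execute bit is inspected (assumption).
    for d in "$jail" "$jail/usr" "$jail/usr/libexec" "$jail/usr/libexec/openssh"; do
        if [ -d "$d" ]; then
            case $(ls -ld "$d" | cut -c10) in
                x|t) ;;
                *) echo "not traversable by others: $d"; rc=1 ;;
            esac
        fi
    done
    setuid=$(find "$jail" -type f -perm -4000 2>/dev/null)
    if [ -n "$setuid" ]; then
        echo "setuid binaries inside jail (remove them):"
        echo "$setuid"
        rc=1
    fi
    actual=$(ls -ld "$jail" | awk '{print $3}')
    if [ "$actual" != "$owner" ]; then
        echo "jail root owned by $actual, expected $owner"
        rc=1
    fi
    return $rc
}
```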