LinuxQuestions.org
Old 12-10-2005, 08:33 AM   #1
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Rep: Reputation: 31
Trouble with ScpOnly


Hello,

I am wondering if someone can help me...? I just installed ScpOnly 4.1 and I enabled the chroot jail. When I use WinSCP the user is locked in a jail (like they should be). And, I can copy files to the jail just fine. However, when I try to use my Linux box to connect to my Linux machine running ScpOnly, I cannot log in.

Below is the command that I am trying to run:
scp -i ./.ssh/id_rsa file_name dns_name:incoming/

I receive the following error message:
unknown user 1002
lost connection.

#User 1002 is my ScpOnly user

After this error message, I am dropped back at the shell. I read some articles...and some suggested that I run a 'ldd /usr/bin/scp' to make sure all of the libs are installed. And, they are. My question to you is why does WinSCP work and not Linux to Linux 'scp'? Is there something that I need to check? Did I do something wrong in my install?

I installed ScpOnly as follows:
tar -zxvf scp*
./configure --enable-chrooted-binary
make
make install
make jail

Thanks in advance for your help!

-X

Last edited by XaViaR; 12-10-2005 at 08:35 AM.
 
Old 12-10-2005, 09:46 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
Haven't used scponly but I suspect your issue is your chroot jail doesn't have an /etc/passwd under it. (e.g. /jail/etc/passwd).

Remember, on login the account ONLY has access to what's under the jail, and it thinks that the jail directory (/jail in my example) is the root directory. It cannot see the REAL /etc/passwd, as that is in ../etc/passwd from /jail, but there is no ../etc/passwd from /, which is where it has been faked into thinking it logged into. Your (jail)/etc/passwd should ONLY have the account for the user rather than being a full copy of /etc/passwd.
 
Old 12-10-2005, 10:43 AM   #3
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Original Poster
Rep: Reputation: 31
jlightner,

I have /etc/passwd located in my jail. I have done a ls -laR on my /home/scponly directory which is my chroot jail. I hope this helps!

xaviar@taz:/home> ls -laR scponly/
scponly/:
total 1
drwxr-xr-x 7 root root 168 2005-12-06 23:21 .
drwxr-xr-x 7 root root 160 2005-12-06 22:22 ..
drwxr-xr-x 2 root root 312 2005-12-06 22:22 bin
drwxr-xr-x 2 root root 136 2005-12-06 22:22 etc
drwxr-xr-x 2 scponly users 48 2005-12-07 15:21 incoming
drwxr-xr-x 3 root root 504 2005-12-06 22:22 lib
drwxr-xr-x 4 root root 96 2005-12-06 22:22 usr

scponly/bin:
total 416
drwxr-xr-x 2 root root 312 2005-12-06 22:22 .
drwxr-xr-x 7 root root 168 2005-12-06 23:21 ..
-rwxr-xr-x 1 root root 37020 2005-12-06 22:22 chgrp
-rwxr-xr-x 1 root root 36044 2005-12-06 22:22 chmod
-rwxr-xr-x 1 root root 40284 2005-12-06 22:22 chown
-rwxr-xr-x 1 root root 16532 2005-12-06 22:22 echo
-rwxr-xr-x 1 root root 26616 2005-12-06 22:22 ln
-rwxr-xr-x 1 root root 82640 2005-12-06 22:22 ls
-rwxr-xr-x 1 root root 26840 2005-12-06 22:22 mkdir
-rwxr-xr-x 1 root root 67876 2005-12-06 22:22 mv
-rwxr-xr-x 1 root root 17432 2005-12-06 22:22 pwd
-rwxr-xr-x 1 root root 36236 2005-12-06 22:22 rm
-rwxr-xr-x 1 root root 15864 2005-12-06 22:22 rmdir

scponly/etc:
total 28
drwxr-xr-x 2 root root 136 2005-12-06 22:22 .
drwxr-xr-x 7 root root 168 2005-12-06 23:21 ..
-rwxr-xr-x 1 root root 17320 2005-12-06 22:22 ld.so.cache
-rwxr-xr-x 1 root root 327 2005-12-06 22:22 ld.so.conf
-rw------- 1 root root 59 2005-12-06 22:22 passwd

scponly/incoming:
total 0
drwxr-xr-x 2 scponly users 48 2005-12-07 15:21 .
drwxr-xr-x 7 root root 168 2005-12-06 23:21 ..

scponly/lib:
total 713
drwxr-xr-x 3 root root 504 2005-12-06 22:22 .
drwxr-xr-x 7 root root 168 2005-12-06 23:21 ..
-rwxr-xr-x 1 root root 101927 2005-12-06 22:22 ld-linux.so.2
-rwxr-xr-x 1 root root 128477 2005-12-06 22:22 libacl.so.1
-rwxr-xr-x 1 root root 14412 2005-12-06 22:22 libattr.so.1
-rwxr-xr-x 1 root root 6536 2005-12-06 22:22 libcom_err.so.2
-rwxr-xr-x 1 root root 47724 2005-12-06 22:22 libcrypt.so.1
-rwxr-xr-x 1 root root 13830 2005-12-06 22:22 libdl.so.2
-rwxr-xr-x 1 root root 94166 2005-12-06 22:22 libnsl.so.1
-rwxr-xr-x 1 root root 36290 2005-12-06 22:22 libnss_compat-2.3.5.so
-rwxr-xr-x 1 root root 36290 2005-12-06 22:22 libnss_compat.so.2
-rwxr-xr-x 1 root root 74650 2005-12-06 22:22 libresolv.so.2
-rwxr-xr-x 1 root root 65792 2005-12-06 22:22 libselinux.so.1
-rwxr-xr-x 1 root root 13029 2005-12-06 22:22 libutil.so.1
-rwxr-xr-x 1 root root 73712 2005-12-06 22:22 libz.so.1
drwxr-xr-x 2 root root 144 2005-12-10 07:05 tls

scponly/lib/tls:
total 1518
drwxr-xr-x 2 root root 144 2005-12-10 07:05 .
drwxr-xr-x 3 root root 504 2005-12-06 22:22 ..
-rwxr-xr-x 1 root root 1417095 2005-12-06 22:22 libc.so.6
-rwxr-xr-x 1 root root 93266 2005-12-06 22:22 libpthread.so.0
-rwxr-xr-x 1 root root 40833 2005-12-06 22:22 librt.so.1

scponly/usr:
total 0
drwxr-xr-x 4 root root 96 2005-12-06 22:22 .
drwxr-xr-x 7 root root 168 2005-12-06 23:21 ..
drwxr-xr-x 2 root root 120 2005-12-06 22:22 bin
drwxr-xr-x 3 root root 384 2005-12-06 22:22 lib

scponly/usr/bin:
total 64
drwxr-xr-x 2 root root 120 2005-12-06 22:22 .
drwxr-xr-x 4 root root 96 2005-12-06 22:22 ..
-rwxr-xr-x 1 root root 1928 2005-12-06 22:22 groups
-rwxr-xr-x 1 root root 19332 2005-12-06 22:22 id
-rwxr-xr-x 1 root root 40724 2005-12-06 22:22 scp

scponly/usr/lib:
total 2133
drwxr-xr-x 3 root root 384 2005-12-06 22:22 .
drwxr-xr-x 4 root root 96 2005-12-06 22:22 ..
-rwxr-xr-x 1 root root 1027732 2005-12-06 22:22 libcrypto.so.0.9.7
-rwxr-xr-x 1 root root 93556 2005-12-06 22:22 libgssapi_krb5.so.2
-rwxr-xr-x 1 root root 147412 2005-12-06 22:22 libk5crypto.so.3
-rwxr-xr-x 1 root root 452564 2005-12-06 22:22 libkrb5.so.3
-rwxr-xr-x 1 root root 9364 2005-12-06 22:22 libkrb5support.so.0
-rwxr-xr-x 1 root root 27172 2005-12-06 22:22 libopenct.so.1
-rwxr-xr-x 1 root root 357668 2005-12-06 22:22 libopensc.so.1
-rwxr-xr-x 1 root root 35180 2005-12-06 22:22 libpcsclite.so.1
-rwxr-xr-x 1 root root 18700 2005-12-06 22:22 libscconf.so.1
drwxr-xr-x 2 root root 80 2005-12-06 22:22 ssh

scponly/usr/lib/ssh:
total 36
drwxr-xr-x 2 root root 80 2005-12-06 22:22 .
drwxr-xr-x 3 root root 384 2005-12-06 22:22 ..
-rwxr-xr-x 1 root root 33232 2005-12-06 22:22 sftp-server
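
The check post #2 describes, extended to file permissions, as an added example that is not part of any post in this thread: scp aborts with "unknown user" when getpwuid() fails for its own UID, so inside the jail etc/passwd must exist, contain that UID and be readable by it (the listing above shows etc/passwd as -rw------- root root). The function name and return codes are illustrative; it assumes GNU stat and a glibc that loads NSS backends from separate libnss_* files, as in the jail listed above.

```shell
#!/bin/sh
# check_jail_passwd JAIL UID   (hypothetical helper; assumes GNU stat)
# Return codes: 0 ok, 1 no etc/passwd, 2 no entry for UID,
#               3 entry unreadable by UID, 4 no libnss_* module in the jail.
check_jail_passwd() {
    jail=$1 uid=$2 pw="$1/etc/passwd"

    [ -f "$pw" ] || { echo "missing: $pw"; return 1; }

    # passwd fields are name:pw:uid:gid:gecos:home:shell
    gid=$(awk -F: -v u="$uid" '$3 == u { print $4; exit }' "$pw")
    [ -n "$gid" ] || { echo "no entry for uid $uid in $pw"; return 2; }

    # Judge readability from mode and ownership rather than `test -r`:
    # this is normally run by root, who can read every file.
    # Supplementary groups and ACLs are not considered.
    set -- $(stat -c '%a %u %g' "$pw")
    mode=$1 fuid=$2 fgid=$3
    perm=$((0$mode))                      # octal mode -> integer
    if   [ "$fuid" = "$uid" ]; then bit=$((perm & 0400))
    elif [ "$fgid" = "$gid" ]; then bit=$((perm & 0040))
    else                            bit=$((perm & 0004))
    fi
    [ "$bit" -ne 0 ] || {
        echo "uid $uid cannot read $pw (mode $mode, owner $fuid:$fgid)"
        return 3
    }

    # NSS backends are dlopen()ed at lookup time, so `ldd scp` does not list them.
    ls "$jail"/lib*/libnss_*.so* >/dev/null 2>&1 || {
        echo "no libnss_* module under $jail/lib*"
        return 4
    }
    echo "uid $uid resolves inside $jail"
}

# Run directly as: sh check_jail.sh /home/scponly 1002
if [ $# -eq 2 ]; then check_jail_passwd "$1" "$2"; fi
```
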
 
Old 12-10-2005, 11:34 AM   #4
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
I've never used scponly, so this is just a guess, but maybe it's having issues with your identity file (specified with the -i). Try scp'ing without the -i option and see if it works. Also, add -vv to the command to get some more verbose output about what is happening.
 
Old 12-11-2005, 09:32 AM   #5
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Original Poster
Rep: Reputation: 31
btmiller,

I turned off publickey auth, and then I tried using password auth. Below is the error message that I received:

# -- Start here --

USERNAME@spicy:~/Desktop> scp -vvv k3b.desktop scponly@domain_name.org:incoming/
Executing: program /usr/bin/ssh host domain_name.org, user scponly, command scp -v -t incoming/
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /home/USERNAME/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to domain_name.org [192.168.1.254] port 22.
debug1: Connection established.
debug1: identity file /home/USERNAME/.ssh/identity type -1
debug1: identity file /home/USERNAME/.ssh/id_rsa type -1
debug1: identity file /home/USERNAME/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-cbc
debug2: kex_parse_kexinit: aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes256-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes256-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 250/512
debug2: bits set: 2017/4096
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/USERNAME/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 7
debug3: check_host_in_hostfile: filename /home/USERNAME/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'domain_name.org' is known and matches the RSA host key.
debug1: Found key in /home/USERNAME/.ssh/known_hosts:7
debug2: bits set: 2032/4096
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/USERNAME/.ssh/identity ((nil))
debug2: key: /home/USERNAME/.ssh/id_rsa ((nil))
debug2: key: /home/USERNAME/.ssh/id_dsa ((nil))
debug3: input_userauth_banner


debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/USERNAME/.ssh/identity
debug3: no such identity: /home/USERNAME/.ssh/identity
debug1: Trying private key: /home/USERNAME/.ssh/id_rsa
debug3: no such identity: /home/USERNAME/.ssh/id_rsa
debug1: Trying private key: /home/USERNAME/.ssh/id_dsa
debug3: no such identity: /home/USERNAME/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
scponly@domain_name.org's password:
debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: ssh_session2_setup: id 0
debug1: Sending command: scp -v -t incoming/
debug2: channel 0: request exec
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug2: channel 0: rcvd ext data 19
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: obuf_empty delayed efd 6/(19)
unknown user 1002
debug2: channel 0: written 19 to efd 6
debug3: channel 0: will not send data after close
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 fd -1/-1)

debug3: channel 0: close_fds r -1 w -1 e 6
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 255
lost connection

# -- Stop here --

Do you know what else I can try?

Thanks in advance,

-X
 
Old 12-13-2005, 09:03 AM   #6
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Original Poster
Rep: Reputation: 31
Moderator,

Can you please move this thread to the Security forum? Maybe some in that forum can help me out.

Thanks!

-X
 
Old 12-22-2005, 05:22 PM   #7
XaViaR
Member
 
Registered: Dec 2004
Distribution: RHEL, CentOS, SuSE
Posts: 170

Original Poster
Rep: Reputation: 31
anyone...?
 
  

