Install From Scponly wiki Jump to: navigation, search Installing scponly is not difficult. It is not trivial either so I advise reading the instructions carefully. Keep in mind, you CAN use scponly as a setuid binary, which should warrant caution. Contents * 1 Decide If You Want To Use The chroot() Functionality * 2 Configure Your Installation * 3 Build The Binaries * 4 Install The Binaries * 5 Edit /etc/shells * 6 Create/Edit A User * 7 Additional chroot Specific Steps * 8 Additional Installation Notes Decide If You Want To Use The chroot() Functionality If you dont know what this step means, consult "man chroot". If you still dont understand this question, you should not use chroot() functionality. Go to the next step. Otherwise, consider the following: * If you do use chroot(), your binary will need to be setuid. This should make any security conscious administrator wary. * Also consider that scponly will only execute AFTER sshd has authenticated the remote user. Given this, you should be able to rest a little easier knowing that utilizing scponly will not open you up to impersonal vulnerability subnet scans. * If you are still unsure, read the code. There is a seteuid() function call that ensures that the execution of any commands is never done with an effective uid of 0. * scponly will check the permissions of the directory it is about to chroot into unless --disable-chroot-checkdir is used at confiuration time. This is to prevent chroot-ing into a user writable directory. * Lastly, I make no guarantees that this code is unexploitable. Any system administrator utilizing scponly bears the full responsibility for maintaining a secure system. * Without chroot() functionality, scponly still functions just fine. However, most all files on any root filesystem for any default installation are globally readable. * installing scponly with chroot could incur some pretty hairy troubleshooting. The binaries and libraries must be set up properly in the chroot subdirectories properly. Configure Your Installation There are only a handful of options to configure scponly. Please consult the features and capabilities page for detailed information on all of them. For most installations, you will only need one or two, typically --enable-chrooted-binary. Build The Binaries This is the easy part, type "make". Install The Binaries Type "make install". This will install your manpage and scponly binary/binaries. Edit /etc/shells If you have not already done so, add "scponly" to your /etc/shells file, including the full pathname. If you are using a chrooted scponly install, you should add "scponlyc", also including full pathname. Create/Edit A User Use your system's adduser or pw command to create the user. Consult the documentation for those commands as neccesary. Set the default shell to the full pathname of your scponly binary. If you want chroot functionality, the name of the shell is "scponlyc", otherwise it is "scponly". This could look something like: adduser -d /pub -s /usr/local/bin/scponly scpdemo or for chrooted: adduser -d /pub -s /usr/local/sbin/scponlyc scpdemo Where the home directory is "/pub" and the username is "scpdemo". It is very important that the user's home directory be unwritable by the user, as a writable homedir will make it possible for users to subvert scponly by modifying ssh configuration files. If users complain about being unable to write into their homedir, there is a provision to specify both the chroot directory and a subdirectory of the chroot to chdir into: /home/userchroot//writable/subdir Everything before the // is the directory to chroot into and everything after the // is the subdir to chdir into after chrooting. Naturally, set the password for this user. Additional chroot Specific Steps It is advisable to read the additional documentation on Buildings Jails. You will need to install some directories, passwd files, libraries and binaries in your chroot path so that scponly has something to invoke when it comes time to execute the remote request. I have added the script that performs most setup for chroot. You can run it with: make jail Please be aware that chroot installation varies WIDELY from system to system. check in the build_extras directory if make jail has failed you. That's it, you're done! Additional Installation Notes Some operating systems (notably redhat 9), use a shell script for the groups command. Though groups is an allowable command, the "#!/bin/sh" interpreter specification at the beginning of this script will attempt to load /bin/sh, which is not available in the chrooted jail. This is only a problem when you are also using WinSCP compatibiliy, because WinSCP will attempt to run "groups" upon connection initialization. You have three choices: * you can either put /bin/sh in your jail, which is a security problem * you can deselect "lookup user groups" in the WinSCP configuration * you can "make groups" using the provided groups.c and move the fake groups program into your chroot. - There are additional notes and scripts in the "build_extras" directory of the diistribution for specific platforms