Easy SFTP and chroot SFTP with Scponly

Howto: Easy SFTP and chroot SFTP with Scponly

Hi everyone,

I was getting some problems to get scponly installed. I’ve searched through the forum, but didn’t found any solution. Now I got it working, so I’m posting how I got Scponly installed and working.

Scponly for transferring files securely with ssh, but the user doesn’t have a shell, so he only can transfer files. He cannot execute anything in the server.

There are 2 shells, one normal (scponly), that allows users to transfer files and see all the system files, but can’t execute anything. The other one is scponlyc, the chroot version (the user is locked inside his home folder). Now here we go.

Install the scponly package in the server machine:

Code:

sudo apt-get install scponly

Normal SFTP

Change the shell of the user:

Code:

sudo chsh -s /usr/bin/scponly username

Test it from the remote machine:

Code:

sftp username@server

Painless

Chroot SFTP:

Reconfigure the scponly package so that scponlyc (the chroot version) is activated:

Code:

sudo dpkg-reconfigure -plow scponly

Answer “Yes”. Now setup the chroot scponly user using the setup_chroot script included to do it. It can’t be an existing user, and don’t create him with adduser. He will be created by the setup_chroot script:

Code:

cd /usr/share/doc/scponly/setup_chroot
sudo gunzip setup_chroot.sh.gz
sudo chmod +x setup_chroot.sh
sudo ./setup_chroot.sh

To make this simpler, lets accept the default answers (scponly for username and home folder). At the end, create the password of scponly user.

Scponlyc has a “bug” and don’t work out of the box (https://lists.ccs.neu.edu/pipermail/…er/001692.html). The message is about FreeBSD, but it happens in Linux/Ubuntu too, at least with me. You have to create /dev/null in scponly chroot home folder. Thanks to revertex, the right way to do this is:

Code:

sudo -i
cd /home/scponly

mkdir /home/scponly/dev
mknod -m 666 /home/scponly/dev/null c 1 3

exit

Now test it from the remote computer:

Code:

sftp scponly@server

If you login, it worked. You only can upload files to the “incoming” folder. You can’t leave scponly chroot home, and you cannot execute anything from the server system.

This was suggested by revertex:

To provide access to files that are outside the scponly homedir root jail, bind mount option should be handy.

As example, supose you have a dir /mnt/stuff and want to provide access to a chrooted scponly user.

Code:

Code:

mkdir /home/scponly/stuff

mount -o bind /mnt/stuff /home/scponly/stuff

and to make this permanent, edit your /etc/fstab and add something like

Code:

Code:

 /mnt/stuff   /home/scponly/stuff   none   rw,bind   0 0

change rw,bind to ro,bind to read only access.

Tested in Ubuntu Feisty 7.04. I think it works on other versions with no or few changes.

I Hope this works for you to.

__________________
Anything that can happen, will happen if…

http://ubuntu.no.sapo.pt

mkdir /home/scponly/dev
mknod -m 666 /home/scponly/dev/null c 1 3

#3 June 6th, 2007

epimeteo A Carafe of Ubuntu Join Date: Nov 2005 Location: Portugal Beans: 177 Ubuntu 7.04 Feisty Fawn User

Re: Howto: Easy SFTP and chroot SFTP with Scponly Your welcome, revertex. And thank you for your suggestion for creating de /dev/null device as it should. Edited and corrected __________________ Anything that can happen, will happen if… http://ubuntu.no.sapo.pt