scponly Installation Instructions:
http://sublimation.org/scponly
joe@sublimation.org
Installing scponly is not difficult. It is not trivial either so I
advise reading the instructions carefully. Keep in mind, you CAN
use scponly as a setuid binary, which should warrant caution.
Step 1. Decide if you want to use chroot() functionality.
If you dont know what this step means, consult "man chroot".
If you still dont understand this question, you should not
use chroot() functionality. Go to step 2.
Otherwise, consider the following:
- If you do use chroot(), your binary will need to be setuid. This
should make any security conscious administrator wary.
- Also consider that scponly will only execute AFTER sshd has
authenticated the remote user. Given this, you should be
able to rest a little easier knowing that utilizing scponly
will not open you up to impersonal vulnerability subnet scans.
- If you are still unsure, read the code. There is a seteuid
that ensures that the execution of any commands is
never done with an effective uid of 0.
- scponly will check the permissions of the directory it is
about to chroot into unless --disable-chroot-checkdir is used
at confiuration time. This is to prevent chroot-ing into a
user writable directory.
- Lastly, I make no guarantees that this code is unexploitable.
Any system administrator utilizing scponly bears the full
responsibility for maintaining a secure system. (see 18/08/02
CHANGELOG!)
- Without chroot() functionality, scponly still functions just
fine. However, most all files on any root filesystem for any
default installation are globally readable.
- installing scponly with chroot could incur some pretty hairy
troubleshooting. The binaries and libraries must be set
up properly in the chroot subdirectories properly.
Step 2. Configure your installation.
There are only a handful of options to configure scponly.
Some to note:
--enable-chrooted-binary
This option configures additional compile and install parameters
that will set your scponly installation to handle chrooted scponly
users. By default, chrooted scponly binaries are not built.
--disable-wildcards
The wildcard processing is new and although I know of no
vulnerabilities, the especially paranoid may wish to disable
this feature. Also note, it only relates to "scp" transfers,
and not "sftp", which handles its own wildcards. By default,
wildcards are enabled.
--disable-scp-compat
--disable-sftp
--disable-winscp-compat
"scp" or "sftp" can be excluded altogether at compile time
if you know you will not be using one or the other at all.
If you do not wish to support WinSCP 2.0 compatibility, you
can specify the disable option, which will exclude that
functionality. This is for especially paranoid folks that
do not like the interactive nature of a WinSCP session.
By default, WinSCP 2.0 compatibility is compiled in.
--disable-restrictive-names
Turning off filename checks will disable checking of the
scp arguments. Historically, these arguments were checked for
shell metacharacters, but these checks are no longer
required. (However, I leave to option to disable turned off
by default until a later release.)
Other options can be seen using "./configure --help"
Step 3. Build the binaries.
This is the easy part, type "make".
Step 4. Install the components.
Type "make install".
This will install your manpage and scponly binary.
Step 5. Edit /etc/shells
If you have not already done so, add "scponly" to your /etc/shells
file, including the full pathname. If you are using a chrooted
scponly install, you should add "scponlyc", also including full
pathname.
Step 6. Create/Edit a user intended for scponly use.
Use your system's "adduser" command to create the user.
Set the default shell to the full pathname of your scponly
binary. If you want chroot functionality, the name of the
shell is "scponlyc", otherwise it is "scponly".
This could look like:
adduser -d /pub -s /usr/bin/scponly scpdemo
or for chrooted:
adduser -d /pub -s /usr/sbin/scponlyc scpdemo
Where the home directory is "/pub" and the username is "scpdemo".
It is very important that the user's home directory be unwritable
by the user, as a writable homedir will make it possible for users
to subvert scponly by modifying ssh configuration files.
If users complain about being unable to write into their homedir,
there is a provision to specify both the chroot directory and a
subdirectory of the chroot to chdir into:
/home/userchroot//writable/subdir
Everything before the // is the directory to chroot into and everything
after the // is the subdir to chdir into after chrooting.
Naturally, set the password for this user.
ADDITIONAL STEPS FOR CHROOT-ENABLED INSTALLATIONS ONLY:
Step 7. You will need to install some directories, passwd files,
libraries and binaries in your chroot path so that scponly has
something to invoke when it comes time to execute the remote
request.
I have added the script that performs most setup for chroot:
You can run it with:
make jail
Please be aware that chroot installation varies WIDELY from
system to system. check in the build_extras directory if
make jail has failed you.
Also see the BUILDING_JAILS.TXT document in this source package
for additional help. Good luck!
That's it, you're done!
Additional Installation notes:
- Some operating systems (notably redhat 9), use a shell script for
the "groups" command. Though "groups" is an allowable command, the
"#!/bin/sh" interpreter specification at the beginning of this script
will attempt to load /bin/sh, which is not available in the chrooted
jail. This is only a problem when you are also using WinSCP compatibiliy,
because WinSCP will attempt to run "groups" upon connection initialization.
You have three choices:
- you can either put /bin/sh in your jail, which is a security problem
- you can deselect "lookup user groups" in the WinSCP configuration
- you can "make groups" using the provided groups.c and move the fake
groups program into your chroot.
- There are additional notes and scripts in the "build_extras" directory
for specific platforms
