
chrooting with mkscproot and scponly - clearing up

  • Ben Pollinger
    Message 1 of 6 , Nov 27, 2007
      Hello all,

      I have been trying the mkscproot script from
      http://www.nslu2-linux.org/wiki/Optware/Scponly

      The wiki page is a bit confusing so I'd like to clear some things up
      and rewrite it a bit. First I'll explain what I've done.

      mkscproot -u testuser is not quite enough to get a working account. I
      need to do the following, as stated at the end of the above wiki page:

      cd /home/testuser_root
      chmod 755 ./bin/* ./lib/* ./usr/bin/scp ./usr/libexec/openssh/sftp-server
      chmod 644 ./etc/* ./usr/lib/libcrypto.so.0.9.7 ./usr/lib/libz.so.1.2.3
      chmod 755 ./bin ./etc
      cp -p ./usr/libexec/openssh/sftp-server ./usr/lib


      I also need to create a SSH key as per
      http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess

      I export my private key to Pageant and put my public key in
      /home/testuser_root/testuser/.ssh/authorized_keys

      Then chmod -R og= /home/testuser_root/testuser/.ssh

      I can then connect with WinSCP and Pageant to do the SSH authorisation.

      Within WinSCP my root dir is testuser_root so I can see subdirs bin,
      dev, etc and so on

      Is this right? Can I chmod any of this to make it less accessible?

      Also, by default, new users are made in /home - on my slug, this is a
      small flash drive, so I want a new user's chroot space on my bigger
      hard disk - e.g. /share/flash/data/home/testuser_root/

      Can the mkscproot script do this with another switch?

      Thanks,
      Ben
    • Marcel Nijenhof
      Message 2 of 6 , Nov 28, 2007
        On Wed, 2007-11-28 at 01:27 +0000, Ben Pollinger wrote:

        >
        > I have been trying the mkscproot script from
        > http://www.nslu2-linux.org/wiki/Optware/Scponly
        >
        > The wiki page is a bit confusing so I'd like to clear some things up
        > and rewrite it a bit. First I'll explain what I've done.
        >
        > mkscproot -u testuser is not quite enough to get a working account.

        Which firmware did you use?
        Which version of scponly?
        Which ssh server software do you use?
        Did you see a warning that your firmware wasn't supported?

        > I need to do the following, as stated at the end of the above wiki
        > page:
        >
        > cd /home/testuser_root
        > chmod 755 ./bin/* ./lib/* ./usr/bin/scp ./usr/libexec/openssh/sftp-server
        > chmod 644 ./etc/* ./usr/lib/libcrypto.so.0.9.7 ./usr/lib/libz.so.1.2.3
        > chmod 755 ./bin ./etc
        > cp -p ./usr/libexec/openssh/sftp-server ./usr/lib

        Probably this is the combination of:
        openslug
        openssh-sshd, openssh-sftp 4.0p1-r10 (from openslug)

        I have tested 3 configurations (from well tested to less tested):
        unslung + openssh
        openslug + dropbear
        openslug + openssh 4.7p1-1 (from optware for openslug)

        Probably the combination of openslug and the native openembedded ssh
        daemon doesn't work.

        Can you confirm that you use that combination?

        > I also need to create a SSH key as per
        > http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess

        You don't need to do that!

        You are able to use normal passwords as well.
        You can argue that it is easier and safer with keys but it's
        not a hard requirement.

        > Within WinSCP my root dir is testuser_root so I can see subdirs bin,
        > dev, etc and so on
        >
        > Is this right?

        Yes.

        > Can I chmod any of this to make it less accessible?

        No.

        You need to have access to these directories/files otherwise some
        functions won't work.

        >
        > Also, by default, new users are made in /home - on my slug, this is a
        > small flash drive, so I want a new user's chroot space on my bigger
        > hard disk - e.g. /share/flash/data/home/testuser_root/
        >
        > Can the mkscproot script do this with another switch?

        You are able to use the "-r" option for the "chrooted" location.

        # /tmp/mkscproot -H

        mkscproot [-n] [-r root] [-h <home>] -u <user>

        Example:
        mkscproot -u scponly

        Don't use other options unless you know what you do!!

        --
        marceln
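
Added example (not part of the original thread, and not code from mkscproot or scponly): a POSIX shell check that a chroot tree such as /home/testuser_root still carries the modes quoted in the two messages above, with nothing outside the user's home group/other-writable, the scp/sftp helpers executable, and .ssh closed to group and other. The function name `audit_scproot` and the `WRITABLE` / `NOT-EXEC` / `SSH-OPEN` labels are made up for this example.

```shell
#!/bin/sh
# Added example, not part of mkscproot or scponly.
# Usage: sh audit_scproot.sh /home/testuser_root testuser

audit_scproot() {
    root=${1%/} user=$2 rc=0
    home="$root/$user"

    # 1. Outside the user's home, no regular file or directory may be
    #    group/other-writable (the thread uses 755 and 644 there), so the
    #    jailed account cannot alter the binaries, libraries or ./etc files.
    #    Device nodes under ./dev are skipped; ownership is not checked.
    bad=$(find "$root" -path "$home" -prune -o \( -type f -o -type d \) \
              \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] || { echo "$bad" | sed 's/^/WRITABLE /'; rc=1; }

    # 2. The transfer helpers named in the thread must stay readable and
    #    executable (755), including the sftp-server copy in ./usr/lib.
    #    A missing file is reported the same way.
    for f in usr/bin/scp usr/libexec/openssh/sftp-server usr/lib/sftp-server; do
        ok=$(find "$root/$f" -prune -perm -005 -print 2>/dev/null)
        [ -n "$ok" ] || { echo "NOT-EXEC $root/$f"; rc=1; }
    done

    # 3. "chmod -R og=": nothing under .ssh may carry any group/other bit.
    if [ -d "$home/.ssh" ]; then
        open=$(for bit in 040 020 010 004 002 001; do
                   find "$home/.ssh" ! -type l -perm -"$bit" -print
               done | sort -u)
        [ -z "$open" ] || { echo "$open" | sed 's/^/SSH-OPEN /'; rc=1; }
    fi
    return $rc
}

if [ "$#" -ge 2 ]; then audit_scproot "$1" "$2"; fi
```

The function prints one line per finding and returns 1 if there was any, so it can be run after each mkscproot or package upgrade.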
      • zzzz3n
        Message 3 of 6 , Mar 9, 2008
          --- In nslu2-general@yahoogroups.com, Marcel Nijenhof <nslu2@...> wrote:
          >
          > On Wed, 2007-11-28 at 01:27 +0000, Ben Pollinger wrote:
          >
          > >
          > > I have been trying the mkscproot script from
          > > http://www.nslu2-linux.org/wiki/Optware/Scponly
          > >
          > > The wiki page is a bit confusing so I'd like to clear some things up
          > > and rewrite it a bit. First I'll explain what I've done.
          > >
          > > mkscproot -u testuser is not quite enough to get a working account.
          >
          > Which firmware did you use?
          > Which version of scponly?
          > Which ssh server software do you use?
          > Did you see a warning that your firmware wasn't supported?
          >
          > > I need to do the following, as stated at the end of the above wiki
          > > page:
          > >
          > > cd /home/testuser_root
          > > chmod 755 ./bin/* ./lib/* ./usr/bin/scp ./usr/libexec/openssh/sftp-server
          > > chmod 644 ./etc/* ./usr/lib/libcrypto.so.0.9.7 ./usr/lib/libz.so.1.2.3
          > > chmod 755 ./bin ./etc
          > > cp -p ./usr/libexec/openssh/sftp-server ./usr/lib
          >
          > Probably this is the combination of:
          > openslug
          > openssh-sshd, openssh-sftp 4.0p1-r10 (from openslug)
          >
          > I have tested 3 configurations (from well tested to less tested):
          > unslung + openssh
          > openslug + dropbear
          > openslug + openssh 4.7p1-1 (from optware for openslug)
          >
          > Probably the combination of openslug and the native openembedded ssh
          > daemon doesn't work.
          >
          > Can you confirm that you use that combination?
          >
          > > I also need to create a SSH key as per
          > > http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess
          >
          > You don't need to do that!
          >
          > You are able to use normal passwords as well.
          > You can argue that it is easier and safer with keys but it's
          > not a hard requirement.
          >
          > > Within WinSCP my root dir is testuser_root so I can see subdirs bin,
          > > dev, etc and so on
          > >
          > > Is this right?
          >
          > Yes.
          >
          > > Can I chmod any of this to make it less accessible?
          >
          > No.
          >
          > You need to have access to these directories/files otherwise some
          > functions won't work.
          >
          > >
          > > Also, by default, new users are made in /home - on my slug, this is a
          > > small flash drive, so I want a new user's chroot space on my bigger
          > > hard disk - e.g. /share/flash/data/home/testuser_root/
          > >
          > > Can the mkscproot script do this with another switch?
          >
          > You are able to use the "-r" option for the "chrooted" location.
          >
          > # /tmp/mkscproot -H
          >
          > mkscproot [-n] [-r root] [-h <home>] -u <user>
          >
          > Example:
          > mkscproot -u scponly
          >
          > Don't use other options unless you know what you do!!
          >
          > --
          > marceln
          >

          Ben and Marcel,

          I'm using unslung 6.10 and openssh. The mkscproot script made a new
          user as it should, but I'm not able to scp-login with that user even
          after I did the steps that Ben had to do, to be able to work with the
          new scp-user. Any hints??
        • zzzz3n
          Message 4 of 6 , Mar 9, 2008
            --- In nslu2-general@yahoogroups.com, Marcel Nijenhof <nslu2@...> wrote:
            >
            > On Wed, 2007-11-28 at 01:27 +0000, Ben Pollinger wrote:
            >
            > >
            > > I have been trying the mkscproot script from
            > > http://www.nslu2-linux.org/wiki/Optware/Scponly
            > >
            > > The wiki page is a bit confusing so I'd like to clear some things up
            > > and rewrite it a bit. First I'll explain what I've done.
            > >
            > > mkscproot -u testuser is not quite enough to get a working account.
            >
            > Which firmware did you use?
            > Which version of scponly?
            > Which ssh server software do you use?
            > Did you see a warning that your firmware wasn't supported?
            >
            > > I need to do the following, as stated at the end of the above wiki
            > > page:
            > >
            > > cd /home/testuser_root
            > > chmod 755 ./bin/* ./lib/* ./usr/bin/scp ./usr/libexec/openssh/sftp-server
            > > chmod 644 ./etc/* ./usr/lib/libcrypto.so.0.9.7 ./usr/lib/libz.so.1.2.3
            > > chmod 755 ./bin ./etc
            > > cp -p ./usr/libexec/openssh/sftp-server ./usr/lib
            >
            > Probably this is the combination of:
            > openslug
            > openssh-sshd, openssh-sftp 4.0p1-r10 (from openslug)
            >
            > I have tested 3 configurations (from well tested to less tested):
            > unslung + openssh
            > openslug + dropbear
            > openslug + openssh 4.7p1-1 (from optware for openslug)
            >
            > Probably the combination of openslug and the native openembedded ssh
            > daemon doesn't work.
            >
            > Can you confirm that you use that combination?
            >
            > > I also need to create a SSH key as per
            > > http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess
            >
            > You don't need to do that!
            >
            > You are able to use normal passwords as well.
            > You can argue that it is easier and safer with keys but it's
            > not a hard requirement.
            >
            > > Within WinSCP my root dir is testuser_root so I can see subdirs bin,
            > > dev, etc and so on
            > >
            > > Is this right?
            >
            > Yes.
            >
            > > Can I chmod any of this to make it less accessible?
            >
            > No.
            >
            > You need to have access to these directories/files otherwise some
            > functions won't work.
            >
            > >
            > > Also, by default, new users are made in /home - on my slug, this is a
            > > small flash drive, so I want a new user's chroot space on my bigger
            > > hard disk - e.g. /share/flash/data/home/testuser_root/
            > >
            > > Can the mkscproot script do this with another switch?
            >
            > You are able to use the "-r" option for the "chrooted" location.
            >
            > # /tmp/mkscproot -H
            >
            > mkscproot [-n] [-r root] [-h <home>] -u <user>
            >
            > Example:
            > mkscproot -u scponly
            >
            > Don't use other options unless you know what you do!!
            >
            > --
            > marceln
            >
            Hi Ben, hi Marcel!

            Still doesn't work for me after Ben's workaround.
            Configuration:

            -openssh - 4.7p1-2
            -unslung 6.10
            -scponly - 4.6-5
            -created environment simply as described with mkscproot -u username

            best, slugzen
          • Marcel Nijenhof
            Message 5 of 6 , Mar 17, 2008
              On Sun, 2008-03-09 at 10:22 +0000, zzzz3n wrote:

              > Still doesn't work for me after Ben's workaround.
              > Configuration:
              >
              > -openssh - 4.7p1-2
              > -unslung 6.10
              > -scponly - 4.6-5
              > -created environment simply as described with mkscproot -u username

              I did some checking and found that scp works but that there are problems
              with "sftp". I will try to fix this.

              --
              marceln
            • Marcel Nijenhof
              Message 6 of 6 , Mar 19, 2008
                On Mon, 2008-03-17 at 23:22 +0100, Marcel Nijenhof wrote:

                > > -scponly - 4.6-5

                This problem should be fixed in 4.6-6.

                --
                marceln