scponly, the Alanis Morissette of FreeBSD ports.

scponly is ironic

iMarc has abandoned the insecure FTP, in favor of SFTP. On our FreeBSD systems, we implement a port called scponly for users to transfer files over SFTP in a chroot'ed environment, without giving them SSH or terminal access.

Even though the port is called scponly, it also supports SFTP. In fact, I've only tested it using SFTP, not scp. Normally, it's very easy to set up.

However, on a new FreeBSD 6.2 server, we ran into some problems. We had one working scponly server (running FreeBSD 5.x) and a broken scponly installation running on the 6.2 server. The broken installation would allow scponly connections, but immediately drop them before transfer. To test, we turned error reporting up to eleven and manually pushed a file to each server using scp.

scp foo.txt user@example.com:incoming/

On both servers this errored out, closing the connection immediately. Using SFTP worked fine on the working server, but scp didn't work on either server. Odd...

After some investigation, Will found out that scponly does NOT support scp by default.

From scponly's wiki:

The new release of scponly-4.2 has:
no support for scp by default...

Excellent! In fact, reading this inspired me to write a program called calculatoronly that does not support numeric calculations by default.

The Fix

Back to our original problem... if you're running FreeBSD 6.2 and setting up scponly chroot'ed users, the port doesn't create all the files that the new FreeBSD scp binary requires. I'm sure they'll fix this soon, but in the meantime you can create these files manually:

# run the scponly chroot script as you normally would
su
cd /usr/local/share/examples/scponly/ && /bin/sh setup_chroot.sh
# ... create the account as you normally would

# manually make these files if you're on FreeBSD 6.2
# replace /home/USER with the path to the account you just made
# (touch creates a regular file named null, not a device node)
mkdir /home/USER/dev
touch /home/USER/dev/null
chmod 0666 /home/USER/dev/null
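One way to check the result of the steps above, as an added example that is not from the original post or the scponly port: a small sh function (check_chroot_devnull is a hypothetical name) that reports whether dev/null inside the account's home exists, what kind of file it is, and whether it has mode 0666. It also flags a non-empty regular file, since touch creates an ordinary file that keeps whatever is written to it.

```sh
#!/bin/sh
# Added example (not from the original post): audit the dev/null entry
# that the manual fix creates inside an scponly chroot.
# Prints one status word and returns a matching exit code:
#   0 ok-device   real character device with mode 0666
#   0 ok-file     regular, empty, mode 0666 file (the touch workaround)
#   1 missing     dev/ or dev/null absent, so scp has nothing to open
#   2 bad-mode    present but not mode 0666
#   3 not-empty   regular file that has collected writes
#   4 bad-type    symlink, directory, or anything else
check_chroot_devnull() {
    home=$1                      # chroot home, e.g. /home/USER
    null="$home/dev/null"

    if [ ! -d "$home/dev" ] || { [ ! -e "$null" ] && [ ! -L "$null" ]; }; then
        echo missing; return 1
    fi
    # Refuse symlinks first: the -f and -c tests below follow links
    if [ -L "$null" ]; then echo bad-type; return 4; fi

    # Permission bits from ls, portable across BSD and GNU userlands
    perms=$(ls -ld "$null" | cut -c2-10)
    if [ -c "$null" ]; then
        [ "$perms" = "rw-rw-rw-" ] || { echo bad-mode; return 2; }
        echo ok-device; return 0
    fi
    if [ -f "$null" ]; then
        [ "$perms" = "rw-rw-rw-" ] || { echo bad-mode; return 2; }
        # An ordinary file stores what is written to it, unlike a device
        if [ -s "$null" ]; then echo not-empty; return 3; fi
        echo ok-file; return 0
    fi
    echo bad-type; return 4
}
```

Call it as check_chroot_devnull /home/USER after creating each account.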

But, since scponly only supports sftp, don't use it to scp files. Obviously.

Comments

Thursday, Feb 8, 2007 / 4:29pm Will Bond said…

"and, yeah, I really do think"

Thursday, Feb 8, 2007 / 4:51pm Fred LeBlanc said…

This metaphor is a limo.

Thursday, Feb 8, 2007 / 5:42pm Sunflower Seed said…

Fr3d teh p4rty POOP3r


Meet The Author

Dave Tufts

Vice President, Director of Technology
