scponly, the Alanis Morissette of FreeBSD ports.

scponly is ironic

iMarc has abandoned the insecure FTP, in favor of SFTP. On our FreeBSD systems, we implement a port called scponly for users to transfer files over SFTP in a chroot'ed environment, without giving them SSH or terminal access.

Even though the port is called scponly, it also supports SFTP. In fact, I've only tested it using SFTP, not scp. Normally, it's very easy to set up.

However, on a new FreeBSD 6.2 server, we ran into some problems. We had one working scponly server (running FreeBSD 5.x) and a broken scponly installation running on the 6.2 server. The broken installation would allow scponly connections, but immediately drop them before transfer. To test, we turned error reporting up to eleven and manually pushed a file to each server using scp.

scp foo.txt user@example.com:incoming/

On both servers this errored out, closing the connection immediately. Using SFTP worked fine on the working server, but scp didn't work on either server. Odd...

After some investigation, Will found out that scponly does NOT support scp by default.

From scponly's wiki:

The new release of scponly-4.2 has:
no support for scp by default...

Excellent! In fact, reading this inspired me to write a program called calculatoronly that does not support numeric calculations by default.

The Fix

Back to our original problem... if you're running FreeBSD 6.2 and setting up scponly chroot'ed users, the port doesn't create all files that the new FreeBSD scp binary requires. I'm sure they'll fix this soon, but in the meantime you can create these files manually:

# run the scponly chroot script as you normally would
su
cd /usr/local/share/examples/scponly/ && /bin/sh setup_chroot.sh

# ... create the account as you normally would

# manually make these files if you're on FreeBSD 6.2
# replace /home/USER with the path to the account you just made
# (touch creates a regular file named null, not a character device,
#  so anything written to it is stored on disk)
mkdir /home/USER/dev
touch /home/USER/dev/null
chmod 0666 /home/USER/dev/null

But, since scponly only supports sftp, don't use it to scp files. Obviously.
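A check for the workaround above, as an added example that is not part of the original post; the function name check_chroot_devnull and its return codes are hypothetical, chosen here. It reports whether dev/null under an account's chroot is missing, a real character device, or the regular-file stand-in that touch creates, and how many bytes that stand-in has collected.

```shell
#!/bin/sh
# Added example, not from the original post.
# Audit dev/null inside a chroot'ed account directory.
# Return codes (hypothetical, defined for this example):
#   0 = character device, mode rw-rw-rw-
#   1 = dev/null is missing
#   2 = regular-file stand-in (as made by touch), mode rw-rw-rw-
#   3 = exists, but mode is not rw-rw-rw-
#   4 = symlink or some other file type
check_chroot_devnull() {
    null="$1/dev/null"

    # Check for a symlink first: -e follows links and would hide it.
    if [ -L "$null" ]; then
        echo "$null: symlink, resolves differently inside the chroot"
        return 4
    fi
    if [ ! -e "$null" ]; then
        echo "$null: missing"
        return 1
    fi

    # Columns 2-10 of ls -l are the permission bits on FreeBSD and Linux.
    perms=$(ls -ld "$null" | cut -c2-10)
    if [ "$perms" != "rw-rw-rw-" ]; then
        echo "$null: mode is $perms, expected rw-rw-rw-"
        return 3
    fi

    if [ -c "$null" ]; then
        echo "$null: character device, ok"
        return 0
    fi
    if [ -f "$null" ]; then
        # A regular file keeps everything written to it.
        size=$(wc -c < "$null" | tr -d ' ')
        echo "$null: regular-file stand-in, $size bytes accumulated"
        return 2
    fi
    echo "$null: unexpected file type"
    return 4
}

# Stand-alone use: sh check.sh /home/USER
if [ "$#" -gt 0 ]; then
    check_chroot_devnull "$1"
fi
```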

Comments

Thursday, Feb 8, 2007 / 4:29pm Will Bond said…

"and, yeah, I really do think"

Thursday, Feb 8, 2007 / 4:51pm Fred LeBlanc said…

This metaphor is a limo.

Thursday, Feb 8, 2007 / 5:42pm Sunflower Seed said…

Fr3d teh p4rty POOP3r

Meet The Author

Dave Tufts

Vice President, Director of Technology
