scponly provides a mechanism to enable secure file-access to a server, with marked improvement over FTP.
scponly can be set up in a) normal mode, whereby the user can see the whole of the server's file-system, or b) chroot’ed mode, whereby the user only sees the files the server administrator has granted access to. The latter is what I wanted, but there are a few extra steps required for 64-bit kernel servers.
- Install scponly:
    apt-get install scponly
- Enable chroot’ed support:
    dpkg-reconfigure -plow scponly
    cd /usr/share/doc/scponly/setup_chroot
- Uncompress the setup script:
    gunzip setup_chroot.sh.gz
- On line 82 of the script, add your ld.so path to the LDSO_LIST variable (/lib/ld-linux-x86-64.so.2 on mine)
- Add a section to create /dev/null within the chroot’ed environment, after the point where the targetdir is created (line 181):
    # create /dev/null (character device, major 1, minor 3) inside the chroot
    if [ ! -d "$targetdir/dev" ]; then
        $INSTALL_PATHNAME -d "$targetdir/dev"
        mknod -m 666 "$targetdir/dev/null" c 1 3
    fi
    # 64-bit binaries look for their loader under /lib64; point it at the chroot's /lib
    if [ ! -d "$targetdir/lib64" ]; then
        ln -s /lib "$targetdir/lib64"
    fi
- Run the script to create the user
- Use vipw to append ‘//incoming’ (or whatever you named it) to the user's home directory in /etc/passwd.
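To confirm the steps above took effect, the following check (an added example, not part of the original post or of scponly) reads a passwd entry and verifies the pieces this procedure creates. It assumes the home field has the form chroot-dir//start-dir; the function name and the sample entry are made up for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a chroot'ed scponly account from its passwd entry.
# Prints one line per problem; the return status is the number of problems.
# Assumption: the home field has the form <chroot dir>//<start dir>.
check_scponly_chroot() {
    entry=$1
    ldso=${2:-/lib/ld-linux-x86-64.so.2}   # loader path from the post; adjust per system
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    home=$(printf '%s\n' "$entry" | cut -d: -f6)   # field 6 = home directory
    case $home in
        *//*) ;;
        *) fail "home '$home' has no '//' marker"; return "$problems" ;;
    esac
    root=${home%%//*}   # before the first '//': the chroot directory
    sub=${home#*//}     # after it: directory entered inside the chroot

    [ -d "$root" ] || { fail "chroot dir $root missing"; return "$problems"; }
    [ -c "$root/dev/null" ] || fail "$root/dev/null is not a character device"
    # Symlinks may only resolve inside the chroot, so accept -L as well as -e.
    [ -e "$root$ldso" ] || [ -L "$root$ldso" ] || fail "loader $ldso not present under $root"
    [ -e "$root/lib64" ] || [ -L "$root/lib64" ] || fail "$root/lib64 missing"
    [ -d "$root/$sub" ] || fail "start directory /$sub missing under $root"
    return "$problems"
}

# Constructed sample entry (user name, ids and paths are made up).
# For a real account: check_scponly_chroot "$(getent passwd USERNAME)"
check_scponly_chroot 'alice:x:1001:1001::/home/alice//incoming:/usr/sbin/scponlyc' || true
```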
Whilst testing, it can be helpful to increase debug output in /var/log/auth.log by:
- changing LogLevel in /etc/ssh/sshd_config from INFO to DEBUG
- changing the debug level in /etc/scponly/debuglevel from 0 to 2
Enjoy!