
Bug #7012

scponly shipped with pfSense does not work with Linux scp

Added by Kill Bill 7 months ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Operating System
Target version:
Start date: 12/15/2016
Due date:
% Done: 100%
Affected version: All
Affected Architecture: All

Description

Dunno guys how you compiled this, but scp does not work. Never worked in fact, as discussed at https://forum.pfsense.org/index.php?topic=73150.0

SFTP works without any problems. Tested with Debian stable and Ubuntu 16 LTS. Looking at pkg info scponly, I can see:

Options        :
        CHROOT         : off
        DEFAULT_CHDIR  : off
        DOCS           : off
        GFTP           : off
        RSYNC          : off
        SCP            : off
        SVN            : off
        SVNSERVE       : off
        UNISON         : off
        WILDCARDS      : on
        WINSCP         : off

I'd personally blame SCP: off for the breakage. And on that note, not disabling WINSCP compatibility would be nice as well.

Associated revisions

Revision ef76f693
Added by Jim Pingle 7 months ago

Set proper options for scponly. Fixes #7012

Revision 40daa7a5
Added by Jim Pingle 7 months ago

Set proper options for scponly. Fixes #7012

Revision 157c9f13
Added by Jim Pingle 7 months ago

Set proper options for scponly. Fixes #7012

History

#1 Updated by Kill Bill 7 months ago

Session output with SCP (broken):

# scp -v -P 22 backup@gw.example.com:/cf/conf/config.xml "/backups/pfsense/config.xml" 
Executing: program /usr/bin/ssh host gw.example.com, user backup, command scp -v -f /cf/conf/config.xml
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for gw.example.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to gw.example.com [2001:470:dead:beef::1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/backup_id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/backup_id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to gw.example.com:22 as 'backup'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:FcnE5g89BZu3tCaUqaANXNNF7L2d12qbEvXbbH8W31o
debug1: Host 'gw.example.com' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /root/.ssh/backup_id_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
debug1: Authentication succeeded (publickey).
Authenticated to gw.example.com ([2001:470:dead:beef::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
debug1: Sending command: scp -v -f /cf/conf/config.xml
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 2092, received 1796 bytes, in 0.1 seconds
Bytes per second: sent 32182.7, received 27629.1
debug1: Exit status 1

Session output with SFTP (working)

# sftp -v -P 22 backup@gw.example.com:/cf/conf/config.xml "/backups/pfsense/config.xml" 
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 1: Applying options for gw.example.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to gw.example.com [2001:470:6f:dead:beef::1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/backup_id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/backup_id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to gw.example.com:22 as 'backup'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-ed25519 SHA256:FcnE5g89BZu3tCaUqaANXNNF7L2d12qbEvXbbH8W31o
debug1: Host 'gw.example.com' is known and matches the ED25519 host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering ED25519 public key: /root/.ssh/backup_id_ed25519
debug1: Server accepts key: pkalg ssh-ed25519 blen 51
debug1: Authentication succeeded (publickey).
Authenticated to gw.example.com ([2001:470:6f:dead:beef::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_GB.UTF-8
debug1: Sending subsystem: sftp
Connected to gw.example.com.
Fetching /cf/conf/config.xml to /root/backups/pfsense/config.xml
/cf/conf/config.xml    100% 1614KB   1.6MB/s   00:00
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Transferred: sent 4708, received 1659188 bytes, in 0.3 seconds
Bytes per second: sent 15345.5, received 5408029.5
debug1: Exit status 0

#2 Updated by Jim Pingle 7 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Jim Pingle 7 months ago

  • Assignee set to Jim Pingle

I pushed a change to fix the options up, so it'll come through with the next update. pkg is smart enough to pick up that the options changed and it needs a nudge on the client side. I enabled CHROOT, SCP, WILDCARDS and WINSCP.

I would have enabled RSYNC but that made it pull in rsync as an extra dependency which would have added to the base system size.
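One way to confirm on a box that the package now carries the options named above (and that SCP is no longer off, the cause the description blames), as an added example that is not part of this ticket or of pfSense: a POSIX shell check that parses the "Options" block of pkg info scponly. The function names and the sample pkg info text are assumptions of this example; the sample is constructed to mimic the broken build from the description.

```sh
#!/bin/sh
# Added example, not from the pfSense ticket or package: verify that the
# installed scponly was built with the options the fix turns on.

# Options enabled by the fix (comment #3). SCP is the one plain scp needs.
REQUIRED_OPTS="SCP WINSCP WILDCARDS CHROOT"

# Read `pkg info scponly` text on stdin and print the value (on/off) of the
# option named in $1 from the "Options :" block, or "missing" if absent.
scponly_opt_value() {
    awk -v opt="$1" '
        /^Options/            { inopts = 1; next }
        inopts && NF == 0     { inopts = 0 }
        inopts && $1 == opt && $2 == ":" { print $3; found = 1; exit }
        END                   { if (!found) print "missing" }'
}

# Report every required option that is not "on". Takes the pkg info text as
# $1 (so it can be fed a captured sample); returns 1 if anything is off.
scponly_check_opts() {
    rc=0
    for opt in $REQUIRED_OPTS; do
        val=$(printf '%s\n' "$1" | scponly_opt_value "$opt")
        if [ "$val" != "on" ]; then
            echo "$opt is $val"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mimicking the broken build from the ticket description;
# on a real box use:  scponly_check_opts "$(pkg info scponly)"
BROKEN_PKGINFO='Name           : scponly
Options        :
        CHROOT         : off
        DEFAULT_CHDIR  : off
        SCP            : off
        WILDCARDS      : on
        WINSCP         : off

Annotations    :'

if scponly_check_opts "$BROKEN_PKGINFO"; then
    echo "scponly options look right; scp should work"
else
    echo "scponly was built without SCP; scp will exit 1, sftp still works"
fi
```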

#4 Updated by Kill Bill 7 months ago

Yeah, thanks. I'll test in a while. (As for the chroot, that's going to need some pfSense code changes: adding a separate priv, setting the user shell to /usr/local/bin/scponlyc; plus I'm not sure if you still also need the minimal chroot structure under $HOME. There used to be some example setup_chroot.sh script shipped with docs; it's been a while since I touched this thing.)

#5 Updated by Jim Pingle 7 months ago

Yeah, it would need some extra bits, but that can all be done by hand if the user really wants it; it doesn't hurt to have the option enabled for now. The script to set up the chroot is still shipped with the package.

#6 Updated by Kill Bill 7 months ago

Agree. I might do a PR eventually when I get bored.

(All this also could be done with OpenSSH "natively", but it seems way more convoluted [1] -- plus there's the syslogd chrooted socket issue, not sure whether there's code for this already in pfSense, but the whole thing sounds like a royal PITA.)

[1] https://forums.freebsd.org/threads/52408/

#7 Updated by Kill Bill 7 months ago

Jim Pingle wrote:

I pushed a change to fix the options up, so it'll come through with the next update. pkg is smart enough to pick up that the options changed and it needs a nudge on the client side. I enabled CHROOT, SCP, WILDCARDS and WINSCP.

Works! 8-)

#8 Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Resolved

Thanks for testing!

#9 Updated by Kill Bill 7 months ago

Jim Pingle wrote:

Yeah, it would need some extra bits, but that can all be done by hand if the user really wants it; it doesn't hurt to have the option enabled for now. The script to set up the chroot is still shipped with the package.

Made a PR for the chroot priv: https://github.com/pfsense/pfsense/pull/3283 (sans the chroot setup; however, this shouldn't be much of a problem with /usr/local/etc/rc.d/scponlyc if people need it.)

#10 Updated by Jim Pingle 5 months ago

  • Target version changed from 2.4.0 to 2.3.3
