Thursday, January 20, 2011

scponly worked but didn't chroot the home folder; the user can still browse the entire server.

So I followed the "Chroot and Debian" tutorial in http://sublimation.org/scponly/wiki/index.php/FAQ

Then when I log into user "upload" via ssh I have no access to the command line (this is what I wanted).

But then when I SFTP into the upload user I can still see all the root files (/); it didn't chroot me to just /home/upload. What's going on?

….

I added this to the end of my /etc/ssh/sshd_config file, then did a restart

Subsystem sftp internal-sftp

UsePAM yes

Match User upload
    ChrootDirectory /home/upload
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Then when I log into sftp I can only see my upload folder (this is what I want), but now scp doesn't work :P

SCP will accept my password then:

debug1: Next authentication method: password
upload@10.10.10.2's password: 
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_NZ.UTF-8
debug1: Sending command: scp -v -t /test

It will hang on that last debug message.

Any help would be greatly appreciated.

Note, running Debian Lenny

  • You are not using scponly here. You have restricted the user upload to using SFTP, so you can't use scp on that account since scp relies on an interactive shell or at least a shell which supports certain commands (like scponly or rssh).

    Use sftp or another SFTP client (e. g. lftp) to access that account or remove the ForceCommand and ChrootDirectory directives from your sshd_config.

    Mint : I don't want to use sftp as I don't need human interaction, I just need it for a script to transfer a file or two to the server now and then. From what I've read scp is the ideal tool for that. Oh and when I take out the chroot made by sshd I get full access to all my directories, I'll try to compile scponly as suggested below but I fear it won't help.
    joschi : SFTP is just a protocol. Clients like `lftp` also support non-interactive modes. And even `sftp` (OpenSSH's SFTP client) supports batch mode (see parameter `-b`).
    Mint : Yeah I know, but I still like scp, as it's supposed to be somewhat faster at copying.
    joschi : I really doubt that `scp` is faster than `sftp`. Nevertheless, I've already described in the last paragraph of my answer what you have to do to make `scp` work again.
    Mint : Yeah, scponly works fine via apt-get install on my test server, but didn't on the live one… So I might re-install the live one and see how it goes from there.
    From joschi
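Scripting the transfer with sftp batch mode, as joschi suggests, is an added example and not code from the thread; the host, user, remote directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): scripted upload through the
# chrooted, SFTP-only "upload" account using sftp batch mode instead of scp.
# With "ForceCommand internal-sftp", sshd replaces the "scp -t" command that the
# scp client sends with internal-sftp, so scp waits forever for a peer that is
# speaking a different protocol. sftp -b speaks SFTP, which is what the server runs.

# build_sftp_batch REMOTE_DIR FILE... : print the batch commands for sftp -b.
# Remote paths are relative to the chroot root (/home/upload on disk). Because
# sshd requires ChrootDirectory to be root-owned and not writable by others,
# uploads go into a subdirectory owned by the upload user (here "/incoming").
build_sftp_batch() {
    remote_dir=$1
    shift
    printf 'cd "%s"\n' "$remote_dir"
    for f in "$@"; do
        printf 'put "%s"\n' "$f"
    done
    printf 'bye\n'
}

# sftp_put USER@HOST REMOTE_DIR FILE... : run the upload non-interactively.
# Batch mode cannot prompt for a password, so the account needs key-based
# authentication; BatchMode=yes makes a missing key fail fast instead of hanging.
sftp_put() {
    target=$1
    remote_dir=$2
    shift 2
    batch=$(mktemp) || return 1
    build_sftp_batch "$remote_dir" "$@" > "$batch"
    sftp -o BatchMode=yes -b "$batch" "$target"
    rc=$?
    rm -f "$batch"
    return $rc
}

# Usage (hypothetical host and files):
# sftp_put upload@10.10.10.2 /incoming report.csv photo.jpg
```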
  • scponly supports chroot natively. There are compile-time options to enable it, particularly --enable-chrooted-binary. scponly will need the SUID bit to enable chroot.

    If already compiled, you will have the binary file scponlyc available on your filesystem.

    There are also limitations as to the usefulness of chroot as a security solution.

    Mint : So I have to compile scponly with chroot? I can't enable it from an apt-get install? I chose yes when this message came up when installing scponly via apt-get: http://img.skitch.com/20100302-s1xjtmmdsgitcgi76y7yqu4gr.png
    Warner : Sounds/looks like that will cover you, Mint.
    From Warner
