Created attachment 1838
strace -f -F -o sftp.log -s128 -p <sshd pid>

Sftp doesn't work with scponly with debuglevel (echo 2 > /etc/scponly/debuglevel); if debuglevel is set to 0 then sftp works.

I think that the problem begins on line 1645:

    1645 31404 pipe([11, 12]) = 0
    1646 31404 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7c5c728) = 31405
    1671 31405 close(11 <unfinished ...>
    1690 31404 close(11 <unfinished ...>
    1898 31405 writev(2, [{"scponly[31405]: chrooted binary in place, will chroot()", 55}, {"\n", 1}], 2) = -1 EPIPE (Broken pipe)
    1899 31405 --- SIGPIPE (Broken pipe) @ 0 (0) ---

See the full strace log in the attachment.

The behavior of sftp is sometimes random: I have reproduced it with scponly in chroot; if I change the shell from scponlyc to scponly, sftp doesn't work either, but after a restart of sshd sftp works.

Sometimes it works:

    sftp testik@192.168.0.108
    testik@192.168.0.108's password:
    Connected to 192.168.0.108.
    sftp>

Sometimes, without any changes, it doesn't work:

    sftp testik@192.168.0.108
    testik@192.168.0.108's password:
    Connection closed

I am not sure if this bug is in openssh or in scponly or somewhere else, but the closing of the pipes is before calling /usr/local/sbin/scponlyc. But the reading of debuglevel is after closing the pipes.

I have reproduced this with openssh5.4p1 and openssh5.3p1 too, with scponly-4.8-r4 on gentoo linux.
This might be related to bug #1750: for subsystems we close stderr.
This seems to be a duplicate of bug #1750. OpenSSH 5.6 will discard stderr output from subsystems rather than close the file descriptor, which is what is causing the SIGPIPE/EPIPE in your strace.

*** This bug has been marked as a duplicate of bug 1750 ***
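The failure discussed in this report, reduced to a stand-alone C program (an added example, not code from OpenSSH or scponly): a child that writes to a stderr pipe with no reader left is killed by SIGPIPE, while the same write to a discarded stderr succeeds. The message text, the name `run_child`, and the use of /dev/null as the way to discard output are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the debug line scponly writes to stderr. */
static const char MSG[] = "helper: debug message on stderr\n";

/* Fork a child that writes MSG to fd 2; return its wait status, or -1 on error.
 * discard == 0: stderr is a pipe with no reader left (read end closed).
 * discard == 1: stderr is /dev/null (assumed discard method), output is dropped. */
int run_child(int discard)
{
    int p[2], status;
    pid_t pid;

    if (pipe(p) < 0)
        return -1;
    close(p[0]);                    /* closed before fork so the outcome is deterministic */
    fflush(NULL);                   /* do not duplicate buffered stdio output in the child */
    pid = fork();
    if (pid < 0) { close(p[1]); return -1; }
    if (pid == 0) {
        int fd = discard ? open("/dev/null", O_WRONLY) : p[1];
        signal(SIGPIPE, SIG_DFL);   /* default disposition, as in the strace */
        if (fd < 0 || dup2(fd, STDERR_FILENO) < 0)
            _exit(2);
        /* EPIPE plus SIGPIPE in the first case, a successful write in the second */
        if (write(STDERR_FILENO, MSG, sizeof(MSG) - 1) < 0)
            _exit(1);
        _exit(0);
    }
    close(p[1]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return status;
}

int main(void)
{
    int closed = run_child(0), devnull = run_child(1);

    printf("stderr closed:    killed by SIGPIPE = %d\n",
           WIFSIGNALED(closed) && WTERMSIG(closed) == SIGPIPE);
    printf("stderr discarded: clean exit = %d\n",
           WIFEXITED(devnull) && WEXITSTATUS(devnull) == 0);
    return 0;
}
```

Running the first case under `strace -f` shows the same `EPIPE` followed by `SIGPIPE` pair as lines 1898 and 1899 of the log above.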
Move resolved bugs to CLOSED after 5.7 release