[scponly] scp failing in chrooted environment

Kaleb Pederson kpederson at mail.ewu.edu
Thu Apr 14 10:50:34 EDT 2005


On Wednesday 13 April 2005 6:46 pm, Ralf Durkee wrote:
> For Unix systems how about just scripting with the -b option, something
> along the lines of ...

Yes.... or you could do something like the following:

MYFILE=blah.${ext}
sftp user@host <<EOF
cd /path
put $MYFILE
...
EOF

--Kaleb

> TMPFILE=`mktemp -t progname` || exit 1
> echo "put test.txt incoming/test.txt" > $TMPFILE
> sftp -b $TMPFILE scpuser@example.rd1.net:.
> rm $TMPFILE
>
> It's a small inconvenience that seems well worth it to avoid the additional
> complexity and risk.
>
> -- Ralf Durkee, CISSP, GSEC, GCIH
> http://rd1.net
>
> At 11:35 AM 4/13/2005, Paul Hyder wrote:
> >It turns out that scp, running under sshv2 since we also don't permit
> >sshv1, is
> >sometimes a very useful tool, e.g. in *NIX shell scripts that automate
> >file transfer.
> >     Paul Hyder
> >     NOAA Forecast Systems Lab
> >     Boulder, CO
> >
> >Ralf Durkee wrote:
> >>At 01:19 PM 4/11/2005, Paul Jones wrote:
> >>>I have set up scponly and it is almost working perfectly.  I use it with
> >>>the chroot option.  rsync works, sftp works, but scp does not.
> >>>scp complains: "unknown user 10001". 10001 is the correct user id.  I am
> >>>thinking that I have just left something out of the chrooted area that
> >>>it needs, but I cannot figure out what.  usr/bin/id, usr/bin/groups,
> >>>usr/bin/scp are all there.  Any thoughts about what might be wrong?
> >>>
> >>>Paul
> >>
> >>I don't understand why anyone would want to go to all the extra work and
> >>risk to make the scp1 protocol work, when you've got the sftp protocol
> >>working. All of the scp clients I have tried will use the sftp protocol
> >>just fine.  I don't see the benefit of having the higher risk protocol,
> >>when the sftp protocol is much easier to control and verify, and requires
> >>a simpler and smaller chroot.  I configure my SSH server to only use
> >>SSHv2 as SSHv1 has some known weaknesses, and then compile scponlyc to
> >>only use the sftp protocol.
> >>
> >>-- Ralf Durkee, CISSP, GSEC, GCIH
> >>Principal Consultant
> >>http://rd1.net
> >>_______________________________________________
> >>scponly mailing list
> >>scponly at lists.ccs.neu.edu
> >>https://lists.ccs.neu.edu/bin/listinfo/scponly
>
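The batch-file approach suggested in the replies above, written out as a small reusable script. This is an added example, not code from the thread or from the scponly project: the user, host, remote directory and file names are placeholders, and it assumes an sftp client that supports -b and -oBatchMode (OpenSSH's does). With -b, sftp aborts on the first failed command and exits non-zero, so the caller can check the result; that is the property that makes it preferable to an interactive session or a plain here-document for unattended transfers.

```shell
#!/bin/sh
# Added example: non-interactive uploads with sftp -b, as proposed in the
# thread, instead of carrying scp (and its helpers) into the chroot.
# user@host, /incoming and the file names are placeholders.

# Emit an sftp batch script on stdout for uploading local files into one
# remote directory. One command per line. A bare "put" makes sftp -b abort
# (and exit non-zero) on failure; prefixing a command with "-" would make
# sftp ignore that command's failure, which we do not want here.
build_sftp_batch() {
    # $1 = remote directory; remaining args = local files to upload
    remote_dir=$1; shift
    printf 'cd %s\n' "$remote_dir"
    for f in "$@"; do
        printf 'put %s\n' "$f"
    done
    printf 'quit\n'
}

# Upload files with sftp -b. Returns sftp's exit status (non-zero if any
# batch command failed) and removes the temp batch file on every path.
sftp_put() {
    # $1 = user@host; $2 = remote directory; remaining args = local files
    target=$1; remote_dir=$2; shift 2
    batch=$(mktemp "${TMPDIR:-/tmp}/sftpbatch.XXXXXX") || return 1
    if ! build_sftp_batch "$remote_dir" "$@" > "$batch"; then
        rm -f "$batch"
        return 1
    fi
    # BatchMode=yes: never prompt for a password; authenticate with a key
    # or agent only, so a missing key fails fast instead of hanging a cron job.
    sftp -oBatchMode=yes -b "$batch" "$target"
    rc=$?
    rm -f "$batch"
    return $rc
}

# Usage (placeholder host; run by hand, not as part of the definitions above):
#   sftp_put scpuser@example.invalid /incoming test.txt report.log || echo "upload failed"
```

Local file names containing spaces must be quoted inside the batch file (sftp accepts double quotes there); the helper above passes names through unquoted, so quote them at the call site or extend build_sftp_batch if that matters for your inputs.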
