[scponly] scp failing in chrooted environment

Paul Hyder Paul.Hyder at noaa.gov
Thu Apr 14 11:47:47 EDT 2005


Sort of like programming languages, all you need is FORTRAN ;-)

Supporting users choices does add complexity.  Our cluster has
people with lots of existing large scripts that use scp, sftp,
and rsync and so we get to live with that complexity.  Choice is
a good thing.

BTW: What would make "scp $thefile user@host:incoming" more "risky"
than an equivalent sftp?
     Paul Hyder
     NOAA Forecast Systems Lab
     Boulder, CO

Kaleb Pederson wrote:
> On Wednesday 13 April 2005 6:46 pm, Ralf Durkee wrote:
> 
>>For Unix systems how about just scripting with the -b option, something
>>along the lines of ...
> 
> 
> Yes.... or you could do something like the following:
> 
> # unquoted here-document: the shell expands $MYFILE before sftp reads it
> MYFILE=blah.${ext}
> sftp user@host <<EOF
> cd /path
> put $MYFILE
> ...
> EOF
> 
> --Kaleb
> 
> 
>># template with X's works with both GNU and BSD mktemp
>>TMPFILE=`mktemp -t progname.XXXXXX` || exit 1
>>echo "put test.txt incoming/test.txt" > "$TMPFILE"
>>sftp -b "$TMPFILE" scpuser@example.rd1.net:.
>>rm -f "$TMPFILE"
>>
>>It's a small inconvenience that seems well worth it for reducing the
>>additional complexity and risk.
>>
>>-- Ralf Durkee, CISSP, GSEC, GCIH
>>http://rd1.net
>>
>>At 11:35 AM 4/13/2005, Paul Hyder wrote:
>>
>>>It turns out that scp, running under sshv2 since we also don't permit
>>>sshv1, is sometimes a very useful tool, e.g. in *NIX shell scripts that
>>>automate file transfer.
>>>    Paul Hyder
>>>    NOAA Forecast Systems Lab
>>>    Boulder, CO
>>>
>>>Ralf Durkee wrote:
>>>
>>>>At 01:19 PM 4/11/2005, Paul Jones wrote:
>>>>
>>>>>I have set up scponly and it is almost working perfectly.  I use it with
>>>>>the chroot option.  rsync works, sftp works, but scp does not.
>>>>>scp complains: "unknown user 10001"  10001 is the correct user id.  I am
>>>>>thinking that I have just left something out of the chrooted area that
>>>>>it needs, but I can not figure out what.  usr/bin/id, usr/bin/groups,
>>>>>usr/bin/scp are all there.  Any thoughts about what might be wrong?
>>>>>
>>>>>Paul
>>>>
>>>>I don't understand why anyone would want to go to all the extra work and
>>>>risk to make the scp1 protocol work, when you've got the sftp protocol
>>>>working. All of the scp clients I have tried will use the sftp protocol
>>>>just fine.  I don't see the benefit of having the higher risk protocol,
>>>>when the sftp protocol is much easier to control and verify, and requires
>>>>a simpler and smaller chroot.  I configure my SSH server to only use
>>>>SSHv2 as SSHv1 has some known weaknesses, and then compile scponlyc to
>>>>only use the sftp protocol.
>>>>
>>>>-- Ralf Durkee, CISSP, GSEC, GCIH
>>>>Principal Consultant
>>>>http://rd1.net
>>>>_______________________________________________
>>>>scponly mailing list
>>>>scponly at lists.ccs.neu.edu
>>>>https://lists.ccs.neu.edu/bin/listinfo/scponly
>>
> 
> 
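The batch-file approach Ralf shows above ("sftp -b") and Kaleb's here-document both rely on the shell writing the sftp commands for a non-interactive upload. The script below is an added example, not code from any poster in this thread, that wraps the same "-b" technique for several files at once with a temp-file template that works with both GNU and BSD mktemp, cleanup on exit via trap, and a refusal of file names that an sftp batch line would split on whitespace. The function names (make_batch_file, write_put_commands, upload_files) are mine; the target "scpuser@example.rd1.net" and the "incoming" directory are taken from Ralf's snippet as placeholders.

```shell
#!/bin/sh
# Added example: non-interactive sftp upload driven by a generated batch
# file, in the style of the "-b" snippet in the thread. Not from the thread.
set -eu

# Create the batch file. The XXXXXX template is accepted by GNU mktemp
# (which rejects a plain prefix) and by BSD mktemp.
make_batch_file() {
    mktemp "${TMPDIR:-/tmp}/sftp-batch.XXXXXX"
}

# write_put_commands BATCH REMOTE_DIR FILE...
# Writes one "put" line per local file, uploading into REMOTE_DIR under the
# file's basename, then a "quit". sftp batch lines are whitespace-split, so
# names containing spaces, quotes or other shell-ish characters are refused
# rather than silently becoming two arguments.
write_put_commands() {
    batch="$1"; remote_dir="$2"; shift 2
    : > "$batch"
    for f in "$@"; do
        case "$f" in
            *[!A-Za-z0-9._/-]*)
                echo "refusing unsafe file name: $f" >&2; return 1 ;;
        esac
        [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
        printf 'put %s %s/%s\n' "$f" "$remote_dir" "$(basename "$f")" >> "$batch"
    done
    printf 'quit\n' >> "$batch"
}

# upload_files TARGET REMOTE_DIR FILE...
# TARGET is [user@]host as sftp expects it. The batch file is removed on
# any exit; sftp -b exits non-zero if a batched command fails.
upload_files() {
    target="$1"; remote_dir="$2"; shift 2
    batch=$(make_batch_file)
    trap 'rm -f "$batch"' EXIT INT TERM
    write_put_commands "$batch" "$remote_dir" "$@"
    sftp -b "$batch" "$target"
}

# usage (placeholders from the thread):
#   upload_files scpuser@example.rd1.net incoming ./test.txt ./report.csv
```

The batch file is generated and inspected by the caller before sftp ever sees it, which is the property that makes this easier to audit than an interactive session: every command that will run on the server is in one small file.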