[scponly] scp failing in chrooted environment

Ralf Durkee rd at rd1.net
Wed Apr 13 21:46:00 EDT 2005


For Unix systems how about just scripting with the -b option, something 
along the lines of ...

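# Write the sftp batch commands to a private temporary file
TMPFILE=`mktemp -t progname.XXXXXX` || exit 1
echo "put test.txt incoming/test.txt" > "$TMPFILE"
# -b runs the commands in the batch file non-interactively
sftp -b "$TMPFILE" scpuser@example.rd1.net:.
rm "$TMPFILE"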

It's a small inconvenience that seems well worth it for reducing additional 
complexity and risk.

-- Ralf Durkee, CISSP, GSEC, GCIH
http://rd1.net

At 11:35 AM 4/13/2005, Paul Hyder wrote:
>It turns out that scp, running under sshv2 since we also don't permit sshv1, is
>sometimes a very useful tool, e.g. in *NIX shell scripts that automate file transfer.
>     Paul Hyder
>     NOAA Forecast Systems Lab
>     Boulder, CO
>
>Ralf Durkee wrote:
>>At 01:19 PM 4/11/2005, Paul Jones wrote:
>>
>>>I have set up scponly and it is almost working perfectly.  I use it with 
>>>the chroot option.  rsync works, sftp works, but scp does not.
>>>scp complains: "unknown user 10001"  10001 is the correct user id.  I am 
>>>thinking that I have just left something out of the chrooted area that 
>>>it needs, but I can not figure out what.  usr/bin/id, usr/bin/groups, 
>>>usr/bin/scp are all there.  Any thoughts about what might be wrong?
>>>
>>>Paul
>>
>>I don't understand why anyone would want to go to all the extra work and 
>>risk to make the scp1 protocol work, when you've got the sftp protocol 
>>working. All of the scp clients I have tried will use the sftp protocol 
>>just fine.  I don't see the benefit of having the higher risk protocol, 
>>when the sftp protocol is much easier to control and verify, and requires 
>>a simpler and smaller chroot.  I configure my SSH server to only use 
>>SSHv2 as SSHv1 has some known weaknesses, and then compile scponlyc to 
>>only use the sftp protocol.
>>
>>-- Ralf Durkee, CISSP, GSEC, GCIH
>>Principal Consultant
>>http://rd1.net
>>_______________________________________________
>>scponly mailing list
>>scponly at lists.ccs.neu.edu
>>https://lists.ccs.neu.edu/bin/listinfo/scponly
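
An added example, not part of the original thread: the sftp -b approach from Ralf Durkee's message wrapped as a scp-style function that quotes the paths in the batch file, removes the temporary file and returns sftp's exit status. The names make_batch and sftp_put are hypothetical, and key-based (non-interactive) authentication is assumed.

```shell
#!/bin/sh
# Added example. make_batch and sftp_put are hypothetical helper names.

NL='
'

# make_batch LOCAL REMOTE
# Print one quoted "put" line for an sftp batch file. Refuse empty paths,
# a leading '-' (sftp would parse it as an option), and quote, backslash or
# newline characters (they would break the quoting of the batch line).
make_batch() {
    for p in "$1" "$2"; do
        case $p in
            ''|-*|*'"'*|*'\'*|*"$NL"*)
                echo "make_batch: refusing path: $p" >&2
                return 1 ;;
        esac
    done
    printf 'put "%s" "%s"\n' "$1" "$2"
}

# sftp_put LOCAL USER@HOST REMOTE
# Upload one file over the sftp protocol and return sftp's exit status.
# Assumes key-based authentication, since batch mode cannot prompt.
sftp_put() {
    batch=$(mktemp "${TMPDIR:-/tmp}/sftp_put.XXXXXX") || return 1
    if make_batch "$1" "$3" > "$batch"; then
        sftp -b "$batch" "$2"   # a failed put aborts the batch, non-zero exit
        rc=$?
    else
        rc=1
    fi
    rm -f "$batch"
    return "$rc"
}

# Usage (placeholder host, as in the message above):
#   sftp_put test.txt scpuser@example.rd1.net incoming/test.txt || exit 1
```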



