Re: scp. I don't get it

From: "Natman"
Date: Mon, 18 Nov 2002 06:09:45 GMT

"Hal Murray" wrote in message
> >This approach is also..... dangerous. It means that the passwordless key
> >be stolen and allow access to the remote machine for other people. I'd
> >you to look into using rsync with SSH to provide better control over
> >the files go, and possibly a chroot cage for the SSH server. There are
> >ways to use passphrase based keys involving ssh-agent. Hop on over to the
> >SSH newsgroups for more details.
> Is there any secure way to set things up so that a cron job on one
> machine can backup files over the net to another machine?
> Perhaps I should ask what is the cleanest, lowest-risk way to do it?
> I'm only interested in a few machines (at home) so any solution
> doesn't have to scale to zillions of machines.

Try this:

use a v2 keypair, and on the receiving end, put

from="sending ip address",command="perl
~/",no-port-forwarding,no-X11-forwarding,no-agent-forwarding [the
key part]

into ~/.ssh/authorized_keys2

And then create ~/ with the text at the end of this post. Replace
"mydir" with the dir where files are to be placed. The idea is that ssh2
allows you to restrict the use of the key to a specific ip, as well as
disabling features such as port forwarding. Then, the script
(which is based on some scripts I found on the net) restricts that key to
only use scp (no logins), and even then, only if the destination includes
"mydir" somewhere (and this could be further restricted to prevent tricks
like mydir/../, but I didn't do that yet). I use this for the same type of
idea, and it seems to work pretty well. I tried breaking this setup, and I
don't see any obvious way of doing it. Of course, if someone got ahold of
the key, they could add files and overwrite existing files that the user on
the receiving machine has permissions to. If you're worried about that,
that could be fixed by manually chmod'ing / chown'ing the files (to, say,
root), or running a cron script to do it for you.


--- Begin ~/ ---

sub fail {
    my ($msg) = @_;
    print STDERR "scponly: ", $msg, "\n";
    exit 1;
}

# This just makes me feel better.

$TRUE = (0 == 0);
$FALSE = (0 == 1);

# Since this script is called as a forced command, need to get the
# original scp command given by the client.

$command = $ENV{'SSH_ORIGINAL_COMMAND'}
    || fail "environment variable SSH_ORIGINAL_COMMAND not set";

# Split the command string to make an argument list. The first element
# (the command name) is checked below and then dropped; we supply our own.

@scp_argv = split /[ \t]+/, $command;

# Complain if the command is not "scp".

fail "account restricted: only scp allowed"
    unless $scp_argv[0] eq "scp";

# Ensure that either -t or -f is on the command line, to enforce running
# scp in server mode.

$ok = $FALSE;
foreach $arg (@scp_argv) {
    if ($arg eq '-t' || $arg eq '-f') {
        $ok = $TRUE;
    }
}

fail "Restricted; only server mode allowed."
    unless $ok;

# Check to see that we are only working with the mydir directory
# (a plain substring match; mydir/../ is not caught here).

$ok = $FALSE;
foreach $arg (@scp_argv) {
    if ($arg =~ /mydir/) {
        $ok = $TRUE;
    }
}

fail "Restricted; only allowed to work with [mydir]."
    unless $ok;

# Drop the client's "scp" and run the real one with the vetted arguments.
shift @scp_argv;
exec 'scp', @scp_argv;
--- End file ---
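The post leaves the mydir/../ trick open and only checks that "mydir" appears somewhere in the arguments. The following is an added example (not Natman's script, nor anything from the thread) of the same forced-command wrapper written in Python, with the target path resolved and confined to the allowed directory; it assumes the wrapper runs in the account's home directory (where sshd starts forced commands), and it narrows the post's "-t or -f" to -t only by default, since a push backup never needs the receiver to send files.

```python
import os
import posixpath
import shlex
import sys

# Options a client normally starts scp's server side with (server mode -t/-f,
# plus -v, -r, -p, -d); anything else is refused.
SCP_SERVER_OPTS = {"-t", "-f", "-v", "-r", "-p", "-d"}


def vet_scp_command(command, allowed_dir, allowed_modes=("-t",), home=None):
    """Return (True, argv) to exec, or (False, reason) to refuse the command."""
    if home is None:
        home = os.path.expanduser("~")  # relative scp paths resolve against $HOME
    if not command:
        return False, "SSH_ORIGINAL_COMMAND not set"
    try:
        argv = shlex.split(command)  # honours the quoting scp applies to odd names
    except ValueError as exc:
        return False, "unparseable command: %s" % exc
    if not argv or argv[0] != "scp":
        return False, "only scp allowed"
    opts = [a for a in argv[1:] if a.startswith("-")]
    paths = [a for a in argv[1:] if not a.startswith("-")]
    modes = [o for o in opts if o in ("-t", "-f")]
    if len(modes) != 1 or modes[0] not in allowed_modes:
        return False, "only scp server mode %s allowed" % "/".join(allowed_modes)
    if any(o not in SCP_SERVER_OPTS for o in opts):
        return False, "unexpected scp option"
    if len(paths) != 1:
        return False, "exactly one target path expected"
    # Resolve the target as scp will, collapse any "mydir/../" segments, and
    # require the result to still lie inside allowed_dir (symlinks are not
    # followed here, so keep mydir free of links pointing elsewhere).
    base = posixpath.normpath(posixpath.join(home, allowed_dir))
    target = posixpath.normpath(posixpath.join(home, paths[0]))
    if target != base and not target.startswith(base + "/"):
        return False, "path %r escapes %s" % (paths[0], allowed_dir)
    return True, argv


def run_as_forced_command(allowed_dir="mydir"):
    """Entry point when used as command= in authorized_keys."""
    ok, result = vet_scp_command(os.environ.get("SSH_ORIGINAL_COMMAND"), allowed_dir)
    if not ok:
        print("scponly: " + result, file=sys.stderr)
        sys.exit(1)
    os.execvp("scp", result)
```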