Re: scp. I don't get it

From: Natman (remove.this.natmanz@shaw.ca)
Date: 11/18/02


From: "Natman" <remove.this.natmanz@shaw.ca>
Date: Mon, 18 Nov 2002 06:09:45 GMT


"Hal Murray" <hmurray@suespammers.org> wrote in message
news:utfqv37bnlksb2@corp.supernews.com...
> >This approach is also..... dangerous. It means that the passwordless key
can
> >be stolen and allow access to the remote machine for other people. I'd
urge
> >you to look into using rsync with SSH to provide better control over
where
> >the files go, and possibly a chroot cage for the SSH server. There are
also
> >ways to use passphrase based keys involving ssh-agent. Hop on over to the
> >SSH newsgroups for more details.
>
> Is there any secure way to set things up so that a cron job on one
> machine can backup files over the net to another machine?
>
> Perhaps I should ask what is the cleanest, lowest-risk way to do it?
>
> I'm only interested in a few machines (at home) so any solution
> doesn't have to scale to zillions of machines.
>

Try this:

use a v2 keypair, and on the receiving end, put

from="sending ip address",command="perl
~/scponly.pl",no-port-forwarding,no-X11-forwarding,no-agent-forwarding [the
key part]

into ~/.ssh/authorized_keys2

And then create ~/scponly.pl with the text at the end of this post. Replace
"mydir" with the dir where files are to be placed. The idea is that ssh2
allows you restrict the use of the key to a specific ip, as well as
disabling features such as port forwarding. Then, the scponly.pl script
(which is based on some scripts I found on the net) restricts that key to
only use scp (no logins), and even then, only if the destination includes
"mydir" somewhere (and this could be further restricted to prevent tricks
like mydir/../, but I didn't do that yet). I use this for the same type of
idea, and it seems to work pretty good. I tried breaking this setup, and I
don't see any obvious way of doing it. Of course, if someone got ahold of
the key, they could add files and overwrite existing files that the user on
the receiving machine has permissions to. If you're worried about that,
that could be fixed by manually chmod'ing / chown'ing the files (to say,
root), or running a cron script to do it for you.

Natman

--- Begin ~/scponly.pl ---
#!/usr/local/bin/perl

sub fail {
    my ($msg) = @_;
    print STDERR "scponly: ", $msg, "\n";
    exit 1;
}

# This just makes me feel better.

$TRUE = (0 == 0);
$FALSE = (0 == 1);

# Since this script is called as a forced command, need to get the
# original scp command given by the client.

($command = $ENV{SSH_ORIGINAL_COMMAND})
    || fail "environment variable SSH_ORIGINAL_COMMAND not set";

# Split the command string to make an argument list, and remove the first
# element (the command name; we'll supply our own);

@scp_argv = split /[ \t]+/, $command;

# Complain if the command is not "scp".

fail "account restricted: only scp allowed"
    unless $scp_argv[0] eq "scp";

# Ensure that either -t or -f is on the command line, to enforce running
# scp in server mode.

$ok = $FALSE;
foreach $arg (@scp_argv) {
    if ($arg eq '-t' || $arg eq '-f') {
        $ok = $TRUE;
        last;
    }
}

fail "Restricted; only server mode allowed."
    unless $ok;

# Check to see that we are only writing to logarch dir

$ok = $FALSE;
foreach $arg (@scp_argv) {
    if ($arg =~ /mydir/) {
        $ok = $TRUE;
        last;
    }
}

fail "Restricted; only allowed to work with [mydir]."
    unless $ok;

shift @scp_argv;
exec 'scp', @scp_argv;
--- End file ---



Relevant Pages

  • RE: SCP help
    ... > I have developed a CGI that will take information from a CGI based ... > SCP a specific file to a remote server. ... > If I do the above command from the command line all works perfectly. ... Is the script setuid? ...
    (perl.beginners)
  • Re: Bash Understanding - Help
    ... I've got this little script and to run the commands I copy the ... commands into my paste buffer by selecting the lines. ... After completing the scp command the shell returms me ...
    (Fedora)
  • Re: Piping and scripts with scp
    ... generate one key pair for every command you want to run and name the key ... if you invoke scp with the corresponding key, scp's remote invocation is ... The script will need to execute via cron and run ...
    (FreeBSD-Security)
  • Re: scp exploit
    ... I just downloaded the latest version of OpenSSH and it (scp) also ... Is there any way to restrict a user from ... Reading through the source, it seems that the ssh program ... The "Sending command:" is defined in ssh.c on line 940. ...
    (comp.security.ssh)
  • Re: ksh scrip to include various sql commands and rownum
    ... This is a little bit safer, since you can restrict who can read your ... script but everyone can see your command line with the ps command: ...
    (comp.unix.shell)