Blocking SCP

Stephan Larrison Stephan.Larrison at developonline.com
Tue Mar 12 10:20:37 EST 2002


I am running into a bit of a problem and I wanted to know if anyone out
there has some experience that could be helpful.

Here is the scenario.   I have been asked to make changes to OpenSSH that
will prevent a user from copying files on a server running SSH via SCP, but
will still allow them to copy files from their local machine to the server
via SCP.   The first part of the problem was relatively simple.  I have
modified scp.c so that it can prevent remote copies, but still allow local
copies.  However, there is another piece to this that is still problematic.
With the modified SCP, it is possible for a user to SSH into our servers,
then SSH back to their own client, and use a local copy of SCP to copy files
from our server.  I am trying to prevent this from happening.

What I am looking for is one of a few things:
   1)  An existing solution to my problem
   2)  Help in developing a solution to my problem.  I find that when I make
any modification to the sshd.c listener program (even something as simple as
a single printf) and move it into place, SSH clients trying to connect to
the server are first warned that a man-in-the-middle attack may be taking
place, and when they try to override the warning, entering the password will
no longer allow them to connect.

If there is no existing solution to the problem at hand, I am looking for a
way to make changes to the listener program so that I can prevent a user
from using a local copy of SCP to move data.

BTW, I am aware that you can move files back and forth with CAT piping
through SSH, but I still need to block SCP.


Thanks in advance for any help you can give me.


Steve