scp local/remote external calls

Darren Tucker dtucker at
Sat May 10 15:04:46 EST 2008

petesea at wrote:
> I'm a bit confused how scp works... could someone please explain the 
> local/remote external calls that happen when scp is started... in 
> particular how it relates to ssh on the remote site?
> To be more specific...
> I use Kerberos for authentication and I've been working on an ssh wrapper 
> script that checks my Kerberos credentials before running the ssh command. 
> If the credentials are missing or expired it gives a more appropriate 
> message... something a bit more obvious then the standard "Permission 
> denied" message from ssh.
> So... lets say this ssh wrapper is called "ssh" and it's in my $HOME/bin 
> dir (which is first on my PATH).
> I have (for the sake of this discussion) 2 boxes... box1 and box2.  The 
> ssh wrapper script exists ONLY on box2.
> If I do an scp FROM box1 (which does NOT have this wrapper script) to box2 
> AND my credentials have expired on box2, scp will fail with a message that 
> my credentials have expired (which comes from my wrapper script)... which 
> obviously means somehow my ssh wrapper on box2 was run.  This leads me to 
> the conclusion that running scp on box1 to box2 somehow starts the ssh 
> client on box2.
> Is that correct?  Is so, could someone please outline exactly what happens 
> both local and remote when scp is run.

Basically, there's 3 cases.  From your example above:

1) box1$ scp /foo /bar

This is a local-to-local copy.  scp just invokes cp to do the copy, and 
no ssh connection is involved.

2) box1$ scp /foo box2:/bar

This is a local-to-remote copy.  scp on box 1 invokes "ssh box2 scp -t 
/bar".  You end up with the following processes involved:

scp(box1) -> ssh(box1) -tcp-> sshd(box2) -> scp(box2).

The same applies is true for remote-to-local copies, the only difference 
being the arguments given to the remote scp.

3) box1$ scp box2:/foo box3:/bar

This is a remote-to-remote copy.  scp on box1 runs the equivalent of 
"ssh box2 scp /foo box3:/bar.  You end up with

scp(box1) -> ssh(box1) -tcp-> sshd(box2) -> scp(box2) -> ssh(box2) 
-tcp-> sshd(box3) -> scp(box3).

(The "->" denotes a local pipe or socketpair, depending on your platform.)

So in your example, if you run:

box1$ scp box2:/foo box1:/bar

then ssh is being invoked on box2 because it's case #3 above.  What 
exact command are you using?  If you add "-v" to the scp command line 
then you can see what it runs under the covers.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list