scp local/remote external calls
Darren Tucker
dtucker at zip.com.au
Sat May 10 15:04:46 EST 2008
petesea at bigfoot.com wrote:
> I'm a bit confused how scp works... could someone please explain the
> local/remote external calls that happen when scp is started... in
> particular how it relates to ssh on the remote site?
>
> To be more specific...
>
> I use Kerberos for authentication and I've been working on an ssh wrapper
> script that checks my Kerberos credentials before running the ssh command.
> If the credentials are missing or expired it gives a more appropriate
> message... something a bit more obvious then the standard "Permission
> denied" message from ssh.
>
> So... lets say this ssh wrapper is called "ssh" and it's in my $HOME/bin
> dir (which is first on my PATH).
>
> I have (for the sake of this discussion) 2 boxes... box1 and box2. The
> ssh wrapper script exists ONLY on box2.
>
> If I do an scp FROM box1 (which does NOT have this wrapper script) to box2
> AND my credentials have expired on box2, scp will fail with a message that
> my credentials have expired (which comes from my wrapper script)... which
> obviously means somehow my ssh wrapper on box2 was run. This leads me to
> the conclusion that running scp on box1 to box2 somehow starts the ssh
> client on box2.
>
> Is that correct? Is so, could someone please outline exactly what happens
> both local and remote when scp is run.
Basically, there's 3 cases. From your example above:
1) box1$ scp /foo /bar
This is a local-to-local copy. scp just invokes cp to do the copy, and
no ssh connection is involved.
2) box1$ scp /foo box2:/bar
This is a local-to-remote copy. scp on box 1 invokes "ssh box2 scp -t
/bar". You end up with the following processes involved:
scp(box1) -> ssh(box1) -tcp-> sshd(box2) -> scp(box2).
The same applies is true for remote-to-local copies, the only difference
being the arguments given to the remote scp.
3) box1$ scp box2:/foo box3:/bar
This is a remote-to-remote copy. scp on box1 runs the equivalent of
"ssh box2 scp /foo box3:/bar. You end up with
scp(box1) -> ssh(box1) -tcp-> sshd(box2) -> scp(box2) -> ssh(box2)
-tcp-> sshd(box3) -> scp(box3).
(The "->" denotes a local pipe or socketpair, depending on your platform.)
So in your example, if you run:
box1$ scp box2:/foo box1:/bar
then ssh is being invoked on box2 because it's case #3 above. What
exact command are you using? If you add "-v" to the scp command line
then you can see what it runs under the covers.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list