Transferring file to local machine when SSHing into a foreign box

Steffen Daode Nurpmeso sdaoden at googlemail.com
Tue May 15 02:06:37 EST 2012


Hello,

Gert Doering <gert at greenie.muc.de> wrote:

 | Hi,
 |
 | On Mon, May 14, 2012 at 12:23:30PM +0200, Steffen Daode Nurpmeso wrote:
 | >   myself@local-host$ ssh myself@host-over-ssh
 | >   myself@host-over-ssh$ ~Copy_file path_on_local-host path(_on_host-over-ssh)
 | > 
 | > Why should this open a security hole, given that
 | > myself@host-over-ssh has proper permissions for
 | > path_on_host-over-ssh?  
 |
 | If you're just talking about from-local-to-remote, one thing that comes
 | to mind is "an evil remote host stealing your local files without your
 | doing".

I don't think this would be possible, since this should all end up
in process_escapes() (talking about command setup and such).
I.e., it should all be filtered by the local client which drives
the interactive terminal session, before any data is sent over the
connection at all.

 | So while I can understand the convenience factor of this, making it
 | properly secure (like "only operate out of a well-defined quarantine
 | folder on local-host, and do not permit absolute or relative path names
 | with '..' in them") is likely going to make this inconvenient enough
 | to then not-use it...

It's not the convenience, it's just sitting in front of the
computer and using the keyboard and having that schizophrenic
situation best described as

  All I want to do is '$ cp LOCAL/.vimrc ~/.vimrc', the
  connection is established and I could use '$ cat > ~/.vimrc' and
  copy+paste and it would do exactly that!

Grrrrmmpf!

  Instead I need to switch consoles and use an explicit scp or
  whatever, that does *so many things* before that simple operation
  is actually performed.

I'm with the original poster - I know these feelings from my own
experience.

However, I'm not familiar with the actual protocol/RFCs, and thus
the question of how this could be implemented on the client/server
interaction side is beyond my knowledge for the foreseeable
future.  And one of the previous answers doesn't give much hope
in this respect.

--steffen
Forza Figa!
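
An added illustration of the two points argued in this message (an
escape typed at the local terminal is handled by the client before
anything goes over the wire, so remote output cannot trigger it; and
Gert's suggested "quarantine folder, no absolute paths, no '..'"
constraint on the source path).  This is example code written for
this page, not code from OpenSSH or from either poster.  It models
the escape handling in a toy Python class: like ssh(1), the escape
character is only recognised at the beginning of a line of locally
typed input, but unlike real ssh it accepts a whole hypothetical
"~Copy_file SRC DST" line instead of a single command character, and
it works on text rather than raw tty bytes.  The realpath-based
containment check (which also catches a symlink inside the
quarantine directory pointing outside it) is an assumption about how
such a check would be done, not something the thread specifies.

```python
import tempfile
from pathlib import Path

ESCAPE = "~"


class EscapeModel:
    """Toy model of client-side escape handling (not OpenSSH code).

    Only characters typed at the LOCAL terminal pass through
    process_local_input(); whatever the remote end sends is returned by
    process_remote_output() untouched and never scanned for escapes, so a
    hostile server cannot issue a "~Copy_file" on the user's behalf.
    """

    def __init__(self, quarantine_dir):
        # Hypothetical "well-defined quarantine folder" on the local host.
        self.quarantine = Path(quarantine_dir).resolve()
        self.last_was_newline = True   # escapes only count at start of a line
        self.in_escape = False
        self.pending = ""              # "~..." line being typed
        self.sent = []                 # what would actually go over the wire
        self.actions = []              # escapes dispatched locally

    def process_local_input(self, data):
        """Filter locally typed text; escape lines are consumed, never sent."""
        for ch in data:
            if self.in_escape:
                if ch in "\r\n":
                    self.actions.append(self._dispatch(self.pending))
                    self.pending, self.in_escape = "", False
                    self.last_was_newline = True
                else:
                    self.pending += ch
                continue
            if ch == ESCAPE and self.last_was_newline:
                self.in_escape = True
                continue
            self.sent.append(ch)
            self.last_was_newline = ch in "\r\n"

    def process_remote_output(self, data):
        """Remote bytes are displayed as-is; no escape parsing happens here."""
        return data

    def _dispatch(self, line):
        verb, _, rest = line.partition(" ")
        if verb == "Copy_file":
            src, _, _dst = rest.partition(" ")
            ok, detail = self.check_source(src)
            return ("Copy_file", ok, detail)
        return (verb, False, "unknown escape")

    def check_source(self, src):
        """Gert's constraint: relative path inside the quarantine dir only."""
        if Path(src).is_absolute():
            return False, "absolute path rejected"
        if ".." in Path(src).parts:
            return False, "'..' component rejected"
        real = (self.quarantine / src).resolve()   # follows symlinks
        try:
            real.relative_to(self.quarantine)
        except ValueError:
            return False, "resolves outside quarantine (symlink?)"
        return True, str(real)


def run_demo():
    """Exercise the model on constructed input and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        quarantine = base / "quarantine"
        outside = base / "outside"
        quarantine.mkdir()
        outside.mkdir()
        (outside / "secret").write_text("constructed secret\n")
        (quarantine / "link").symlink_to(outside / "secret")  # escape attempt

        m = EscapeModel(quarantine)
        # Constructed hostile remote output trying to inject an escape line.
        remote = "\r\n~Copy_file /etc/passwd /tmp/x\r\n"
        results["remote_passthrough"] = m.process_remote_output(remote) == remote
        results["remote_triggered"] = len(m.actions)

        m.process_local_input("echo ~/foo\r")             # mid-line ~ is data
        results["sent"] = "".join(m.sent)
        m.process_local_input("~Copy_file .vimrc ~/.vimrc\r")        # allowed
        m.process_local_input("~Copy_file /etc/passwd x\r")          # absolute
        m.process_local_input("~Copy_file ../outside/secret x\r")    # '..'
        m.process_local_input("~Copy_file link x\r")                 # symlink
        results["actions"] = m.actions
        results["sent_after"] = "".join(m.sent)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)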