Filter files received on scp server

Morham Anthelleron opensshdev at
Fri Aug 4 09:33:30 AEST 2017

Quoting Jon Earle <earlej at>:

> Hey folks,
> For reasons, I am trying to restrict what files the scp server will accept.

Are you trying to filter based on filenames or as a completion task upon
successful receipt of the accepted files through ClamAV or similar scanning
tool. (Let's call the first example "Type A" and the second "Type B".)  Or
alternatively, you could just use "file magic" detection of *ANY* system
executable, for a much lighter weight "threat scanning". Let's call that Type
C (or B-Light).

With Type B (and probably C), I'm assuming you'd quarantine the file(s) in
transit until the scanning is complete, with a successful result "releasing"
the file to its proper location, while a "failed" file would be deleted or
quarantined with log entries to describe the situation.  This sounds like a
much "heavier" change to make to sshd than Type A, even if it is the more
effective strategy.

You're patching the code on the server and/or running the server's sshd with
the appropriate debug/logging settings, correct?


More information about the openssh-unix-dev mailing list