<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>Blocking SCP</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2 FACE="Arial">I am running into a bit of a problem and I wanted to know if anyone out there has some experience that could be helpful.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Here is the scenario. I have been asked to make changes to OpenSSH that will prevent a user from copying files on a server running SSH via SCP, but will still allow them to copy files from their local machine to the server via SCP. The first part of the problem was relatively simple. I have modified scp.c so that it can prevent remote copies, but still allow local copies. However, there is another piece to this that is still problematic. With the modified SCP, it is possible for a user to SSH into our servers, then SSH back to their own client, and use a local copy of SCP to copy files from our server. I am trying to prevent this from happening.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">What I am looking for is one of a few things:</FONT>
<BR><FONT SIZE=2 FACE="Arial"> 1) An existing solution to my problem</FONT>
<BR><FONT SIZE=2 FACE="Arial"> 2) Help in developing a solution to my problem. I find that when I make any modification to the sshd.c listener program (even something as simple as a single printf) and move it into place, SSH clients trying to connect to the server are first warned that a man-in-the-middle attack may be taking place, and when they try to override the warning, entering the password will no longer allow them to connect.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">If there is no existing solution to the problem at hand, I am looking for a way to make changes to the listener program so that I can prevent a user from using a local copy of SCP to move data.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">BTW, I am aware that you can move files back and forth with CAT piping through SSH, but I still need to block SCP.</FONT>
</P>
<BR>
<P><FONT SIZE=2 FACE="Arial">Thanks in advance for any help you can give me.</FONT>
</P>
<BR>
<P><FONT SIZE=2 FACE="Arial">Steve</FONT>
</P>
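<P><FONT SIZE=2 FACE="Arial">Added example, not part of the original message and not OpenSSH code: one way to permit uploads while refusing downloads is a forced-command filter that inspects the command the scp client asks the server to run (scp -t when the server receives, scp -f when it sends, in the legacy scp protocol). It assumes the account is limited to this forced command with no interactive shell, since with a shell the data can leave by other routes such as the cat piping mentioned above; the script path and the function name classify_scp are hypothetical.</FONT></P>

```sh
#!/bin/sh
# Added example: forced-command filter that lets a restricted account upload
# with scp but not download. Constructed for illustration; not OpenSSH code.
# Assumed sshd_config entry (path is hypothetical):
#   ForceCommand /usr/local/libexec/scp-upload-only
LC_ALL=C; export LC_ALL   # keep the A-Z and a-z ranges below ASCII-only

# classify_scp CMD: print "upload", "download" or "other" for a client command.
classify_scp() {
    case $1 in
        # Anything outside this whitelist (quotes, ;, |, $, globs, newlines)
        # is refused, so the string can be word-split later without surprises.
        ''|*[!A-Za-z0-9\ ._/-]*) echo other; return 0 ;;
    esac
    set -f; set -- $1; set +f          # split on spaces, no globbing
    [ "$1" = scp ] || { echo other; return 0; }
    shift
    up=0 down=0
    for arg in "$@"; do
        case $arg in
            -t) up=1 ;;                # sink mode: server receives files
            -f) down=1 ;;              # source mode: server sends files
            -v|-r|-p|-d|--) ;;         # flags the scp client adds itself
            -*) echo other; return 0 ;;
        esac
    done
    case $up$down in
        10) echo upload ;;
        01) echo download ;;
        *)  echo other ;;
    esac
}

# Entry point under sshd. With no client command (an interactive login) the
# variable is unset, nothing runs and the session ends.
if [ "${SSH_ORIGINAL_COMMAND+set}" = set ]; then
    if [ "$(classify_scp "$SSH_ORIGINAL_COMMAND")" = upload ]; then
        set -f
        exec $SSH_ORIGINAL_COMMAND     # only whitelisted characters remain
    fi
    echo "scp-upload-only: request refused" >&2
    exit 1
fi
```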
</BODY>
</HTML>