From the testing that I've done so far, using the command= restriction
essentially ignores any and all attempts by the client to send different remote
filenames, directory commands, etc.
Using
scp -i some_key localfile remotehost:../../../../../../../../../../tmp/file
places a copy of the file named "localfile" in the directory specified in the
command= line of the authorized_keys file.
It completely overrides the -t and -f parameters passed by the client, which is
really pretty cool in a sense.
You could probably even configure the command= to attempt to send a file, which
would only work I assume if the client command was set to pull a file, rather
than send one.
It might be fun to play with it to see what you can and can't force via the
command= override from the authorized_keys file.
All in all, it gave me what so far appears to be a safe, secure, encrypted,
receive only scp, where the file destination directory is controlled by the
server, not the client.
Hella cool imo.
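A forced-command wrapper built on the command= behaviour described in the message above, as an added example that is not code from the original post. It goes a step beyond the post by refusing and logging any request that is not an upload instead of running the scp sink for everything. The install path /usr/local/bin/scp-dropbox, the drop directory /srv/incoming and the key shown in the comment are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for a receive-only scp drop box (added example).
# Assumed install path /usr/local/bin/scp-dropbox, referenced from authorized_keys
# on one line (key material is a placeholder):
#   command="/usr/local/bin/scp-dropbox",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...PLACEHOLDER uploader
# sshd runs this script instead of the client's request and passes that request
# in SSH_ORIGINAL_COMMAND.

DROP_DIR="${DROP_DIR:-/srv/incoming}"   # assumed drop directory, chosen by the server

# classify_request REQUEST: print "upload" (scp -t), "download" (scp -f) or "other".
classify_request() {
    set -f                      # no glob expansion while word-splitting the request
    set -- $1
    set +f
    [ "${1##*/}" = "scp" ] || { echo other; return 0; }
    shift
    for arg in "$@"; do
        case "$arg" in
            -t) echo upload; return 0 ;;
            -f) echo download; return 0 ;;
            -*) ;;              # other scp flags (-v, -r, -p, -d) precede -t/-f
            *)  break ;;        # first path argument: stop looking
        esac
    done
    echo other
}

# forced_command REQUEST: print the command the server will run, or fail.
# The client's path never appears in the result.
forced_command() {
    [ "$(classify_request "$1")" = upload ] || return 1
    printf 'scp -t %s\n' "$DROP_DIR"
}

# Only act when sshd supplied a client request; a bare login just ends.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if forced_command "$SSH_ORIGINAL_COMMAND" >/dev/null; then
        exec scp -t "$DROP_DIR"
    fi
    # Client-controlled text: replace non-printable bytes before logging.
    safe=$(printf '%s' "$SSH_ORIGINAL_COMMAND" | tr -c '[:print:]' '?')
    logger -t scp-dropbox "refused request: $safe" 2>/dev/null || true
    echo "scp-dropbox: upload only" >&2
    exit 1
fi
```

Clients running OpenSSH 9.0 or later use the SFTP protocol for scp by default, so they need scp -O to speak the legacy protocol that scp -t expects.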