Hello,

in order to use "scp", the scp binary has to be in the compile-time
default path on the remote host. For some users (like root), we try to
avoid this since scp may be on a network file system (AFS/NFS), and we
don't want to hang root's session on network outages.

Would a patch to scp be acceptable in the main tree that allows to set
the path to remote scp explicitly, either as a new command line or as
an ENV variable (it looks like a ssh config file parameter won't work,
since the file is not read by scp itself).

I know that a workaround is to put "PATH=/path/to/bla" into these users'
.ssh/environment or as a parameter to their key, but I don't want this
PATH to be taken for interactive use.

Please advise.

Best regards
Jan Iven

PS: a small patch so that /full/path/to/scp will find the
corresponding local /full/path/to/ssh is appended below.

--- openssh/scp.c~ Sat Oct 28 05:19:58 2000
+++ openssh/scp.c Tue Nov 7 17:59:37 2000
@@ -245,7 +245,7 @@
char *argv[];
{
int ch, fflag, tflag;
- char *targ;
+ char *targ, *pathsep;
extern char *optarg;
extern int optind;
@@ -253,6 +253,19 @@
addargs("ssh"); /* overwritten with ssh_program */
addargs("-x");
addargs("-oFallBackToRsh no");
+
+ /* check explicit path for ssh binary, default is SSH_PROGRAM */
+ if ((argc > 0) &&
+ (argv[0] != NULL)) {
+ pathsep = strrchr(argv[0], '/');
+ if (pathsep != NULL) {
+ pathsep++;
+ *pathsep = 0;
+ ssh_program = xmalloc(strlen(argv[0]) + 4); /* "../path" +
"ssh\0" */
+ strcpy(ssh_program, argv[0]);
+ strcat(ssh_program, "ssh");
+ }
+ }
fflag = tflag = 0;
while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:")) != EOF)
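
Review bot: In the new block, `*pathsep = 0;` truncates argv[0] in place, so the getopt() call that follows reports the bare directory as the program name in its diagnostics; take the prefix length from pathsep and copy that many bytes instead of writing through the pointer. The `strrchr(argv[0], '/')` test also accepts relative names such as ./scp, which makes ssh_program depend on the current directory, and nothing checks that the derived file exists before the SSH_PROGRAM default is replaced; consider requiring `argv[0][0] == '/'` and keeping the default when the derived path is not an executable file. The comment on the xmalloc line has been wrapped by the mailer onto a line without a `+` prefix, so the patch will not apply as posted.
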
On 18 Dec 2000, Jan IVEN wrote:
> Hello,
>
> in order to use "scp", the scp binary has to be in the compile-time
> default path on the remote host. For some users (like root), we try to
> avoid this since scp may be on a network file system (AFS/NFS), and we
> don't want to hang root's session on network outages.
>
> Would a patch to scp be acceptable in the main tree that allows to set
> the path to remote scp explicitly, either as a new command line or as
> an ENV variable (it looks like a ssh config file parameter won't work,
> since the file is not read by scp itself).
>
> I know that a workaround is to put "PATH=/path/to/bla" into these users'
> .ssh/environment or as a parameter to their key, but I don't want this
> PATH to be taken for interactive use.
>
> Please advise.
>
> Best regards
> Jan Iven
>
> PS: a small patch so that /full/path/to/scp will find the
> corresponding local /full/path/to/ssh is appended below.

If I'm not mistaken, with this you can force the remote server to
execute a trojaned ssh, if you run e.g. '/tmp/scp user@remote:xxx .'
and have managed to create /tmp/ssh on the remote system.

Doesn't look good as this breaks sshd expectations with regard to PATH
and what users can control.

-- 
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords

you cannot assume that the path for the remote scp
is the same as for the local scp.

it's better to add an option to scp, e.g.:

	$ scp -X /remote/path/to/scp /etc/passwd otherhost:/etc

-m

On Mon, Dec 18, 2000 at 03:48:45PM +0100, Jan IVEN wrote:
> Hello,
>
> in order to use "scp", the scp binary has to be in the compile-time
> default path on the remote host. For some users (like root), we try to
> avoid this since scp may be on a network file system (AFS/NFS), and we
> don't want to hang root's session on network outages.
>
> Would a patch to scp be acceptable in the main tree that allows to set
> the path to remote scp explicitly, either as a new command line or as
> an ENV variable (it looks like a ssh config file parameter won't work,
> since the file is not read by scp itself).
>
> I know that a workaround is to put "PATH=/path/to/bla" into these users'
> .ssh/environment or as a parameter to their key, but I don't want this
> PATH to be taken for interactive use.
>
> Please advise.
>
> Best regards
> Jan Iven
>
> PS: a small patch so that /full/path/to/scp will find the
> corresponding local /full/path/to/ssh is appended below.
>
> --- openssh/scp.c~ Sat Oct 28 05:19:58 2000 > +++ openssh/scp.c Tue Nov 7 17:59:37 2000 > @@ -245,7 +245,7 @@ > char *argv[]; > { > int ch, fflag, tflag; > - char *targ; > + char *targ, *pathsep; > extern char *optarg; > extern int optind; > > @@ -253,6 +253,19 @@ > addargs("ssh"); /* overwritten with ssh_program */ > addargs("-x"); > addargs("-oFallBackToRsh no"); > + > + /* check explicit path for ssh binary, default is SSH_PROGRAM */ > + if ((argc > 0) && > + (argv[0] != NULL)) { > + pathsep = strrchr(argv[0], '/'); > + if (pathsep != NULL) { > + pathsep++; > + *pathsep = 0; > + ssh_program = xmalloc(strlen(argv[0]) + 4); /* "../path" + "ssh\0" */ > + strcpy(ssh_program, argv[0]); > + strcat(ssh_program, "ssh"); > + } > + } > > fflag = tflag = 0; > while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:")) != EOF) > >
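
The concern discussed in this thread, as an added example that is not part of any message above and is not OpenSSH code: a companion `ssh` path derived from `argv[0]` is only as trustworthy as the directory it names. The function names and the policy (absolute path, root-owned, not group- or world-writable) are assumptions of this example; parent directories further up are not checked.

```c
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Policy (an assumption of this example): trust only root-owned paths
 * that are neither group- nor world-writable. */
static int mode_is_trusted(uid_t owner, mode_t mode)
{
	return owner == 0 && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

static int path_is_trusted(const char *path)
{
	struct stat st;
	return stat(path, &st) == 0 && mode_is_trusted(st.st_uid, st.st_mode);
}

/* Write "<directory of argv0>/ssh" to out without modifying argv0.
 * Only an absolute argv0 is accepted, so the result never depends on
 * the current directory. Returns 0 on success, -1 otherwise. */
static int sibling_ssh_path(const char *argv0, char *out, size_t outlen)
{
	size_t dirlen;
	if (argv0 == NULL || argv0[0] != '/')
		return -1;
	dirlen = (size_t)(strrchr(argv0, '/') - argv0) + 1; /* keep the '/' */
	if (dirlen + sizeof("ssh") > outlen)          /* sizeof counts the NUL */
		return -1;
	memcpy(out, argv0, dirlen);
	memcpy(out + dirlen, "ssh", sizeof("ssh"));
	return 0;
}

/* Accept the derived path only if the directory and the binary both
 * pass the policy; on -1 the caller keeps its compiled-in default. */
static int pick_ssh(const char *argv0, char *out, size_t outlen)
{
	char dir[1024];
	size_t dirlen;
	if (sibling_ssh_path(argv0, out, outlen) != 0)
		return -1;
	dirlen = strlen(out) - strlen("ssh");
	if (dirlen >= sizeof(dir))
		return -1;
	memcpy(dir, out, dirlen);
	dir[dirlen] = '\0';
	return (path_is_trusted(dir) && path_is_trusted(out)) ? 0 : -1;
}
```

The stat() checks are advisory: the file can change between the check and the later exec, so they narrow the exposure rather than remove it.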