openssh unix dev - Jul 2000 - scp over 2 hosts

Hi folks,

I have the that I must copy some through a Plag-Gateway of a Firewall over 2
host. A secure connection via "ssh - t hosta ssh -t hostb" works fine,
but does this work with scp too? Icould not realize it either with scp (1.2.27
of ssh.com) or scp from openssh. Do you have any ideas?

Thanks
Stephan

Stephan Hendl wrote:
> 
> Hi folks,
> 
> I have the that I must copy some through a Plag-Gateway of a Firewall over
> 2 host. A secure connection via "ssh - t hosta ssh -t hostb"
works fine,
> but does this work with scp too? Icould not realize it either with scp
> (1.2.27 of ssh.com) or scp from openssh. Do you have any ideas?
My firewall blocks incoming connections to low ports so I have to use 
"ssh -P host1" to tell ssh to use a high numbered port.  The
commercial
ssh's scp includes the -L option to do the same (scp -L host1:file
host2:file), but OpenSSH's scp is missing this option.  Attached is a patch
I submitted to the list a week or two ago that adds the -L option to scp.

Hope this helps!
-------------- next part --------------
--- openssh-2.1.1p2.orig/scp.c	Thu Jun 22 06:32:32 2000
+++ openssh-2.1.1p2/scp.c	Fri Jul  7 12:28:27 2000
@@ -8,6 +8,11 @@
  *
  * 1995 Timo Rinne <tri at iki.fi>, Tatu Ylonen <ylo at cs.hut.fi>
  *
+ * Changes:
+ *
+ * 2000/7/7  Jason Spangler <jasons at usemail.com>
+ * Added nonprivilaged port option -L that passes -P option to SSH
+ *
 */
 
 /*
@@ -93,6 +98,9 @@
    and passphrase queries are not allowed). */
 int batchmode = 0;
 
+/* This is set to non-zero if a non-privilaged port is desired. */
+int nonprivilaged_port = 0;
+
 /* This is set to the cipher type string if given on the command line. */
 char *cipher = NULL;
 
@@ -161,6 +169,8 @@
 			args[i++] = "-C";
 		if (batchmode)
 			args[i++] = "-oBatchMode yes";
+		if (nonprivilaged_port)
+			args[i++] = "-P";
 		if (cipher != NULL) {
 			args[i++] = "-c";
 			args[i++] = cipher;
@@ -252,7 +262,7 @@
 	extern int optind;
 
 	fflag = tflag = 0;
-	while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46")) != EOF)
+	while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46L")) != EOF)
 		switch (ch) {
 		/* User-visible flags. */
 		case '4':
@@ -300,6 +310,9 @@
 		case 'q':
 			showprogress = 0;
 			break;
+		case 'L':
+			nonprivilaged_port = 1;
+			break;
 		case '?':
 		default:
 			usage();
@@ -406,16 +419,18 @@
 				else if (!okname(suser))
 					continue;
 				(void) sprintf(bp,
-					       "%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s
'%s%s%s:%s'",
+					       "%s%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s
'%s%s%s:%s'",
 					       SSH_PROGRAM, verbose_mode ? " -v" : "",
+					       nonprivilaged_port ? " -P" : "",
 					       suser, host, cmd, src,
 					       tuser ? tuser : "", tuser ? "@" : "",
 					       thost, targ);
 			} else {
 				host = cleanhostname(argv[i]);
 				(void) sprintf(bp,
-					       "exec %s%s -x -o'FallBackToRsh no' -n %s %s %s
'%s%s%s:%s'",
+					       "exec %s%s%s -x -o'FallBackToRsh no' -n %s %s %s
'%s%s%s:%s'",
 					       SSH_PROGRAM, verbose_mode ? " -v" : "",
+					       nonprivilaged_port ? " -P" : "",
 					       host, cmd, src,
 					       tuser ? tuser : "", tuser ? "@" : "",
 					       thost, targ);
--- openssh-2.1.1p2.orig/scp.1	Wed Apr 12 21:26:37 2000
+++ openssh-2.1.1p2/scp.1	Fri Jul  7 12:25:32 2000
@@ -106,6 +106,14 @@
 Forces
 .Nm
 to use IPv6 addresses only.
+.It Fl L
+Use a non-privileged port for outgoing connections.
+This can be used if your firewall does
+not permit connections from privileged ports.
+Note that this option turns off
+.Cm RhostsAuthentication
+and
+.Cm RhostsRSAAuthentication .
 .Sh AUTHORS
 Timo Rinne <tri at iki.fi> and Tatu Ylonen <ylo at cs.hut.fi>
 .Sh HISTORY
--- openssh-2.1.1p2.orig/scp.0	Sat Jul  1 04:43:10 2000
+++ openssh-2.1.1p2/scp.0	Fri Jul  7 12:27:42 2000
@@ -56,6 +56,11 @@
 
      -6      Forces scp to use IPv6 addresses only.
 
+     -L      Use a non-privileged port for outgoing connections.  This can be
+             used if your firewall does not permit connections from privileged
+             ports.  Note that this option turns off RhostsAuthentication and
+             RhostsRSAAuthentication.
+
 AUTHORS
      Timo Rinne <tri at iki.fi> and Tatu Ylonen <ylo at cs.hut.fi>

I dunno, if scp doesn't work, then you can always do the following:

copy from:
ssh hosta ssh hostb cat /tmp/yourfile > yourfile

copy to:
cat yourfile | ssh hosta ssh hostb "cat > /tmp/yourfile"

I use this to perform backups / remote restorations (replacing cat with
tar).

Stephan Hendl wrote:
> 
> Hi folks,
> 
> I have the that I must copy some through a Plag-Gateway of a Firewall over
2 host. A secure connection via "ssh - t hosta ssh -t hostb" works
fine, but does this work with scp too? Icould not realize it either with scp
(1.2.27 of ssh.com) or scp from openssh. Do you have any ideas?
> 
> Thanks
> Stephan

On Thu, 20 Jul 2000, Stephan Hendl wrote:
> Hi folks,
> 
> I have the that I must copy some through a Plag-Gateway of a Firewall
> over 2 host. A secure connection via "ssh - t hosta ssh -t hostb"
> works fine, but does this work with scp too? Icould not realize it
> either with scp (1.2.27 of ssh.com) or scp from openssh. Do you have
> any ideas?
Yes, I do the following

scp jdoe at firewall:joe at myserver:/tmp/source /tmp/dest

I use Kerberos authentication, however.  I wrote the following note for
some internal documentation for F-Secure SSH.  It may very well apply to
OpenSSH:

SCP uses the same communications channel for transferring data that would
be used to prompt the user for a password. Further, the standard SCP
client insists on not forwarding RSA authentication or X-windows.
Therefore the above commands will normally work only if the internal
machine (myserver) accepts Kerberos tickets. To allow scp to work with RSA
keys or open a password authentication X-Window (using ssh-askpass), you
will need to do the following:

   1.Download the scpssh Perl script to the client and remember the path
to where you save it. 

   2.Make scpssh executable: 

        chmod +x /path/to/scpssh

   3.Always begin SCP commands with the -S option and the pathname of the
scpssh: 

        scp -S /path/to/scpssh

The scpssh script is as follows:

#!/usr/local/bin/perl
while ($_ = shift(@ARGV)) {
        if ($_ eq "-x") {
                next;
        } elsif ($_ eq "-a") {
                next;
        } elsif ($_ eq "-oClearAllForwardings yes") {
                next;
        } else {
                push(@args, $_);
        }
}
exec("/usr/local/bin/ssh", @args);



-- 
Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information