petesea at bigfoot.com wrote:
> I'm a bit confused how scp works... could someone please explain the
> local/remote external calls that happen when scp is started... in
> particular how it relates to ssh on the remote site?
>
> To be more specific...
>
> I use Kerberos for authentication and I've been working on an ssh wrapper
> script that checks my Kerberos credentials before running the ssh command.
> If the credentials are missing or expired it gives a more appropriate
> message... something a bit more obvious than the standard "Permission
> denied" message from ssh.
>
> So... let's say this ssh wrapper is called "ssh" and it's in my $HOME/bin
> dir (which is first on my PATH).
>
> I have (for the sake of this discussion) 2 boxes... box1 and box2. The
> ssh wrapper script exists ONLY on box2.
>
> If I do an scp FROM box1 (which does NOT have this wrapper script) to box2
> AND my credentials have expired on box2, scp will fail with a message that
> my credentials have expired (which comes from my wrapper script)... which
> obviously means somehow my ssh wrapper on box2 was run. This leads me to
> the conclusion that running scp on box1 to box2 somehow starts the ssh
> client on box2.
>
> Is that correct? If so, could someone please outline exactly what happens
> both local and remote when scp is run.

Basically, there's 3 cases. From your example above:

1) box1$ scp /foo /bar

This is a local-to-local copy. scp just invokes cp to do the copy, and
no ssh connection is involved.

2) box1$ scp /foo box2:/bar

This is a local-to-remote copy. scp on box 1 invokes "ssh box2 scp -t
/bar". You end up with the following processes involved:

    scp(box1) -> ssh(box1) -tcp-> sshd(box2) -> scp(box2).

The same is true for remote-to-local copies, the only difference
being the arguments given to the remote scp.

3) box1$ scp box2:/foo box3:/bar

This is a remote-to-remote copy. scp on box1 runs the equivalent of
"ssh box2 scp /foo box3:/bar". You end up with

    scp(box1) -> ssh(box1) -tcp-> sshd(box2) -> scp(box2) -> ssh(box2)
    -tcp-> sshd(box3) -> scp(box3).

(The "->" denotes a local pipe or socketpair, depending on your
platform.)

So in your example, if you run:

    box1$ scp box2:/foo box1:/bar

then ssh is being invoked on box2 because it's case #3 above. What
exact command are you using? If you add "-v" to the scp command line
then you can see what it runs under the covers.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
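
The three cases from the reply above, modelled as shell functions that print the process chain and the hosts on which an ssh client is started. This is an added example, not part of the original thread and not code from scp itself; the helper names (is_remote, host_of, scp_chain, ssh_client_hosts) are hypothetical, and the chains follow the behaviour exactly as the reply describes it.

```shell
#!/bin/sh
# Added example: models the scp process chains as described in the reply.
# All function names here are hypothetical helpers, not part of scp.

# Succeeds when the argument has the form [user@]host:path.
is_remote() {
    prefix=${1%%:*}
    [ "$prefix" != "$1" ] || return 1        # no colon at all: local path
    [ -n "$prefix" ] || return 1             # leading colon: local file name
    case $prefix in */*) return 1 ;; esac    # slash before the colon: local path
    return 0
}

# Prints the host part of [user@]host:path.
host_of() {
    h=${1%%:*}
    printf '%s\n' "${h##*@}"
}

# scp_chain LOCALHOST SRC DST: chain for "scp SRC DST" typed on LOCALHOST.
scp_chain() {
    l=$1
    if is_remote "$2" && is_remote "$3"; then     # case 3: remote-to-remote
        s=$(host_of "$2"); d=$(host_of "$3")
        echo "scp($l) -> ssh($l) -tcp-> sshd($s) -> scp($s) -> ssh($s) -tcp-> sshd($d) -> scp($d)"
    elif is_remote "$2"; then                     # case 2: remote-to-local
        r=$(host_of "$2")
        echo "scp($l) -> ssh($l) -tcp-> sshd($r) -> scp($r)"
    elif is_remote "$3"; then                     # case 2: local-to-remote
        r=$(host_of "$3")
        echo "scp($l) -> ssh($l) -tcp-> sshd($r) -> scp($r)"
    else                                          # case 1: local-to-local
        echo "cp($l)"
    fi
}

# ssh_client_hosts LOCALHOST SRC DST: hosts where an ssh client process runs.
ssh_client_hosts() {
    if is_remote "$2" && is_remote "$3"; then
        echo "$1 $(host_of "$2")"     # local host, plus the source host
    elif is_remote "$2" || is_remote "$3"; then
        echo "$1"                     # only the host where scp was typed
    fi
}

# The command from the end of the reply, typed on box1:
scp_chain box1 box2:/foo box1:/bar
```

For the last command the ssh client runs on both box1 and box2, which is why a check tied to the ssh client on box2 can fire even though the copy was started on box1.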