similar to: Developers word on SFTP/SCP chroot'ing?

2017 Oct 20
4
scp setup jailed chroot on Centos7
Dear all, I'm looking for instructions on how to set up a jailed chroot directory for a user who needs to upload via scp to the server. Especially I miss clear instructions about what needs to be in the jailed directory available, like binaries, libraries, etc... Without jail I get it to work, but I want to prevent user downloading for example /etc folder from the server. Does anybody have a
2017 Oct 24
3
scp setup jailed chroot on Centos7
-----Original Message----- From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Rainer Duffner Sent: Saturday, 21 October 2017 00:41 To: CentOS mailing list Subject: Re: [CentOS] scp setup jailed chroot on Centos7 > On 20.10.2017 at 15:58, Adrian Jenzer <a.jenzer at herzogdemeuron.com> wrote: > > Dear all > > I'm looking for instructions on how to set up a
2023 Dec 08
1
Non-shell accounts and scp/sftp
On 07/12/23, Philip Prindeville (philipp_subx at redfish-solutions.com) wrote: > We have a CLI that certain users get dropped into when they log in. One of the things they can do is generate certificates (actually .p12 key/certificate bundles) that they will then scp out of the box from another host. Off topic, and assuming the .p12 bundles need to be post-processed by clients for use by ssh,
2017 Sep 01
3
sftp/scp only without real users
Hi, my goal: sftp/scp only access, without the need for linux users. I want to provide 10 sftp/scp directories to 10 people. Let's call this "virtual account" I don't want to create linux users for each of them. I would like to create one linux user (backup_user). In his home-directory will be 10 directories. For each "virtual account" one directory. Every
2019 Nov 03
2
scp, sftp, and special characters in filenames
I have not been able to get scp(1) to download a file with a newline in its name. I know that scp(1) requires that remote filenames be escaped for the shell, but that leads to protocol errors. I am also unable to get sftp(1) to handle such files. It fails with an "unterminated quoted argument" error, no matter how I try to quote the newline. Furthermore, the SFTP CLI is not well-suited to
2019 Nov 04
2
scp, sftp, and special characters in filenames
On Mon, 4 Nov 2019, David Newall wrote: > On 4/11/19 3:29 am, Demi M. Obenour wrote: > > I have not been able to get scp(1) to download a file with a newline > > in its name. I know that scp(1) requires that remote filenames be > > escaped for the shell, but that leads to protocol errors. > > I see something much worse: > > $ sudo sh > # echo
2019 Jan 23
3
sftp Vs scp
Damien, Reading the various articles about https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt have caused me to question the wisdom of using scp. Your observation: > Date: Tue, 22 Jan 2019 13:48:34 +1100 (AEDT) > From: Damien Miller <djm at mindrot.org> > Subject: Re: Status of SCP vulnerability > > "Don't use scp with untrusted
2020 Aug 05
2
Deprecation of scp protocol and improving sftp client
On 2020/08/05 16:17, raf wrote: > The problem is when, for example, you only have > scp/sftp access to a remote server, such as your bank, > and you use WinSCP to transfer transaction files to > them to be actioned (people do this where I work), and > the bank hasn't properly protected themselves from this > "vulnerability". I really hope all banks do take this >
2020 Aug 03
3
Deprecation of scp protocol and improving sftp client
On Mon, 2020-08-03 at 19:17 +0200, Thorsten Glaser wrote: > That would be the same as killing scp? Better that... than having an inherently insecure scp... or at least make it absolutely clear and rename it to i[nsecure]scp. If the core functionality of a program (which is here probably the "secure") is no longer given, then it's IMO better to rather cause breakage (at least for
2019 Jan 24
3
sftp Vs scp
I almost never use bare 'scp' or 'sftp' anymore; I start with either 'rsync' or, if 'rsync' is not present and not installable on one end or the other, the "tar-over-bare-ssh" approach:
```
tar cf - localpath | ssh remote.host 'cd remotepath && tar xvf -'
```
I'd be in favor of one of the following: 1. 'scp' goes away, and
2019 Jan 24
2
sftp Vs scp
Hi, On Thu, Jan 24, 2019 at 08:26:39PM +0000, Colin Watson wrote: > On Thu, Jan 24, 2019 at 12:00:48PM -0800, Jim Knoble wrote: > > 3. 'scp' stays, but becomes the CLI for SFTP, and the SCP protocol breaks. > > Why does "scp becomes the CLI for SFTP" necessitate "the SCP protocol > breaks"? The way scp works today is "run ssh to the remote,
2011 Oct 12
1
Scp and SFTP speed much difference???
We have CENTOS 5.X on server A and Server B. Both servers have Gigabit network card connect to same switch. I test network speed from Server A to Server B and found speed much difference: SFTP: 42 MB/Sec SCP: 20 MB/sec SCP command: scp -Crp -o CompressionLevel=1 user1@ServerB:/TMP/File1 . Anyone know how to improve SCP speed?
2020 Aug 03
2
Deprecation of scp protocol and improving sftp client
On Tue, 4 Aug 2020, raf wrote: > In such cases, this vulnerability can be mitigated by > the use of an ssh-specific command whitelisting control > such as: Probably just as easy: give the user a restricted shell (/bin/rmksh) as shell and set their PATH etc. suitably, to not include any other commands. bye, //mirabilos PS: Full disclosure: I'm the mksh developer -- "MyISAM tables
2006 Jul 06
2
scp/sftp weirdness
Hi ya'll- I'm having this weird problem with the new version of OpenSSH compiled on Solaris, version 4.3p2. SSH and SSHD work fine, all is well. But when I try to sftp or scp something I get this: % sftp bullitt Connecting to bullitt... command-line: line 0: Bad configuration option: PermitLocalCommand Connection closed % "PermitLocalCommand" doesn't appear in
2020 Jul 15
3
Deprecation of scp protocol and improving sftp client
On Wed, 15 Jul 2020, Red Cricket wrote: > I have had this in my .bashrc for years: > > alias scp='rsync -avzP' Similar, though I named it rcp because nobody has the real rcp installed any more, but sometimes I need scp to connect to systems that lack rsync. https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD >
2023 Dec 07
3
Non-shell accounts and scp/sftp
Hi, We have a CLI that certain users get dropped into when they log in. One of the things they can do is generate certificates (actually .p12 key/certificate bundles) that they will then scp out of the box from another host. Problem is that if their default shell isn't sh, ash, dash, bash, zsh, etc. then things break. Is there a workaround to allow scp/sftp to continue to work even for
2019 Nov 04
4
scp, sftp, and special characters in filenames
On Mon, 4 Nov 2019 at 14:07, David Newall <openssh at davidnewall.com> wrote: > [about scp] That's just awful, and I should have > thought it was not at all necessary. Am I missing something? > If you're saying that the scp protocol is an unfixable mess then the openssh team has been agreeing[0] with you for at least a decade and a half. We fix what we can, but some
2019 Jan 24
5
sftp Vs scp
On Thu, 2019-01-24 at 12:27 -0600, Ben Lindstrom wrote: > I know it isn't a "UI replacement" but it at least provides a more > complete UI for phasing people off of scp. I don't think this is an ideal solution... OpenSSH should be "overall" secure (that's what it's meant for), and especially not be a collection of tools/algos/etc. of which some(!) are
2002 Apr 05
1
Chroot of SCP and SFTP-server
Hi, I was thinking about the difficulties and complexities of using chroot in scp or sftp-server, in order to limit the user in which files they can access. I've seen a lot of arguments about how it is pointless to try and secure scp or sftp (also from a logging perspective) because if we allow SSH access, the user can simply provide their own scp or sftp binary, that does not do the
2020 Aug 03
6
Deprecation of scp protocol and improving sftp client
I hear you - but it seems that the choice is between (a) limiting "scp" functionality to address the security vulnerability, and (b) killing "scp" altogether. I'd much prefer (a), even if it means I lose "scp remotehost:foo\* .". Especially, since (almost always) I have equal privileges on both local and remote hosts, so in that case I just originate that