Fix SCP support, but break jail #2

Open, wants to merge 1 commit into base: master

danielskowronski

Fix SCP support, but break jail. Proposing this change anyway as I really needed support for SCP from an embedded system (some modern systems somehow issue SFTP even when the scp client is called).


Unfortunately, OpenSSH allows jailing with SFTP by using a dirty hack - internal-sftp is a magic way to call the internal SFTP process, allowing the user to break the rules of ChrootDirectory, which require a set of files to be under the path specified (things like the binary specified in ForceCommand and basic /dev nodes).

At the same time, the internal-sftp binary (/usr/lib/openssh/sftp-server) completely delegates jailing/chrooting to OpenSSH and has no command-line options to restrict what it can read/write.

On the other hand, scp can be somewhat jailed on its own (except symlinks, which should be doable by other tools on Linux) due to the fixed way it sends and receives files with -f, -t and -d.


Maybe some alternative SSH server should also be considered - I was originally hoping for the ability to Match selected subsystem and based on that set standard SFTP config or just leave ForceCommand with proxy script for SCP.
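
The description above relies on scp's remote side always being invoked in a fixed form with -f, -t and -d. As an added illustration (not the script from this pull request), a ForceCommand wrapper could validate SSH_ORIGINAL_COMMAND as follows; `JAIL_ROOT`, its default path and `scp_jail_parse` are assumed names.

```shell
#!/bin/sh
# Added example: ForceCommand wrapper that accepts only scp's remote modes.
# JAIL_ROOT and scp_jail_parse are hypothetical names, not from the PR.
LC_ALL=C; export LC_ALL                     # byte-wise character ranges
JAIL_ROOT=${JAIL_ROOT:-/srv/scp-jail}       # assumed upload directory

# scp_jail_parse CMD: on success sets SCP_FLAGS and SCP_TARGET and returns 0.
scp_jail_parse() {
    cmd=$1; mode=; flags=
    set -f                                  # split into words without globbing
    # shellcheck disable=SC2086
    set -- $cmd
    set +f
    [ "${1:-}" = scp ] || return 1          # anything but scp is refused
    shift
    while [ $# -gt 1 ]; do                  # every word before the path
        case $1 in
            -t|-f) [ -z "$mode" ] || return 1; mode=$1 ;;
            -d|-r|-p) ;;
            *) return 1 ;;                  # no other options are accepted
        esac
        flags="${flags:+$flags }$1"
        shift
    done
    [ -n "$mode" ] || return 1              # must be sink (-t) or source (-f)
    path=${1:-}
    case $path in
        ''|-*|*[!A-Za-z0-9._/-]*) return 1 ;;   # option-like or odd characters
        ..|../*|*/..|*/../*) return 1 ;;        # parent-directory components
    esac
    # Lexical check only: symlinks inside JAIL_ROOT are not resolved here.
    SCP_FLAGS=$flags
    SCP_TARGET=$JAIL_ROOT/${path#/}
}

# Entry point when sshd runs this file through ForceCommand.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    scp_jail_parse "$SSH_ORIGINAL_COMMAND" || { echo "scp only" >&2; exit 1; }
    # shellcheck disable=SC2086  # SCP_FLAGS contains only the vetted flags
    exec scp $SCP_FLAGS -- "$SCP_TARGET"
fi
```

The requested path is never passed through a shell, and it is re-rooted under `JAIL_ROOT` rather than trusted as sent, so a client asking for `/upload/fw.bin` writes to `$JAIL_ROOT/upload/fw.bin`.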
