How to disable SCP ? - SSH

This is a discussion on How to disable SCP ? - SSH ; I can disable sftp by modified the /etc/ssh/sshd_config but,how to disable scp? any suggestion?...

+ Reply to Thread
Results 1 to 7 of 7

Thread: How to disable SCP ?

  1. How to disable SCP ?


    I can disable sftp by modified the /etc/ssh/sshd_config
    but,how to disable scp?
    any suggestion?



  2. Re: How to disable SCP ?

    If I recall correctly, scp works by connecting to the other machine by
    ssh and then invoking the copy of scp on the other side. If you
    change the permissions of scp so that the appropriate user (sshd or
    the logging in user, I can't remember) cannot execute it on the server
    side, then clients shouldn't be able to scp. This has the side effect
    of stopping server-side users from using scp too, which is probably
    what you want.


    ~Ed

  3. Re: How to disable SCP ?

    rong wrote:

    > I can disable sftp by modified the /etc/ssh/sshd_config
    > but,how to disable scp?


    As long as the remote users can execute arbitrary commands on the
    server it makes no sense to try to disable scp. Its functionality can
    easily be substituted by standard userspace utilities. And as soon as
    you restrict the commands that can be executed by a user (e.g. by using
    the "command" option in an an authorized_keys file) the respective user
    cannot use scp any more as well unless it is allowed explicitly.

    Paul

  4. Re: How to disable SCP ?

    >>>>> "PH" == Paul Hink writes:

    PH> rong wrote:
    >> I can disable sftp by modified the /etc/ssh/sshd_config but,how to
    >> disable scp?


    PH> As long as the remote users can execute arbitrary commands on the
    PH> server it makes no sense to try to disable scp. Its functionality
    PH> can easily be substituted by standard userspace utilities...

    The same is true of sftp as well. Standard sftp clients invoke the server
    using the subsystem mechanism, but you can easily arrange to run
    sftp-server directly.

    --
    Richard Silverman
    res@qoxp.net


  5. Re: How to disable SCP ?


    "Richard E. Silverman" wrote in message
    news:m28xw05qzs.fsf@darwin.oankali.net...
    >>>>>> "PH" == Paul Hink writes:

    >
    > PH> rong wrote:
    > >> I can disable sftp by modified the /etc/ssh/sshd_config but,how to
    > >> disable scp?

    >
    > PH> As long as the remote users can execute arbitrary commands on the
    > PH> server it makes no sense to try to disable scp. Its functionality
    > PH> can easily be substituted by standard userspace utilities...
    >
    > The same is true of sftp as well. Standard sftp clients invoke the server
    > using the subsystem mechanism, but you can easily arrange to run
    > sftp-server directly.


    An SSH chroot cage such as that at http://sourceforge.net/projects/jail are
    a useful way to set up a locally restricted environment: Create a local
    homedir on the target machine that lacks cat, cp, rsync, and other basic
    file system tools and you can restrict such abilities, along with making the
    user homedir not owned by them and impervious to writing.

    Are you worried about copying *by* the user, or the user copying things *to*
    the server? If you want that kind of limited access, you might consider
    using WebDAV over HTTPS instead of SSH. I've had good success creating
    read-only or write-limited access to restricted directories this way.



  6. Re: How to disable SCP ?

    Richard E. Silverman wrote:

    >>>>>> "PH" == Paul Hink writes:

    >
    > PH> rong wrote:
    > >> I can disable sftp by modified the /etc/ssh/sshd_config but,how to
    > >> disable scp?

    >
    > PH> As long as the remote users can execute arbitrary commands on the
    > PH> server it makes no sense to try to disable scp. Its functionality
    > PH> can easily be substituted by standard userspace utilities...
    >
    > The same is true of sftp as well.


    Yes, of course it is.

    Paul

  7. Re: How to disable SCP ?



    I see.
    Thank you for all.




+ Reply to Thread