EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SCP Access

Posted: 02/06/2014 10:47:35
by Daniel Bryars (Standard support level)
Joined: 01/22/2014
Posts: 9

One of my clients is trying to connect to our sFtp server application using linux.

They usually use a program called scp.

When they use scp it makes the SSH connection to the sFtp service and then hangs. I've recreated the problem on my development machine, the tail of the verbose output looks like this:

debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_ALL = en_US
debug1: Sending command: scp -v -t -- /FileSystem_Testing/FileSystem_Testing_Test/

I've noticed that there is no call to "OnOpenSubsystem" which occurs if I use the sftp application from linux.

Is scp supported? If not can I detect this in the server and send back an error saying it's not supported?


Posted: 02/06/2014 11:13:49
by Eugene Mayevski (Team)

SCP is not SFTP.
I don't know why your client decided that he can connect with SCP to your server if you only declare SFTP support.

SCP works by opening a shell connection and running an external application. The details of how SCP works are described here: http://en.wikipedia.org/wiki/Secure_copy

We don't have SCP support because it's not about security at all, nor does it fit into SecureBlackbox architecture. Basically, it's an independent program which can send or receive files using SCP protocol. Potentially you can implement such program yourself and let it be run when the interactive shell is opened.

Sincerely yours
Eugene Mayevski

Posted: 02/06/2014 15:40:16
by Daniel Bryars (Standard support level)
Joined: 01/22/2014
Posts: 9

Okay that's clear thank you very much.

How do I intercept the scp command being sent, i.e.

Sending command: scp -v -t -- /FileSystem_Testing/FileSystem_Testing_Test/

in my case I want to return an error to the client telling them it's not supported.

Currently the client just hangs.

Posted: 02/07/2014 00:17:52
by Eugene Mayevski (Team)

The server gets a request to open Shell or Command tunnel first. Then, if the tunnel is opened, the client sends its command. So you can either deny the tunnel opening request or, if your server supports shell commands in general, open the tunnel and then inspect the data sent by the client. The second way is obviously more complicated.

Sincerely yours
Eugene Mayevski
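An added illustration of the protocol-level reason behind this explanation (example code, not from the thread and not SecureBlackbox code): under RFC 4254, sftp arrives as a "subsystem" channel request naming "sftp", while scp arrives as an "exec" channel request carrying the command line, so a server that only serves SFTP can decide at the channel-request stage, before any command runs. The sample messages are constructed here, and the accept/deny policy is an assumption of this example, not the library's behaviour.

```python
import struct

SSH_MSG_CHANNEL_REQUEST = 98  # RFC 4254 section 5.4


def _read_string(buf, off):
    """Read an SSH 'string' (uint32 length prefix, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_channel_request(msg: bytes) -> dict:
    """Decode SSH_MSG_CHANNEL_REQUEST far enough to see what the client wants."""
    if msg[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a channel request")
    (channel,) = struct.unpack_from(">I", msg, 1)
    rtype, off = _read_string(msg, 5)
    want_reply = bool(msg[off])
    off += 1
    result = {"channel": channel, "type": rtype.decode("ascii"), "want_reply": want_reply}
    # "exec" carries the command line; "subsystem" carries the subsystem name;
    # "shell" carries nothing (RFC 4254 sections 6.5).
    if result["type"] in ("exec", "subsystem"):
        arg, off = _read_string(msg, off)
        result["argument"] = arg.decode("utf-8", "replace")
    return result


def build_channel_request(channel: int, rtype: str, argument=None, want_reply=True) -> bytes:
    """Encoder used only to construct the sample messages below."""
    out = bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
    out += struct.pack(">I", len(rtype)) + rtype.encode("ascii")
    out += bytes([1 if want_reply else 0])
    if argument is not None:
        a = argument.encode("utf-8")
        out += struct.pack(">I", len(a)) + a
    return out


ALLOWED_SUBSYSTEMS = {"sftp"}  # assumed policy: serve SFTP only


def policy(req: dict):
    """Return (accept, reason) for a parsed channel request."""
    if req["type"] == "subsystem" and req.get("argument") in ALLOWED_SUBSYSTEMS:
        return True, "subsystem sftp"
    if req["type"] == "exec":
        tool = req["argument"].split()[0] if req.get("argument") else ""
        return False, f"exec of '{tool}' refused (only the sftp subsystem is served)"
    return False, f"{req['type']} request refused"
```

Run against the thread's own scp command line the parser reports an "exec" request whose first word is "scp", which is why no subsystem event ever fires for it.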

Posted: 02/07/2014 04:03:42
by Daniel Bryars (Standard support level)
Joined: 01/22/2014
Posts: 9

I don't support anything except sFTP.

How do I prevent the tunnel opening request? Please provide specifics.

I've looked at the code, and I don't understand why the OnOpenSubSystem isn't firing, but then I noticed a couple of other events, OnOpenShell and OnOpenCommand, and I'm not sure why these are different. Currently I do nothing in these; I'm guessing I could terminate the connection here. But I really want to send a nice message back to the client. Is there a standard way to do this, and if so, please send me an example.

Posted: 02/07/2014 05:36:04
by Vsevolod Ievgiienko (Team)

How do I prevent the tunnel opening request?

You can do this inside TElSSHServer.OnBeforeOpenShell and TElSSHServer.OnBeforeOpenCommand event handlers.

but I'm not sure why these are different

The difference is that OnOpenShell is called before a shell is opened for a client and OnOpenCommand is called before a single command is executed on server side.

Posted: 02/07/2014 08:28:24
by Daniel Bryars (Standard support level)
Joined: 01/22/2014
Posts: 9

Thanks, that's great. I'm nearly there.

How do I provide an error message back to the client, and set the error code? My code is below, it correctly returns the error code to the client, but I can't work out how to specify a message too. I've picked 107 as my error code, I guessed at this. If you know of a better error code to signify "This isn't supported, go away" please can you tell me.

private void SshServerOnOnBeforeOpenCommand(object sender, TElSSHTunnelConnection connection, string command, ref bool accept)
{
    // Never allow any commands
    accept = false;

    // Message intended for the client; not yet delivered, see question above
    String errorMessage = String.Format("DENIED: Command '{0}' is not supported. Your connection has been terminated, and your IP Address logged.", command);

    // Guessed error code, see question above
    const int ERROR_SSH_SERVICE_NOT_AVAILABLE = 107;

    Boolean flushCachedData = true;
    connection.Close(ERROR_SSH_SERVICE_NOT_AVAILABLE, flushCachedData);
}

Posted: 02/07/2014 09:02:30
by Vsevolod Ievgiienko (Team)

ERROR_SSH_SERVICE_NOT_AVAILABLE is a good choice. It's not possible to specify a textual message.

Posted: 02/07/2014 09:21:03
by Daniel Bryars (Standard support level)
Joined: 01/22/2014
Posts: 9

Super, thanks for all your help and advice.
