Package: ssh
Version: 1:3.8.1p1-8
Severity: wishlist
AFAIK, single-purpose keys are applicable only to "normal" ssh sessions?
It would be a very useful feature if it were possible to create keys that would apply only to specific pairs of local_files=>remote_files as a "safe" automated way to transfer root-only readable system files on small networks (/etc/shadow, ...).
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i586)
Kernel: Linux 2.4.27-1-k6
Locale: LANG=hr_HR.UTF-8, LC_CTYPE=hr_HR.UTF-8
Versions of packages ssh depends on:
ii adduser 3.59 Add and remove users and groups
ii debconf 1.4.30.5 Debian configuration management sy
ii dpkg 1.10.23 Package maintenance system for Deb
ii libc6 2.3.2.ds1-16 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7d-4 SSL shared libraries
ii libwrap0 7.6.dbs-6 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.1.1-7 compression library - runtime
-- debconf information:
ssh/insecure_rshd:
ssh/privsep_ask: true
* ssh/user_environment_tell:
* ssh/forward_warning:
* ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/SUID_client: true
* ssh/privsep_tell:
ssh/ssh2_keys_merged:
* ssh/protocol2_only: false
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
retitle 282339 single-purpose file transfer keys
tags 282339 upstream
thanks
On Sun, Nov 21, 2004 at 02:25:44PM +0100, Borna Novak wrote:
> Package: ssh
> Version: 1:3.8.1p1-8
> Severity: wishlist
>
> AFAIK, single-purpose keys are applicable only to "normal" ssh sessions?
> It would be a very useful feature if it were possible to create keys
> that would apply only to specific pairs of local_files=>remote_files
> as a "safe" automated way to transfer root-only readable system files
> on small networks (/etc/shadow, ...).
The scp protocol is fixed, and doesn't support this kind of thing as far
as I know; sftp would be the place to do this.
You should be able to create a key that will only let you scp to a
particular target file (use strace to see what command scp is executing
on the remote host, and copy that), which is about the best you can do
given that the remote sshd can't do any better than trusting what the
client says about where the file came from. I agree that this is not
very flexible; it'd be a sizable piece of upstream development to fix,
though ...
Cheers,
--
Colin Watson [[email protected]]
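
The restriction described in the reply above, sketched as a forced-command wrapper. This is an added example, not part of the original thread and not OpenSSH's own code. It assumes the legacy scp protocol, in which the client asks the remote side to run `scp -t <target>`; the script path, target path and key material are placeholders.

```shell
#!/bin/sh
# Hypothetical wrapper, installed as a forced command in the receiving
# account's ~/.ssh/authorized_keys (one line, key material is a placeholder):
#
#   command="/usr/local/bin/scp-sink-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER transfer-key
#
# sshd then runs this script for every login with that key and passes what
# the client actually requested in SSH_ORIGINAL_COMMAND.

ALLOWED_TARGET="/var/backups/incoming/shadow"   # assumed path, adjust locally

# scp_sink_allowed REQUEST TARGET
# Succeeds only if REQUEST is exactly the legacy scp "sink" (receive) command
# for TARGET. The quoted pattern is matched literally, so extra options,
# other paths, "scp -f" (read a file back) and shell metacharacters all fail.
scp_sink_allowed() {
    case "$1" in
        "scp -t $2") return 0 ;;
        *)           return 1 ;;
    esac
}

# Entry point when sshd invokes the script as a forced command.
forced_command_main() {
    if scp_sink_allowed "${SSH_ORIGINAL_COMMAND:-}" "$ALLOWED_TARGET"; then
        # Run a fixed command line; the client-supplied string is never
        # passed to a shell or eval.
        exec scp -t "$ALLOWED_TARGET"
    fi
    # Leave a trace of refused requests (best effort) and tell the client why.
    logger -t scp-sink-only -p auth.warning \
        "refused request from ${SSH_CONNECTION:-unknown}" 2>/dev/null || true
    echo "refused: this key may only run 'scp -t $ALLOWED_TARGET'" >&2
    return 1
}

# Act only when sshd has set SSH_ORIGINAL_COMMAND, i.e. a non-interactive
# request made with the restricted key. Interactive logins leave it unset.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    forced_command_main
    exit $?
fi
```

The key then fixes where the file lands on the receiving host; as the reply notes, the server still has to trust the client about which local file the contents came from.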