SFTP using a single use key.

Hey all.  Okay, first off, we are using the SSH Communications
client/server, *not OpenSSH*.  The version is "SSH Secure Shell 3.2.5
(non-commercial version)".  The source system we are trying to SFTP from
is an HP-UX 11.11 box and the destination system is a Solaris 9 box.
Here's the situation:

I have set up a key with no password (I know all the caveats about this,
but for the scenario we are in we are fine with it) to allow
passwordless ssh connection to an account on the 2 servers.  Now I'm
wanting to limit the key to a single use by adding the Option command=""
in the authorization file on the destination system to just allow the
scp of a specific file from the source to the destination (i.e.
"scp file account@destination:").  With the SSH Com version, scp uses
the sftp subsystem, so what I need is the format that the scp command is
actually translated into so that I can put that command in the key.
Using the -vvv flag on scp to try and get me the command produces the

scp:Scp2/scp2.c:1816: argv[0] = /usr/local/bin/ssh2
scp:Scp2/scp2.c:1816: argv[1] = -l
scp:Scp2/scp2.c:1816: argv[2] = account
scp:Scp2/scp2.c:1816: argv[3] = -v
scp:Scp2/scp2.c:1816: argv[4] = -x
scp:Scp2/scp2.c:1816: argv[5] = -a
scp:Scp2/scp2.c:1816: argv[6] = -o
scp:Scp2/scp2.c:1816: argv[7] = clearallforwardings yes
scp:Scp2/scp2.c:1816: argv[8] = -o
scp:Scp2/scp2.c:1816: argv[9] = passwordprompt %U@%H's password:
scp:Scp2/scp2.c:1816: argv[10] = -o
scp:Scp2/scp2.c:1816: argv[11] = nodelay yes
scp:Scp2/scp2.c:1816: argv[12] = -o
scp:Scp2/scp2.c:1816: argv[13] = authenticationnotify yes
scp:Scp2/scp2.c:1816: argv[14] = destination.system.edu
scp:Scp2/scp2.c:1816: argv[15] = -s
scp:Scp2/scp2.c:1816: argv[16] = sftp

But putting the following in the command in the key doesn't work:

/usr/local/bin/ssh2 -l account -v -x -a -o "clearallforwardings yes" -o
"passwordprompt %U@%H's password:" -o "nodelay yes" -o
"authenticationnotify yes" destination.system.edu -s sftp

So, what am I missing here?  I've done this sort of thing in the past
with OpenSSH, but can't get the details down on this one.  Of course,
any search I get pretty much just returns details on OpenSSH.

Thanks in advance for your help,
Bob Jones

Re: SFTP using a single use key.


This command is run on the *client*, in a subprocess by scp2, to contact
the remote side and start sftp-server.  You took it and put it as the
command to execute on the *server*.  All you want to run on the server is
the "sftp-server" program.  However, you will not be able to accomplish
what you want: unlike scp, the file to transfer is not given on the
command line, and there is no option you can give sftp-server to restrict
it in this way.

  Richard Silverman

Re: SFTP using a single use key.


However, assuming the "subsystem" invocation is subject to the command=
semantics (is it?), I guess it should work to point command= at a
wrapper that fired up sftp-server (probably checking that this is
actually the attempted command first:-), and acted as a proxy for the
SFTP protocol, inspecting the commands received and rejecting anything
"improper". A bit more work than putting a fixed string in the key file.

--Per Hedeland
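As an added illustration of the two replies above (not code from the thread or from SSH Communications), here is a Python sketch of the inspecting wrapper Per describes: it parses the client's SFTP packets (protocol version 3, the draft-ietf-secsh-filexfer layout that sftp-server speaks) and applies a "write exactly one named file" policy, refusing everything else, which is the restriction Richard points out sftp-server itself cannot express. It also shows the "check that this is actually the attempted command" step. That check assumes, as Per does, that the subsystem request goes through command= and, by analogy with OpenSSH's SSH_ORIGINAL_COMMAND, that sshd2 exports the requested command in SSH2_ORIGINAL_COMMAND; both are assumptions. The sample packets at the bottom are constructed for the demonstration; the stdin/stdout pumping between the client channel and a real sftp-server process is left out.

```python
import struct

# Packet types and flags from draft-ietf-secsh-filexfer (SFTP protocol v3).
SSH_FXP_INIT, SSH_FXP_OPEN, SSH_FXP_CLOSE = 1, 3, 4
SSH_FXP_READ, SSH_FXP_WRITE, SSH_FXP_FSTAT = 5, 6, 8
SSH_FXP_FSETSTAT, SSH_FXP_REMOVE, SSH_FXP_STAT = 10, 13, 17
SSH_FXF_READ, SSH_FXF_WRITE, SSH_FXF_CREAT, SSH_FXF_TRUNC = 0x01, 0x02, 0x08, 0x10

# Requests that only act on a handle returned for an OPEN we already vetted.
HANDLE_ONLY_TYPES = {SSH_FXP_WRITE, SSH_FXP_CLOSE, SSH_FXP_FSTAT, SSH_FXP_FSETSTAT}


def sftp_string(b):
    """Encode an SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    """Decode an SSH 'string' at offset off; return (bytes, offset after it)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_packet(ptype, rid, payload=b""):
    """Wire-format one SFTP packet: uint32 length, byte type, uint32 id, payload."""
    body = bytes([ptype]) + struct.pack(">I", rid) + payload
    return struct.pack(">I", len(body)) + body


def open_request(rid, path, pflags):
    """Construct an SSH_FXP_OPEN request with an empty ATTRS block (flags = 0)."""
    payload = sftp_string(path.encode()) + struct.pack(">II", pflags, 0)
    return build_packet(SSH_FXP_OPEN, rid, payload)


def split_packets(data):
    """Split a client->server byte stream into packet bodies (length prefix removed)."""
    bodies, off = [], 0
    while off + 4 <= len(data):
        (n,) = struct.unpack_from(">I", data, off)
        bodies.append(data[off + 4:off + 4 + n])
        off += 4 + n
    return bodies


def decide(body, allowed_path):
    """Policy: the client may create and write exactly allowed_path, nothing else.
    Returns (True, '') when the packet may be forwarded, else (False, reason)."""
    ptype = body[0]
    if ptype == SSH_FXP_INIT:
        return True, ""                       # version negotiation
    if ptype in HANDLE_ONLY_TYPES:
        return True, ""                       # handle came from a vetted OPEN
    if ptype == SSH_FXP_OPEN:
        # After byte type + uint32 id: string filename, uint32 pflags, ATTRS.
        name, off = read_string(body, 5)
        (pflags,) = struct.unpack_from(">I", body, off)
        if name != allowed_path.encode():
            return False, "open of %r refused" % name.decode(errors="replace")
        if pflags & SSH_FXF_READ or not pflags & SSH_FXF_WRITE:
            return False, "only write access to %s is permitted" % allowed_path
        return True, ""
    return False, "packet type %d refused" % ptype


def filter_stream(data, allowed_path):
    """Run the policy over a whole stream; stop at the first refusal."""
    for body in split_packets(data):
        ok, reason = decide(body, allowed_path)
        if not ok:
            return False, reason
    return True, ""


def check_original_command(env, expected="sftp"):
    """Assumption: sshd2 exports the client's requested command/subsystem in
    SSH2_ORIGINAL_COMMAND (as OpenSSH does in SSH_ORIGINAL_COMMAND). The
    wrapper refuses to start sftp-server unless it is the sftp subsystem."""
    return env.get("SSH2_ORIGINAL_COMMAND") == expected


if __name__ == "__main__":
    # Constructed sample: the exchange a single-file upload would produce.
    good = (build_packet(SSH_FXP_INIT, 3)
            + open_request(1, "upload.dat", SSH_FXF_WRITE | SSH_FXF_CREAT | SSH_FXF_TRUNC)
            + build_packet(SSH_FXP_WRITE, 2,
                           sftp_string(b"h") + struct.pack(">Q", 0) + sftp_string(b"data"))
            + build_packet(SSH_FXP_CLOSE, 3, sftp_string(b"h")))
    print(filter_stream(good, "upload.dat"))
    # Constructed sample: an attempt to read a different file is refused at OPEN.
    bad = build_packet(SSH_FXP_INIT, 3) + open_request(1, "other.dat", SSH_FXF_READ)
    print(filter_stream(bad, "upload.dat"))
```

A real scp2 client may issue REALPATH or STAT requests before the OPEN, so the policy table would need extending to match the exact sequence the client sends; the point of the packet-level check is that the decision is made per request, on the filename and open flags, rather than on a fixed command string in the key file.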
