
[Duplicity-tracker] [bug #26464] use only sftp, not scp too?

From: Colin Watson
Subject: [Duplicity-tracker] [bug #26464] use only sftp, not scp too?
Date: Wed, 06 May 2009 16:23:09 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv: Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10

Follow-up Comment #4, bug #26464 (project duplicity):

ChrootDirectory actually already does apply to all of ssh, although it's more
painful to use with anything other than the internal SFTP server as you have
to set up a chroot environment and keep it up to date with security patches.
The debian-administration article doesn't make this especially clear, although
it links to a clearer message from the upstream developers, which incidentally

  "A limitation of the chroot support is that the in-process sftp server does
  not support scp(1) transfers. scp is a really busted protocol and it would be
  a fair bit more work to build it in in the way we have built in sftp. It is
  still possible to support chrooted scp, but administrators will need to
  populate the chroot environment manually. Please use sftp instead."

The problem with using the scheme I was trying to use with duplicity isn't
that ChrootDirectory doesn't work for scp (though, as I said, it's more
painful), but rather that you can't have more than one forced command for a
single key. I can't simultaneously say command="internal-sftp" and
command="scp ..." (and in any case the scp protocol is so dreadful that you
*have* to use a wrapper if you want to restrict a given key to only scp
anyway; it operates by running another instance of scp on the server with a
slew of command-line arguments). As I say, things like rssh exist but I
consider them kludges and would prefer to avoid them. Using just sftp on the
client side would mean that command="internal-sftp" would be straightforward.

No rush on this or anything! I just wanted to file a bug about it while it
was on my mind. Thanks.


  Message sent via/by Savannah
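The scheme the comment describes, written out as an added example (this is not from the original comment or from the duplicity project): an sshd_config Match block that chroots the backup account, and an authorized_keys line that forces the internal SFTP server for the key duplicity uses. The account name `backup`, the chroot path, the key material and the comment field are assumptions.

```text
# /etc/ssh/sshd_config  (added example; user and path names are assumptions)
Subsystem sftp internal-sftp

Match User backup
    # sshd requires the chroot root to be owned by root and not writable by
    # group or others; it refuses the login otherwise. Put the writable
    # backup target in a subdirectory (here /srv/backup-chroot/data, which
    # the chrooted client sees as /data).
    ChrootDirectory /srv/backup-chroot
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no

# ~backup/.ssh/authorized_keys  (added example; key is a placeholder)
# Exactly one command= option applies per key, which is the limitation the
# comment describes: a key can be tied to internal-sftp or to a scp wrapper,
# not to both. Dropping scp on the client side makes this single line enough.
command="internal-sftp",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...EXAMPLE duplicity@backup-client
```

Run `sshd -t` after editing sshd_config to catch syntax errors before reloading, then confirm with `sftp backup@host` that the session lands in the chroot and that `ls /` shows only the populated subdirectory. If the restriction should cover every key of the account rather than one key, `ForceCommand internal-sftp` inside the Match block does that, but note that ForceCommand overrides any command= given in authorized_keys, so the two mechanisms are alternatives rather than layers.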
