• chasil 2 hours ago

    I have a few observations about this article.

    Generally, try not to use SCP. It has been a crufty old program from the Berkeley R-Utilities, but newer OpenSSH releases have rewritten it to use the sftp-server server instead. There will be wildly different behavior between these implementations.

    The backend SCP changes are documented here:

    https://lwn.net/Articles/835962/

    If you need something that SFTP cannot do, then use tar on both sides.

    PuTTY has implemented their pscp to prefer the sftp-server for many years, in a long prediction of the eventual abandonment. Their pscp implementation is a better drop-in replacement than the OpenSSH solutions.

    The allure of SCP is retry on failure, which is somewhat more difficult with SFTP:

      until scp source.txt user@target:dir/
      do echo target down; sleep 300
      done
    
    Converting that to pscp is much easier than SFTP.

    I also have an older rhel5 system where I am running tinysshd to use better SSH crypto. Due to upgrades, NFS is now squashing everything to nobody, so I had to disable precisely these checks to let users log in with their authorized_keys. I can post the code if anybody is curious.

    • elevation 10 minutes ago

      I occasionally use `scp` around my network and have for years. It works great and its simple interface is easy to remember. I don't want to sftp if I have to use tar on both sides. I might type rsync, but then I remember something about how the trailing slash will cause the command to behave differently the second time. I just don't need yet another syntax I'll misremember. As long as scp is in my distro's repositories, I'll be using it.

      • mistrial9 2 hours ago

        you sound so wise and produce excellent reference, but in the next breath you show NFS in use?

        signed -confused

        • gchamonlive 10 minutes ago

          Why is it so self-evident that NFS is bad?

      • procaryote 3 hours ago

        This is a useful tip!

        but also... who has a dir with 777 permissions? Is that something people do nowadays?

        • easterncalculus 2 hours ago

          My guess would be mounting an NTFS partition - with ntfs-3g it will load everything as 777 just by default, since it can’t translate the permissions.

          • chasil 2 hours ago

            Well, everybody has 1777 as /tmp (with the sticky bit).

              $ ll -d /tmp
              drwxrwxrwt. 20 root root 4096 Mar  3 12:19 /tmp
              $ mkdir mytmp
              $ chmod 1777 mytmp
              $ ll -d mytmp
              drwxrwxrwt. 1 luser lgroup 0 Mar  3 12:19 mytmp

          • tracker1 an hour ago

            I accidentally nuked my hosted server's network stack with a config error... my bigger mistake was generating a massive random password for the root account... the remote terminal management console didn't support pasting and the default config only gave you like 30s to log in.... not fun at all.

            Script all the things. double-check your scripts... always be backing up.

            • jonathanlydall 5 minutes ago

              > the remote terminal management console didn't support pasting and the default config only gave you like 30s to login

              I would have used AutoHotkey or something similar in such a scenario.

              • gchamonlive 7 minutes ago

                Also a gentle reminder that backups without periodic drills are just binary blobs. I had an instance where for some reason my Borg backups were corrupted. Only caught them with periodic drills.

              • zahlman 4 days ago

                I assume using `./*` rather than `.` in the `scp` command would have worked around the issue?

                • malicka 2 hours ago

                  Yes, since it would’ve copied the globbed files, rather than the current directory itself.

                • LoganDark 36 minutes ago

                  You did not transfer the files within a directory. You transferred the directory itself, via `.`. That is why scp changed the permissions of your home directory itself; if you instead had transferred via `*` I am sure you would not have had this problem.

                  • impure 2 hours ago

                    Ah, file permissions. My old friend. Good thing this happened on a 'local' server and not a remote VPS.

                    • MomsAVoxell an hour ago

                      Done stupid stuff like this enough times that I just use tar, and also make a sandbox directory to receive it, to double-check what's going to happen, before un-tar'ing it again into the destination intended and/or do a manual move.

                      Too many burned fingers to not do this little dance almost every other time.

                      Actually, I lied, I just use rsync like an insane person.

                      • crest 3 hours ago

                        It's nice to see people sharing their mistakes too.

                        • sowbug 3 hours ago

                          Related: In my Bash logout script I have a chmod that fixes authorized_keys. It won't help with scp because that's non-interactive, but it has helped the other 999 times I've forgotten to clean up the mess I made during an ssh session.
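
Added example (not part of any comment in this thread): a shell check for the failure mode discussed here, where a home directory, `~/.ssh` or `authorized_keys` left group- or world-writable makes key login fail. It approximates the write-permission part of OpenSSH's StrictModes check and omits the ownership part; the function names and the throwaway directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: flags the modes that break key-based login after a bad copy.
# Function names are hypothetical; the demo home directory is constructed.

# True (0) when the path is writable by group or others.
is_loose() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;   # column 6 = group w, column 9 = other w
    esac
    return 1
}

# Print each offending path; return 1 if any was found, 0 otherwise.
check_key_paths() {
    home=$1
    bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if is_loose "$p"; then
            echo "too permissive: $(ls -ld "$p")"
            bad=1
        fi
    done
    return "$bad"
}

# Drop group/other write on the home dir, then apply the usual 700/600 modes.
fix_key_paths() {
    home=$1
    chmod go-w "$home"
    [ -d "$home/.ssh" ] && chmod 700 "$home/.ssh"
    [ -f "$home/.ssh/authorized_keys" ] && chmod 600 "$home/.ssh/authorized_keys"
    return 0
}

# Demo on a constructed home directory, never a real account.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh" && : > "$demo_home/.ssh/authorized_keys"
fix_key_paths "$demo_home"
chmod 777 "$demo_home"     # the state left behind when a 777 "." lands on $HOME
check_key_paths "$demo_home" || echo "key login would be refused"
fix_key_paths "$demo_home"
check_key_paths "$demo_home" && echo "modes ok"
rm -rf "$demo_home"
```

Run `check_key_paths "$HOME"` from an already open session after a recursive copy into the home directory, before closing that session.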

                          • TZubiri 2 hours ago

                            Getting locked out of a server must be a canonical experience in the sysadmin journey, like checking the logs to see you are being attacked as soon as you're online, or trying to build your own linux from scratch without bloat.

                            • roelschroeven 4 hours ago

                              tl;dr: If you scp -r to your homedir, expect scp to copy not just files and directories but their permissions as well (which I think isn't all that surprising).

                              • ranger_danger 3 hours ago

                                It's not supposed to do that unless it's newly creating the destination, or you supplied the -p flag to preserve permissions... that's what the entire issue is about; it's a bug that was fixed in 10.3.

                                • Calzifer 2 hours ago

                                  I wouldn't even expect it on newly created stuff without the -p flag. Normal cp doesn't do it.

                              • binaryturtle 4 hours ago

                                When I load the site in my (slightly older) Firefox I just get some random junk and gibberish (markov chain generated nonsense?)

                                <bleep> that nonsense!