
Scp Not Working through Firewall


Nick Venidis

Aug 10, 1999, 3:00:00 AM
Sorry for the newbie-like question. I've installed ssh 1.2.27 on my
test client and server machines with a firewall in between. I've read
through the tutorials, and I'm able to successfully establish ssh
sessions through my firewall from the client to the server. However, I
cannot get scp to work without errors through the firewall. It appears
to be some kind of path problem when the scp request is received on the
server (remote) system, but I cannot figure out how to solve it. I've
updated the path for all userids to find the scp command in
/usr/local/bin. Both the client and server test machines are AIX 4.3.2
and I have no problem finding the scp command when I'm locally logged in
to either of these machines. If I perform the AIX "which" command for
scp, it is instantly found. The following are the verbose messages from
both the client and server with sshd started in debug mode:

client:

$ scp -v -L /u/nickv/testdata
sptest.vendor.pok.ibm.com:/u/nickv/testdata2
Executing: host sptest.vendor.pok.ibm.com, user (unspecified), command
scp -v -2
SSH Version 1.2.27 [powerpc-ibm-aix4.3.2.0], protocol version 1.5.
Standard version. Does not use RSAREF.
bmnotes14.pok.ibm.com: Reading configuration data /etc/ssh_config
bmnotes14.pok.ibm.com: Applying options for *
bmnotes14.pok.ibm.com: ssh_connect: getuid 201 geteuid 0 anon 1
bmnotes14.pok.ibm.com: Connecting to sptest.vendor.pok.ibm.com
[129.40.19.194] .
bmnotes14.pok.ibm.com: Connection established.
bmnotes14.pok.ibm.com: Remote protocol version 1.5, remote software
version 1.27
bmnotes14.pok.ibm.com: Waiting for server public key.
bmnotes14.pok.ibm.com: Received server public key (768 bits) and host
key (1024.
bmnotes14.pok.ibm.com: Host 'sptest.vendor.pok.ibm.com' is known and
matches th.
bmnotes14.pok.ibm.com: Initializing random; seed file
/home/nickv/.ssh/random_sd
bmnotes14.pok.ibm.com: Encryption type: idea
bmnotes14.pok.ibm.com: Sent encrypted session key.
bmnotes14.pok.ibm.com: Installing crc compensation attack detector.
bmnotes14.pok.ibm.com: Received encrypted confirmation.
bmnotes14.pok.ibm.com: No agent.
bmnotes14.pok.ibm.com: Trying RSA authentication with key
'ni...@bmnotes14.pok.'
bmnotes14.pok.ibm.com: Received RSA challenge from server.
Enter passphrase for RSA key 'ni...@bmnotes14.pok.ibm.com':
bmnotes14.pok.ibm.com: Sending response to host key RSA challenge.
bmnotes14.pok.ibm.com: Remote: RSA authentication accepted.
bmnotes14.pok.ibm.com: RSA authentication accepted by server.
bmnotes14.pok.ibm.com: Sending command: scp -v -t /u/nickv/testdata2
bmnotes14.pok.ibm.com: Entering interactive session.
log: executing remote command as user nickv
Environment:
HOME=/home/nickv
USER=nickv
LOGNAME=nickv
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin
MAIL=/var/spool/mail/nickv
SHELL=/usr/bin/ksh
TZ=EST5EDT
SSH_CLIENT=129.40.19.193 34884 22
AUTHSTATE=compat
LANG=C
LOCPATH=/usr/lib/nls/loc
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat
LC__FASTMSG=true
ODMDIR=/etc/objrepos

ksh: scp: not found
bmnotes14.pok.ibm.com: Transferred: stdin 0, stdout 442, stderr 0 bytes
in 0.2 s
bmnotes14.pok.ibm.com: Bytes per second: stdin 0.0, stdout 2377.2,
stderr 0.0
bmnotes14.pok.ibm.com: Exit status 127

Server:


sptest:/ # sshd -d
debug: sshd version 1.2.27 [powerpc-ibm-aix4.3.2.0]
debug: Initializing random number generator; seed file
/etc/ssh_random_seed
log: Server listening on port 22.
log: Generating 768 bit RSA key.
Generating p: ..................................++ (distance 476)
Generating q: ...............++ (distance 236)
Computing the keys...
Testing the keys...
Key generation complete.
log: RSA key generation complete.
debug: Server will not fork when running in debugging mode.
log: Connection from 129.40.19.193 port 34884
debug: Client protocol version 1.5; client software version 1.2.27
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: idea
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for nickv.
log: RSA authentication for nickv accepted.
debug: Executing command 'scp -v -t /u/nickv/testdata2'
debug: Entering interactive session.
debug: Received SIGCHLD.
debug: End of interactive session; stdin 0, stdout (read 0, sent 0),
stderr 442
bytes.
debug: Command exited with status 127.
debug: Received exit confirmation.
log: Closing connection to 129.40.19.193
sptest:/ #

Any help or guidance would be appreciated.

Thanks

Nick Venidis

--
IBM
Poughkeepsie, NY
914-433-8281
ni...@us.ibm.com

David Kaczynski

Aug 13, 1999, 3:00:00 AM
On Tue, 10 Aug 1999 14:30:25 -0400, Nick Venidis <ni...@us.ibm.com>
wrote:

>Sorry for the newbie-like question. I've installed ssh 1.2.27 on my
>test client and server machines with a firewall in between. I've read
>through the tutorials, and I'm able to successfully establish ssh
>sessions through my firewall from the client to the server. However, I
>cannot get scp to work without errors through the firewall. It appears
>to be some kind of path problem when the scp request is received on the
>server (remote) system, but I cannot figure out how to solve it. I've
>updated the path for all userids to find the scp command in
>/usr/local/bin. Both the client and server test machines are AIX 4.3.2
>and I have no problem finding the scp command when I'm locally logged in
>to either of these machines. If I perform the AIX "which" command for
>scp, it is instantly found. The following are the verbose messages from
>both the client and server with sshd started in debug mode:

Read the error messages carefully and the problem is clear. The Korn
shell is telling you that `scp` is not being found. Something is
missing in the PATH below... I'll give you a BIG hint... Change the
environment below so "/usr/local/bin" is in there.

>client:
>
>$ scp -v -L /u/nickv/testdata

[snip]

>bmnotes14.pok.ibm.com: Sending command: scp -v -t /u/nickv/testdata2
>bmnotes14.pok.ibm.com: Entering interactive session.
>log: executing remote command as user nickv
>Environment:
> HOME=/home/nickv
> USER=nickv
> LOGNAME=nickv
> PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


> MAIL=/var/spool/mail/nickv
> SHELL=/usr/bin/ksh
> TZ=EST5EDT
> SSH_CLIENT=129.40.19.193 34884 22
> AUTHSTATE=compat
> LANG=C
> LOCPATH=/usr/lib/nls/loc
> NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat
> LC__FASTMSG=true
> ODMDIR=/etc/objrepos
>
>ksh: scp: not found
>bmnotes14.pok.ibm.com: Transferred: stdin 0, stdout 442, stderr 0 bytes
>in 0.2 s
>bmnotes14.pok.ibm.com: Bytes per second: stdin 0.0, stdout 2377.2,
>stderr 0.0
>bmnotes14.pok.ibm.com: Exit status 127

[snip]

Nick Venidis

Aug 17, 1999, 3:00:00 AM
David,

Thanks for your reply. The problem turned out to be that /etc/environment on
the ssh server system was not updated with the path to the ssh binary
repository. As a test, I updated this system file, and scp worked without a
problem. However, this leads to another problem. The /etc/environment, like
the /etc/profile file, is a default system file that really should not be
altered. To change these defaults the end user should then make his own copy
of these files within his home directory, which I did, to include the path
for the ssh binaries. It appears that when an scp session connects with the
ssh server, that the end user's customized profile and environment files are
not read or executed. Is there a way to get scp to obey the end user's
specifications from his own files instead of the system default files?

Thanks

Nick Venidis



David Kaczynski

Aug 19, 1999, 3:00:00 AM
On Tue, 17 Aug 1999 14:02:54 -0400, Nick Venidis <ni...@us.ibm.com>
wrote:

>David,


>
>Thanks for your reply. The problem turned out to be that /etc/environment on
>the ssh server system was not updated with the path to the ssh binary
>repository.

Nick,

I'm not sure what flavor of UNiX you are using, but "/usr/local/bin"
should be, I think, configured to be in the PATH of all your users by
default.


>As a test, I updated this system file, and scp worked without a
>problem. However, this leads to another problem. The /etc/environment, like
>the /etc/profile file, is a default system file that really should not be
>altered. To change these defaults the end user should then make his own copy
>of these files within his home directory, which I did, to include the path
>for the ssh binaries. It appears that when an scp session connects with the
>ssh server, that the end user's customized profile and environment files are
>not read or executed.

It *should* be updated to respect that user's customized
profile/environment.

You are giving these files the correct name, right (excuse me, I know
this is UNiX 101...)? Like if you're using the BASH shell, it should
be "~/.bash_profile" or CSH, it'd be ".login"?

You can always double check by logging in via SSH to that user's dir
you are trying to initiate the SCP command from/to and make sure that
the proper environment is there. If it's there when you SSH in, it
should be there if you SCP from there also.
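
Added illustration (not part of the original posts): the exit status 127 from the logs, reproduced in a constructed sandbox by starting the logged remote command with `sh -c` under the PATH from the "Environment:" dump. The sandbox layout, the stub `scp`, and the function names are assumptions, and `/bin/sh -c` stands in for the `ksh` that ran the command in the thread.

```shell
#!/bin/sh
# PATH exactly as it appears in the "Environment:" dump in the thread.
LOGGED_PATH='/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin'

# Build a constructed sandbox: a stub scp under <root>/usr/local/bin and a
# per-user ~/.profile that appends that directory to PATH.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir -p "$sb/usr/local/bin" "$sb/home"
    printf '#!/bin/sh\nexit 0\n' > "$sb/usr/local/bin/scp"
    chmod +x "$sb/usr/local/bin/scp"
    printf 'PATH=$PATH:%s/usr/local/bin; export PATH\n' "$sb" > "$sb/home/.profile"
    echo "$sb"
}

# Print the exit status of the remote command from the log when started as
# "sh -c", which is not a login shell and so never reads ~/.profile.
#   $1 = sandbox root
#   $2 = plain   : logged PATH only
#        profile : source ~/.profile first, as a login shell would
#        server  : directory added to the PATH the server hands out
remote_exit() {
    # Re-root every logged PATH entry inside the sandbox so no real scp is hit.
    path=$(echo "$LOGGED_PATH" | sed "s|^/|$1/|; s|:/|:$1/|g")
    cmd='scp -v -t /u/nickv/testdata2'
    case $2 in
        profile) cmd=". \"\$HOME/.profile\"; $cmd" ;;
        server)  path="$path:$1/usr/local/bin" ;;
    esac
    rc=0
    env -i HOME="$1/home" PATH="$path" /bin/sh -c "$cmd" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

root=$(make_sandbox) || exit 1
for mode in plain profile server; do
    echo "$mode: exit status $(remote_exit "$root" "$mode")"
done
rm -rf "$root"
```

Only the `plain` case fails with 127; the other two find the stub because the directory reaches PATH either through the sourced profile or through the environment the command is started with.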

