Doesn't matter, for a few reasons.

As others have pointed out, if you have ssh, then at best the removal of
scp will only make things inconvenient, and maybe not even that.  For
example, I regularly use the "tar | ssh" trick when I'm moving a lot of
files; it's easier than listing them all in scp.

Furthermore, one point of having a firewall is so that you don't have to
police an indefinite number of hosts so closely.  Most companies would
see it as much easier to block a service at the firewall than to
constantly search network hosts for binaries they don't like.


Michael Erdely wrote:
> 
> I just ran a test on my test server at home:
> I renamed scp to scp.old.
> From a remote box, I ran: scp myhomeboxdef:test.txt test.txt
> response: bash: scp: command not found
> 
> Hope that helps.
> 
> -ME
> 
> ----- Original Message -----
> From: "Damien Miller" <[EMAIL PROTECTED]>
> To: "H. Wade Minter" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 7, 2001 6:10 AM
> Subject: Re: Block scp, allow ssh?
> 
> > On Tue, 6 Mar 2001, H. Wade Minter wrote:
> >
> > > I've got an odd situation that may not have a solution, but I
> > > figured I'd ask anyway.
> > >
> > > Due to corporate requirements, my company's firewall policy blocks
> > > outgoing file transfers (FTP puts), but allows FTP gets and outgoing
> > > telnet.  I don't like using telnet for the obvious reasons, so I
> > > suggested they enable outgoing SSH.
> > >
> > > They did for a few weeks, but killed it recently.  When I asked why,
> > > they said it was because people can copy files out using scp without
> > > the firewall being able to monitor it.
> > >
> > > So my question is: Is there any way, on a firewall-type level, to
> > > block scp traffic, while allowing ssh and slogin?  This would allow
> > > them to stop file copies, but let secure shells go through.
> >
> > There is no way to do this. By the time the firewall sees the connection,
> > its contents are encrypted.
> >
> > Furthermore, even if you were to somehow block the specific case of scp,
> > it would still be possible to copy files by cat'ing tar files about the
> > place. This is not unique to ssh, you can move files easily over just
> > about any connection (telnet included) using zmodem or kermit.
> >
> > -d
> >
> > --
> > | Damien Miller <[EMAIL PROTECTED]> \ ``E-mail attachments are the poor man's
> > | http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
> >
> >

-- 
Michael Jinks, IB // Technical Entity // Saecos Corporation
Opinions expressed above are my own, and not those of my employer.
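
Added illustration, not part of the original messages: a local model of why renaming scp on the server is not a control. The helper `remote_exec` is a hypothetical stand-in for `ssh host CMD` (no network is used), and the file names and contents are constructed sample data.

```shell
#!/bin/sh
# The "remote" side of an ssh session is modelled by a local shell whose
# PATH contains tar but no scp (constructed stand-in for a real host).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/src/docs" "$WORK/remote_home" "$WORK/remote_bin"
printf 'quarterly numbers\n' > "$WORK/src/report.txt"      # constructed sample data
printf 'design notes\n'      > "$WORK/src/docs/notes.txt"  # constructed sample data

# The "remote" host offers tar only; scp has been removed, as in the test
# quoted in the thread.
ln -s "$(command -v tar)" "$WORK/remote_bin/tar"

# remote_exec CMD: stand-in for `ssh host CMD`. stdin and stdout pass straight
# through, which is all the ssh exec channel gives the remote command.
remote_exec() {
    ( cd "$WORK/remote_home" && env PATH="$WORK/remote_bin" /bin/sh -c "$1" )
}

# The scp client asks the remote shell to run `scp`; with the binary gone the
# remote shell reports "command not found" (exit status 127).
try_scp() {
    remote_exec 'scp -f test.txt' </dev/null 2>/dev/null
}

# The "tar | ssh" form: a tar stream written into the same channel.
copy_with_tar() {
    tar -C "$WORK/src" -cf - . | remote_exec 'tar -xf -'
}

# files_match: succeed only if every source file arrived byte for byte.
files_match() {
    cmp -s "$WORK/src/report.txt" "$WORK/remote_home/report.txt" &&
    cmp -s "$WORK/src/docs/notes.txt" "$WORK/remote_home/docs/notes.txt"
}

try_scp || echo "scp via remote shell failed, exit status $?"
copy_with_tar && files_match && echo "tar stream arrived intact"
```

Both attempts use the same channel, so anything watching only for the scp binary or its name sees nothing different in the second case.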
