[techtalk] Fix for "Can't SCP from behind a firewall"
Raven, amateur historian
damask0 at yahoo.com
Fri Apr 27 10:30:55 EST 2001
Heya --
Recently, my husband and I experienced problems trying to scp from
behind our home firewall to our server (hosted elsewhere). We
discovered our firewall was denying the return packets (they were
coming in on a privileged port). My husband slightly modified the scp
code to allow the return traffic to come in on a non-privileged port.
He asked me to post his fix here so that anyone else with the same
problem can find it, since he's not on any Linux mailing lists.
Cheers,
Raven
*******
When using secure shell to connect to remote machines, I
discovered that my firewall was an impediment - not allowing
incoming traffic to privileged ports, it was denying all
the returned information from the remote machine.
Not wanting to weaken my firewall for such a vague purpose,
I looked in the manpages for ssh, and found the "-P" switch
to make it use only unprivileged ports (those numbered 1024
and above). All was happy.
Then I tried to use scp, (secure copy - transfers files
without sending plain-text password) which in turn uses
ssh. The same problem turns up, but this time, there is no
switch for unprivileged ports... And you can only give
long-form options to ssh from scp. There are no long-form
options for using only unprivileged ports. No apparent
solution.
I'm using OpenSSH. I figure "It's open-source, this should
be an easy thing to fix."
And so it was. In the source files, I opened 'scp.c' and
poked around a bit, scrolling down looking for something
relevant. After about 20 seconds I found the options part,
starting 15 lines down from 'main'.
All I had to do was make scp pass "-P" as an option to ssh.
Two very easy changes; first, I changed
    while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:")) != EOF)
to
    while ((ch = getopt(argc, argv, "NdfprtvBCc:i:P:q46S:o:")) != EOF)
(adding that N, as the letter I choose to indicate Not Privileged)
then I added another 'case' to the 'switch';
    case 'N':
        addargs("-P");
        break;
That's all there was to it. I suppose I should have changed
the man-file too, but I don't want to touch that stuff.
In case anyone else is having this problem, I have this to
say for search engines; "How to make scp stop using privileged
ports by having it pass the -P option to ssh. Secure copy,
secure shell, firewall, privileged ports."
Thank you.
--RavenBlack http://www.ravenblack.net/
L33t Lunix Hax0r. Guaranteed.
=====
"So they sent away all the attractive people, because they
were unholy. And then all the unholy people began to
scromp."
-- MadOontzGrrl, on Australian history
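
Added example (not part of the original post, and not OpenSSH code): a check of which source port a client connection uses, since that port is where the return packets described above arrive. A socket that connects without binding first gets a kernel-chosen port, which on typical systems is 1024 or above; the function names and the loopback listener are constructed for illustration.

```c
/* Added example: source-port check for the firewall rule in the post. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define FIRST_UNPRIVILEGED_PORT 1024 /* "those numbered 1024 and above" */

/* 1 if replies to this source port land on a privileged port, which a
 * firewall like the one described in the post would drop. */
int reply_hits_privileged_port(int source_port)
{
    return source_port > 0 && source_port < FIRST_UNPRIVILEGED_PORT;
}

/* Connect to a throwaway loopback listener WITHOUT binding the client
 * socket, and return the source port the kernel chose (-1 on error). */
int kernel_assigned_source_port(void)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    int port = -1;
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    int cli = socket(AF_INET, SOCK_STREAM, 0);

    memset(&addr, 0, sizeof(addr)); /* sin_port 0: any free port */
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    if (srv >= 0 && cli >= 0 &&
        bind(srv, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        listen(srv, 1) == 0 &&
        getsockname(srv, (struct sockaddr *)&addr, &len) == 0 &&
        connect(cli, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
        len = sizeof(addr);
        if (getsockname(cli, (struct sockaddr *)&addr, &len) == 0)
            port = ntohs(addr.sin_port); /* client-side source port */
    }
    if (cli >= 0) close(cli);
    if (srv >= 0) close(srv);
    return port;
}

int main(void)
{
    int p = kernel_assigned_source_port();
    printf("source port %d, privileged: %d\n", p, reply_hits_privileged_port(p));
    return p < 0;
}
```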