/ BLOG / The problem with SCP

One of the technical questions I had at Blizzard was pertaining to locking down access to a file(s) so that only a given user could download them. I creatively suggested an SSL'ed vhost and some form of auth to get to the file(s). When asked about scp, I stated that scp required a valid shell, which isn’t always desired. This means that they can logon to the box.

This has been bugging me since yesterday, as it’s a bit of a hack. What if you have a centralised auth system and can state which shell to use? There must be some way to only allow scp. Having done some research, it appears that there is! Enter “scponly”. The only downside is that they’d need somewhere to logon to, in order to change passwords in the instance(s) of password expiry, should you wish to go down that route. Perhaps, in this case, it’s better for a sysadmin to track and perform account changes though.