
Allow scp but not ssh

lostngone
Level 1

With an ASA, is there a way for it to allow scp (port 22) traffic from a host to another host but deny ssh (port 22)? Obviously this is an encrypted protocol, but I do not know if there is some difference between the two that can be matched.

2 Replies

nkarthikeyan
Level 7

Hi,

This is quite tricky, but SCP is a protocol which uses SSH for data transfers. As per my knowledge it cannot be separated. Rather, SSH can be limited on the end devices, or you can use a different port number for SCP transfers.

 

Quick and brief information on how SCP works:

Normally, a client initiates an SSH connection to the remote host, and requests an SCP process to be started on the remote server. The remote SCP process can operate in one of two modes: source mode, which reads files (usually from disk) and sends them back to the client, or sink mode, which accepts the files sent by the client and writes them (usually to disk) on the remote host. For most SCP clients, source mode is generally triggered with the -f flag (from), while sink mode is triggered with -t (to).[2] These flags are used internally and are not documented outside the SCP source code.

 

Hope this helps

Regards

Karthik

I do not believe what you want to do is possible while keeping port 22 in use for both. I suggest changing the port used for either SSH or SCP and then denying the port that the SSH protocol uses (22 unless that is the one you changed).

--

Please remember to select a correct answer and rate helpful posts
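The first reply notes that SSH can be limited on the end devices and that the remote side is started as `scp -t` or `scp -f`. The script below is an added example, not code from this thread, showing one way to enforce that on the SSH server with a forced command; the names `scp_gate`, `--gate`, `/srv/transfer` and `/usr/local/bin/scp-gate.sh` are hypothetical, and the accepted option tokens are an assumption based on OpenSSH's legacy scp client.

```shell
#!/bin/sh
# Added example: scp-only gate for sshd (ForceCommand or authorized_keys command="...").
# Assumptions: legacy scp protocol ("scp -O" on OpenSSH 9.0+, which defaults to SFTP),
# paths without spaces, and a hypothetical transfer directory.
LC_ALL=C; export LC_ALL
ALLOWED_ROOT=/srv/transfer            # hypothetical drop directory

# scp_gate CMD: print "allow <mode> <path>" (status 0) or "deny <reason>" (status 1).
scp_gate() {
    set -f; set -- $1; set +f         # split on whitespace only; nothing is eval'd
    [ "${1:-}" = scp ] || { echo "deny not-scp"; return 1; }   # empty = shell request
    shift
    mode='' target=''
    while [ $# -gt 0 ]; do
        case $1 in
            *[!A-Za-z0-9_./-]*) echo "deny bad-char"; return 1 ;;
            -t|-f) [ -z "$mode" ] || { echo "deny dup-mode"; return 1; }
                   mode=$1 ;;
            -r|-p|-d|-v|--) ;;        # option tokens accepted alongside -t/-f
            -*) echo "deny bad-flag"; return 1 ;;
            *) [ -z "$target" ] || { echo "deny extra-arg"; return 1; }
               target=$1 ;;
        esac
        shift
    done
    [ -n "$mode" ] || { echo "deny no-mode"; return 1; }
    case $target in
        */../*|*/..) echo "deny traversal"; return 1 ;;
        "$ALLOWED_ROOT"/*) echo "allow $mode $target" ;;
        *) echo "deny outside-root"; return 1 ;;
    esac
}

if [ "${1:-}" = --gate ]; then        # e.g. ForceCommand /usr/local/bin/scp-gate.sh --gate
    scp_gate "${SSH_ORIGINAL_COMMAND:-}" >/dev/null || { echo "scp only" >&2; exit 1; }
    set -f; exec $SSH_ORIGINAL_COMMAND   # validated tokens, run without a shell
fi

# Constructed sample requests, printed with their verdicts.
for c in 'scp -t /srv/transfer/in' 'scp -r -f /srv/transfer/out' '' 'bash -i' \
         'scp -t /srv/transfer/x;id' 'scp -f /etc/hosts'; do
    printf '%-30s -> %s\n' "[$c]" "$(scp_gate "$c" || true)"
done
```

With this in place the firewall rule can stay a plain permit on port 22 between the two hosts, while the server itself refuses shell and arbitrary command requests for the restricted account.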
