I recently 'hardened' two Ubuntu servers using Bastille, and now I get permission denied: scp whenever I try to scp files in.
- SSH login works fine.
- I've tried adding an /scp-dump folder with 777 permissions and still get the same error, so I don't believe it is a permission issue.
-
Tailing /var/log/auth.log doesn't really give any information, apart from
Oct 1 23:08:39 localhost sshd[20876]: Accepted publickey for some-user from [redacted ip] port 49250 ssh2 Oct 1 23:08:40 localhost sshd[20884]: Received disconnect from [redacted ip]: 11: disconnected by user
-
Using the -v flag with scp outputs the following:
Executing: program /usr/bin/ssh host some-domain.com, user (unspecified), command scp -v -t -- /scpdump OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011 debug1: Reading configuration data /Users/some-user/.ssh/config debug1: Reading configuration data /etc/ssh_config debug1: /etc/ssh_config line 20: Applying options for * debug1: Connecting to some-domain.com [12.34.56.78] port 22. debug1: Connection established. debug1: identity file /Users/some-user/.ssh/id_rsa type 1 debug1: identity file /Users/some-user/.ssh/id_rsa-cert type -1 debug1: identity file /Users/some-user/.ssh/id_dsa type -1 debug1: identity file /Users/some-user/.ssh/id_dsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1 debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.9 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key: RSA 8e:83:21:4a:9c:be:57:56:b1:07:5a:14:68:8a:47:dc debug1: Host 'some-domain.com' is known and matches the RSA host key. debug1: Found key in /Users/some-user/.ssh/known_hosts:17 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: /Users/some-user/.ssh/id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 debug1: read PEM private key done: type RSA debug1: Authentication succeeded (publickey). Authenticated to some-domain.com ([12.34.56.78]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: Sending environment. debug1: Sending env LANG = en_US.UTF-8 debug1: Sending env LC_CTYPE = C debug1: Sending env LC_MESSAGES = en_AU.utf-8 debug1: Sending env LC_TIME = en_AU.utf-8 debug1: Sending env LC_MONETARY = en_AU.utf-8 debug1: Sending env LC_NUMERIC = en_AU.utf-8 debug1: Sending env LC_COLLATE = en_AU.utf-8 debug1: Sending command: scp -v -t -- /scpdump zsh:1: permission denied: scp debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0 debug1: channel 0: free: client-session, nchannels 1 debug1: fd 0 clearing O_NONBLOCK debug1: fd 1 clearing O_NONBLOCK Transferred: sent 2880, received 2504 bytes, in 0.6 seconds Bytes per second: sent 4563.7, received 3967.9 debug1: Exit status 126 lost connection
Any idea where the permission denied might be coming from, config files I can look into, or other logs I should be looking at?
Best Answer
zsh:1: permission denied: scp
looks like it is not allowed to runscp
on the remote side; check the permissions there. Have you tried runningscp
on that machine to pull the files from elsewhere (vs. push)?