
Block file copies/SCP inside of SSH

Open dspeck1 opened this issue 2 years ago • 1 comments

Is your feature request related to a problem? Please describe. We need to block file copies inside of SSH. This is to prevent data exfiltration. Maybe Boundary supports this already? Does the new double hop with private network support this?

Describe the solution you'd like Checkbox per user/group to enable/disable SCP support. This could also be a global setting.

Describe alternatives you've considered Setting up a bastion host.

Explain any additional use-cases We build secure data environments for customers and would add this.

Additional context Add any other context or screenshots about the feature request here.

dspeck1, Feb 22 '23 15:02

Hey @dspeck1, thanks for creating this issue. Since we don't already have an open issue for this, I'll label this as an enhancement.

One way to go about this would be to block based on SSH channel type at the worker, so when a user attempts a file transfer, the Boundary proxy will reject the request. This would get into the realm of protocol decoding via SSH Typed targets, which are only available on HCP Boundary.

It also seems like #695 would be helpful here as well from an auditing perspective.

Is there another way to go about implementation here?

AdamBouhmad, Feb 22 '23 20:02
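
The worker-side check discussed in the comment above, as an added sketch that is not Boundary's code: in SSH (RFC 4254), sftp and scp arrive as `subsystem` and `exec` requests on a session channel, so a proxy that already sees decrypted payloads can classify them. `IsFileTransfer` and `readString` are hypothetical names, and the sample payload is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"path"
	"strings"
)

var errMalformed = errors.New("malformed channel request")

// readString consumes one SSH "string" (uint32 length, then that many bytes).
func readString(b []byte) (string, []byte, error) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return "", nil, errMalformed
	}
	n := int(binary.BigEndian.Uint32(b))
	return string(b[4 : 4+n]), b[4+n:], nil
}

// IsFileTransfer inspects a decrypted SSH_MSG_CHANNEL_REQUEST (type 98) payload.
func IsFileTransfer(p []byte) (bool, error) {
	// Layout: byte type, uint32 channel, string request type, bool want_reply, string arg.
	if len(p) < 5 || p[0] != 98 {
		return false, errMalformed
	}
	reqType, rest, err := readString(p[5:])
	if err != nil || len(rest) < 1 {
		return false, errMalformed
	}
	if reqType != "exec" && reqType != "subsystem" {
		return false, nil // shell, pty-req, env: no transfer helper requested
	}
	arg, _, err := readString(rest[1:]) // rest[0] is want_reply
	if err != nil {
		return false, err
	}
	if reqType == "subsystem" {
		return arg == "sftp", nil
	}
	words := strings.Fields(arg) // exec: compare the command's base name
	return len(words) > 0 && path.Base(words[0]) == "scp", nil
}

func main() {
	// Constructed sample payload (subsystem "sftp" on channel 0), not captured traffic.
	p := []byte("\x62\x00\x00\x00\x00\x00\x00\x00\x09subsystem\x01\x00\x00\x00\x04sftp")
	fmt.Println(IsFileTransfer(p))
}
```

A proxy would answer a matching request with SSH_MSG_CHANNEL_FAILURE instead of forwarding it. The check covers only the standard sftp subsystem and scp command names, so it complements session auditing and does not replace it.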