From charlesreid1

This page covers a basic configuration for getting secure copy (SCP) working over an stunnel connection.

Overview

Setting up client

To set up the client, use a config file identical to the one in Stunnel/SSH, except change the service name (the bracketed section header) from [ssh] to [scp]:

# client config,
# will ssh directly to local port 2222
# ssh -p 2222 root@localhost
# stunnel client connects to remote stunnel server at IP A.B.C.D over external port 443

output 	= /var/log/stunnel4/stunnel.log
cert 	= /usr/local/etc/stunnel/stunnel.fullchain.pem
key		= /usr/local/etc/stunnel/stunnel.key.pem
pid 	= /var/run/stunnel4/stunnel.pid
client  = yes
[scp]
accept 	= 2222
connect = 96.126.102.36:443

Now scp commands can be directed through port 2222 using a CAPITAL -P (scp takes the port with -P, unlike ssh, which uses lowercase -p):

$ scp -P 2222 <...>

This will redirect the scp traffic to port 443, through stunnel, and on to port 22 on the remote server.
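
The client config above sets no verifyChain, verifyPeer or CAfile, and stunnel does not verify the peer certificate by default, so this client will accept whatever certificate the server on port 443 presents. The Python check below is an added example, not part of the original page: it parses an stunnel config and flags client services with that gap, or with a bare accept port that listens on every interface. The CA path and checkIP value in the hardened sample are assumptions.

```python
# Added example (not from the original page): flag stunnel client services
# that skip server-certificate verification or accept on every interface.

def parse_stunnel(text):
    """Return {service: options}; global options are per-service defaults."""
    defaults, services = {}, {}
    current = defaults
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], dict(defaults))
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return services

def audit_clients(text):
    """Return {service: [issues]} for client-mode services."""
    report = {}
    for name, opts in parse_stunnel(text).items():
        if opts.get("client", "no").lower() != "yes":
            continue
        issues = []
        has_ca = "cafile" in opts or "capath" in opts
        verifies = (opts.get("verifychain") == "yes"
                    or opts.get("verifypeer") == "yes"
                    or opts.get("verify") in ("2", "3", "4"))  # legacy levels
        if not (has_ca and verifies):
            issues.append("server certificate is not verified")
        if ":" not in opts.get("accept", ":"):   # bare port: all interfaces
            issues.append("accept port is bound on all interfaces")
        if issues:
            report[name] = issues
    return report

# Constructed sample: the [scp] client service as configured on this page.
PAGE_CLIENT = "client = yes\n[scp]\naccept = 2222\nconnect = 96.126.102.36:443\n"
# Constructed hardened variant; the CA path and checkIP value are assumptions.
HARDENED_CLIENT = (
    "client = yes\n[scp]\n"
    "accept = 127.0.0.1:2222\n"
    "connect = 96.126.102.36:443\n"
    "verifyChain = yes\n"
    "CAfile = /etc/stunnel/ca.pem\n"
    "checkIP = 96.126.102.36\n")

if __name__ == "__main__":
    print(audit_clients(PAGE_CLIENT), audit_clients(HARDENED_CLIENT))
```

checkIP only passes if the server certificate actually lists that IP address; with a certificate issued for a host name, use checkHost with that name instead.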

Setting up server

We want the stunnel server to listen on port 443 and forward traffic to port 22 (scp uses the same port as SSH).

The only difference from the Stunnel/SSH server config file is the service name:

# server config,
# stunnel server will listen for stunnel clients connecting on port 443
# traffic will be decrypted and forwarded to local port 22

output	= /var/log/stunnel4/stunnel.log
cert	= /etc/stunnel/stunnel.fullchain.pem
key		= /etc/stunnel/stunnel.key.pem
pid		= /var/run/stunnel4/stunnel.pid
client	= no
[scp]
accept	= 443
connect = 127.0.0.1:22

Now the stunnel server will be listening on port 443. Traffic received will be decrypted and sent along to port 22.


Testing scp over stunnel

Now we can test scp over stunnel to make sure it works. These two commands create a dummy file and secure-copy it to zappa's user directory on the remote machine:

[client] $ echo "Secret stuff!" > secrets.file
[client] $ scp -P 2222 secrets.file zappa@remote:~/.
secret.file                                                    100%   22     0.3KB/s   00:00
[client] $

Note that if passwordless access has been set up between the remote and client machines, this will NOT ask the user for their password - excellent for exfiltrating data from a Raspberry Pi to a command-and-control server.


