Can the server admin see what I copy via SCP?

Not just the admin.

For testing, I just copied /bin from my server to a temporary directory on my laptop. ps on the server shows

$ ps 24096
  PID TTY      STAT   TIME COMMAND
24096 ?        Ss     0:00 scp -r -f /bin

This information is generally accessible to all users.


A ServerFault question is almost identical to this. Hopefully you checked before posting your question, but yours is a little different so I will answer here.

The short answer is that if ANYONE has access and permissions to an endpoint (the system you are scping from or scping to), they can see what happens. If they do not have access to either endpoint, they likely won't have access to or be able to decipher what you're doing (apart from potentially knowing the application by protocol numbers).

The answer is ultimately very dependent on your infrastructure. Most likely though, as long as there isn't intense monitoring and SCP isn't considered at threat in the company (which will throw up red flags), your traffic will go by unnoticed. This is especially true for smaller companies.

As @SimonRichter mentioned: if someone can execute a command on your system (ie. admin or others), they can check your process list and see the command line scp -args /filepath/. However this requires that they be either logging all process activity or checking it at the time you are transferring. Additionally, if you are doing it from your own system at work to another system (say at home or elsewhere), they won't necessarily have that visibility.

Additionally, as @alex.forencich mentioned: It is also possible to log all system calls (including file open and read calls) so even if your copying program (scp, sftp, etc.) does not log or leak anything (command line arguments), it is still possible to figure out what files were read or written. See the linux audit system. –


scp works with the help of code running on the server (sshd, and scp itself). That sever code is in theory completely in the control of the server admin, and the version of scp running on the server to write the file down the connection to you, is separate from the version of scp running on your machine to issue the request.

An administrator of the server could, just for an example, replace scp on the server with a version that logs all requests, rather like a web server can write logs. Then they could see from those logs exactly what you copied.

Whether they have the expertise and the motivation to actually do this is less definite, but if they want to then in principle there's nothing to stop them.

I think these questions are companions to yours: https://security.stackexchange.com/questions/14782/is-there-an-easy-way-to-see-a-log-of-scp-activity-on-a-server-ala-var-log-secu, https://askubuntu.com/questions/659896/where-would-you-find-scp-logs

Although I don't know all the details, it seems that straight out of the box scp and sshd don't have options to log what you're asking about. So perhaps more is required than simple configuration, but you can't get away from the fact that admins control the server.

Tags:

Ssh

Scp