Can the server admin see what I copy via SCP?
Not just the admin.
For testing, I just copied /bin from my server to a temporary directory on my laptop. ps on the server shows
$ ps 24096
PID TTY STAT TIME COMMAND
24096 ? Ss 0:00 scp -r -f /bin
This information is generally accessible to all users.
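To make the ps output above concrete, here is an added example (not part of the original answer): a Python sketch that reads /proc/<pid>/cmdline, which is world-readable by default on Linux, and picks out server-side scp processes. The -f (source) and -t (sink) flags are the modes the scp client asks the remote scp to run in; the function names and the sample argv are constructed for illustration.

```python
import os

# Constructed sample: the argv behind the ps line above, in /proc's NUL-separated form.
SAMPLE_CMDLINE = b"scp\0-r\0-f\0/bin\0"

def split_cmdline(raw):
    """Split the NUL-terminated argv stored in /proc/<pid>/cmdline."""
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]

def parse_server_scp(argv):
    """Describe a server-side scp (-f source / -t sink); None for anything else."""
    if not argv or os.path.basename(argv[0]) != "scp":
        return None
    mode, recursive, paths = None, False, []
    rest = argv[1:]
    for i, arg in enumerate(rest):
        if arg == "--":                       # all remaining args are paths
            paths.extend(rest[i + 1:])
            break
        flags = arg[1:] if arg.startswith("-") else ""
        if flags and set(flags) <= set("dfprtv"):   # flags the client sends to the server
            mode = "source" if "f" in flags else "sink" if "t" in flags else mode
            recursive = recursive or "r" in flags
        else:
            paths.append(arg)
    if mode is None:                          # client-side scp has no -f/-t
        return None
    return {"mode": mode, "recursive": recursive, "paths": paths}

def scan_proc(proc_root="/proc"):
    """Return (pid, info) for every server-side scp visible to the caller."""
    found = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                info = parse_server_scp(split_cmdline(fh.read()))
        except OSError:                       # process exited or is not readable
            continue
        if info:
            found.append((int(entry), info))
    return found

if __name__ == "__main__":
    print(parse_server_scp(split_cmdline(SAMPLE_CMDLINE)))
    if os.path.isdir("/proc"):
        for pid, info in scan_proc():
            print(pid, info)
```

Run as an unprivileged user on the server while a transfer is in progress, the scan lists the same paths that ps shows.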
A ServerFault question is almost identical to this. Hopefully you checked before posting your question, but yours is a little different so I will answer here.
The short answer is that if ANYONE has access and permissions to an endpoint (the system you are scp-ing from or scp-ing to), they can see what happens. If they do not have access to either endpoint, they likely won't have access to or be able to decipher what you're doing (apart from potentially knowing the application by protocol numbers).
The answer is ultimately very dependent on your infrastructure. Most likely though, as long as there isn't intense monitoring and SCP isn't considered a threat in the company (which will throw up red flags), your traffic will go by unnoticed. This is especially true for smaller companies.
As @SimonRichter mentioned: if someone can execute a command on your system (i.e. admin or others), they can check your process list and see the command line scp -args /filepath/. However, this requires that they be either logging all process activity or checking it at the time you are transferring. Additionally, if you are doing it from your own system at work to another system (say at home or elsewhere), they won't necessarily have that visibility.
Additionally, as @alex.forencich mentioned: It is also possible to log all system calls (including file open and read calls) so even if your copying program (scp, sftp, etc.) does not log or leak anything (command line arguments), it is still possible to figure out what files were read or written. See the Linux audit system.
scp works with the help of code running on the server (sshd, and scp itself). That server code is in theory completely in the control of the server admin, and the version of scp running on the server to write the file down the connection to you is separate from the version of scp running on your machine to issue the request.
An administrator of the server could, just for an example, replace scp on the server with a version that logs all requests, rather like a web server can write logs. Then they could see from those logs exactly what you copied.
Whether they have the expertise and the motivation to actually do this is less definite, but if they want to then in principle there's nothing to stop them.
I think these questions are companions to yours: https://security.stackexchange.com/questions/14782/is-there-an-easy-way-to-see-a-log-of-scp-activity-on-a-server-ala-var-log-secu, https://askubuntu.com/questions/659896/where-would-you-find-scp-logs
Although I don't know all the details, it seems that straight out of the box scp and sshd don't have options to log what you're asking about. So perhaps more is required than simple configuration, but you can't get away from the fact that admins control the server.