Work around insufficient remote permissions when SCPing

Tuesday, September 30th, 2014

Here’s a problem I often run into:

• I need to copy files from a remote system to my local system.
• I have root access to the remote system via sudo or su, but not directly via SSH.
• I don’t have enough permissions to read the remote files as a normal user; I need to be root.
• There isn’t enough space to copy the files to a temp dir and change their ownership.

One solution is to use sudo tar remotely and output the tar file on stdout:

fboender@local$ ssh fboender@example.com "sudo tar -vczf - /root/foo" > foo.tar.gz

This relies on the remote host allowing X11 forwarding though, and you have to have an SSH askpass program installed. Half of the time, I can’t get this work properly.

An easier solution is to build a reverse remote tunnel:

fboender@local$ ssh -R 19999:localhost:22 fboender@example.com

This maps the remote port 19999 on example.com to my local port 22. That means I can now access the SSH server running locally from the remote server by SSHing to port 19999. For example:

fboender@example.com$ scp -P 19999 -r /root/foo fboender@127.0.0.1
Password: 

There you go. Easy as pie.