OpenSSH 8.8 has been released and with it comes a heads-up that the scp utility will change significantly in one of the next releases. Specifically, scp has been retooled to use the SFTP protocol under the hood. Most behavior is left unchanged and in most cases there will be no perceivable difference. However, some scripts that rely on globbing might need minor adjustment to keep working properly in the future:
A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote paths relative to other users' home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later supports a protocol extension "expand-path@openssh.com" to support this.
The new behavior is now present in scp but currently off by default. It can be tested using the temporary -s option. Later, the -O option will force use of the original scp/rcp protocol for the cases where SFTP may be unavailable or incompatible.
SFTP is a newer protocol than scp/rcp, though only relatively speaking. Importantly, it was engineered from the ground up to operate as securely as possible. scp, in contrast, was written without a formal specification beyond behaving like the late rcp did, but over SSH. Currently, scp relies on the remote system's shell to expand glob patterns; that dependency disappears once scp uses SFTP underneath.
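To make the quoting difference concrete, here is an added example (not from OpenSSH or the article) of a small POSIX sh helper that builds the host:path argument for scp in legacy mode (scp -O) versus SFTP mode (scp -s, the future default); the function names, the sample host and the file names are all constructed for illustration.

```sh
#!/bin/sh
# Added example (not OpenSSH code). Legacy scp/rcp hands the remote path to
# the remote user's shell, so shell metacharacters in a file name must be
# quoted a second time for that shell. SFTP mode sends the path verbatim, so
# the same quoting would be looked up literally and the transfer would fail.

# Return 0 if the file name contains characters the remote shell would
# interpret under legacy scp (space, quotes, backquote, $, backslash,
# ;, &, |, <, >, parens, braces, *, ?, [, ], ~).
has_shell_meta() {
    printf '%s' "$1" | grep -q "[][ \"'\`\$\\\\;&|<>(){}*?~]"
}

# Wrap a file name in single quotes for the remote shell, escaping any
# embedded single quote as '\'' so the name survives intact.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_arg MODE HOST PATH -> the host:path argument to pass to scp.
#   MODE "legacy": scp -O, remote shell expands the path (double quoting).
#   MODE "sftp":   scp -s or the future default, path is passed as-is.
remote_arg() {
    mode=$1 host=$2 path=$3
    case "$mode" in
        legacy)
            if has_shell_meta "$path"; then
                printf '%s:%s\n' "$host" "$(shell_quote "$path")"
            else
                printf '%s:%s\n' "$host" "$path"
            fi ;;
        sftp)
            # No remote shell involved: the only quoting needed is the one
            # level our local shell applies when the argument is expanded.
            printf '%s:%s\n' "$host" "$path" ;;
        *)
            echo "remote_arg: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Typical use in a backup script (host "backup" is a constructed name):
#   scp -O "$(remote_arg legacy backup 'db dump 2021.sql')" /srv/backups/
#   scp -s "$(remote_arg sftp   backup 'db dump 2021.sql')" /srv/backups/
```

The legacy form yields `backup:'db dump 2021.sql'`, while the SFTP form yields `backup:db dump 2021.sql`; passing the legacy form to SFTP-mode scp would make the server look for a file whose name literally contains the single quotes.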
Previously:
(2019) Oh, SSH, IT Please see this: Malicious Servers can fsck with your PC's Files During scp Slurps
(2018) OpenSSH SFTP Chroot Code Execution
(2014) OpenSSH No Longer has to Depend on OpenSSL
(Score: 4, Interesting) by janrinok on Tuesday September 28 2021, @10:34AM (2 children)
If you are not a programmer, administrator, or a frequent user of the command line it will probably not affect how you use your computer.
However, for those working in such roles this is an important issue. It is quite possible, as Canopic Jug has pointed out, that scripts that are in frequent use might suddenly stop working the way that we expect them to. I don't know what proportion of our community this story will affect currently but in the past it was certainly a significant chunk - so much so that we actually have the Software topic for such stories.
But not all stories interest everyone in our community. We have stretched the definitions to allow a relatively wide span of topics to be discussed, but this is precisely the sort of discussion that many enjoyed in the early days of the site. It is informative and, for some, might be an important topic if scp is used in their daily professional work where this might actually result in a company experiencing an unexpected problem.
(Score: 1, Offtopic) by c0lo on Tuesday September 28 2021, @11:11AM
I'm making quite a good living software-engineering new things (not just programming them). Not that doing so necessarily requires the use of ssh or scp; it has been quite a long time since I needed it. You see, the use of an SCM (e.g. git) is much more prevalent in the category of "File operations" and automatic deploys are more frequently done with specific tools.
I'm not saying those kinds of stories don't have a good role. But I don't expect extensive comments on such a story; it's mostly "informational" in nature (this is why I used "public community announcement").
I didn't suggest eliminating them completely, just don't let them live alone on the top for a whole 3 hours or whatever the cadence of publishing new stories is; I don't think they're worth it.
Well, times change. The latest ones that I'm seeing barely make 5 comments and it's not unusual to find a couple of "Frost piss" vandalisms among those comments.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 4, Informative) by fliptop on Tuesday September 28 2021, @11:48AM
I use scp every day, many times per day, to move files around between machines. I've been doing sysadmin since the late '90s and a lot of my legacy scripts use it for copying db dumps to the backup server. I use rsync too for static files and mail backups, but I like having a separate cron job for copying db dumps so the report of what happened doesn't get buried in a mile-long rsync report.
To me, stories like this are much appreciated.
Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other.