Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Tuesday September 28 2021, @07:07AM   Printer-friendly
from the OpenSSH dept.

OpenSSH 8.8 has been released and with it comes a heads up that there will be major changes to how the scp utility operates, starting in one of the next releases. Specifically, scp has been retooled to use the SFTP protocol under the hood. This will leave most behavior unchanged and most times there will be no perceived difference. However, some scripts which make use of globbing might need minor adjustment to work properly in the future:

A near-future release of OpenSSH will switch scp(1) from using the legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.

This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug- compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.

Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this.

The new behavior is now present in scp but currently off by default. It can be tested using the temporary -s option. Later, the -O option will force use of the original scp/rcp protocol for the cases where SFTP may be unavailable or incompatible.

Compared to scp/rcp, SFTP is a new protocol but only relatively speaking. Importantly, it has been engineered from the ground up to operate as securely as possible. In contrast, scp has been written without a formal specification other than to operate like the late rcp did, but over SSH. Currently, scp requires expansion of glob patterns using the remote system's shell. That can be eliminated by dropping scp and switching to SFTP beneath it all.

Previously:
(2019) Oh, SSH, IT Please see this: Malicious Servers can fsck with your PC's Files During scp Slurps
(2018) OpenSSH SFTP Chroot Code Execution
(2014) OpenSSH No Longer has to Depend on OpenSSL


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Interesting) by c0lo on Tuesday September 28 2021, @11:29AM

    by c0lo (156) Subscriber Badge on Tuesday September 28 2021, @11:29AM (#1182170) Journal

    Honest to God, cross-your-heart... if I would not have posted my comment, would the topic of your example popped into your mind as worthy to comment on?

    (I have this hunch you wouldn't, because you didn't consider important enough to open a special thread for it. It resembles more of a "Now that you mentioned it, how about..."
    Of course I can't be sure and of course I'm not judgemental no matter your answer)

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    Starting Score:    1  point
    Moderation   0  
       Interesting=1, Overrated=1, Total=2
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   2