scp removed?

[saski4711]

Hello,

I've noticed that scp is no longer availble on my system. Has it been removed or replaced with recent package updates or is it just me?

Stuck by Neddyseagoon.
Its bound to cause a bit of an upset when users discover that scp is gone by default.

[fedeliallalinea]

You can active it with scp use flag see https://bugs.gentoo.org/733802

[Ionen]

There's talk on gentoo-dev to put add some form of warning/news about this but those on ~testing may get the surprise if not paying attention to new USE flags meanwhile (hasn't reached stable yet).

Given upstream has no intention to fix this not to break scp's normal functionality, a opt-in USE=scp for awareness seem like a reasonable solution.

[saski4711]

Thank you for the scoop. scp is back on my system!

[fedeliallalinea]

There's talk on gentoo-dev to put add some form of warning/news about this but those

For info https://archives.gentoo.org/gentoo-dev/ ... 7d0679b8a6

[NeddySeagoon]

scp has gone from testing by default and upstream want to phase it out.
Its only a matter of time until its dropped.

The writing is on the wall. Its time to find something else, like rsync over ssh.

[Ant P.]

sftp still works fine. net-fs/sshfs uses it, if you're too lazy to learn the syntax.

[cboldt]

sftp appears to use the same syntax as scp - at least it works the same here for the occasional one or few file transfers.

For those wondering where the USE flag applies, scp and sftp are both provided by net-misc/openssh

[Ionen]

^ same'ish syntax only works for downloads as far as I know, for uploads you'd need a wrapper to mimic basic scp.

Generally I do prefer to just use sshfs when I have it setup though, I even use it to read/transfer files from windows boxes running sshd/sftp (similar software exists for the other way around but I haven't tried it).

Edit: pscp (from putty) mentioned in the bug does seem to mimic scp pretty well if need be

[Ionen]

Well, it's back by default.

[pjp]

Maybe...

I tried to put together something that now works and passes the scp
testsuite (with both scp and sftp modes):

https://github.com/openssh/openssh-portable/pull/194

What does not work is the extended remote-to-remote through local,
which would require some more low-level protocol tweaks.

Most of the code is taken and adapted from the sftp.c . There are still
a few TODOs, but lets take it as a first iteration/proof of concept.

https://marc.info/?l=openssh-unix-dev&m ... 428508&w=4

[NeddySeagoon]

Don't count on scp staying.

Upstream don't like scp and I suspect IUSE=scp is only back long enough to get the publicity out.

Gentoo folks, this is your wakeup call.

I knew that quote would be useful one day :)

[halcon]

Please correct me if my thought process is wrong.

From Bugzilla:
Not having scp installed does nothing to alleviate the vulnerability.

From Write up for CVE id CVE-2020-15778:
Exploit scenarios.
Scenarios where ssh is blocked for user but scp allowed by command option in authorized_keys file. You can bypass this restriction and execute command on remote server.
SCP supports directory transfer with " -r " option. As linux allows backtick (`) in file name. attacker can create a payload in file name and when a victim is coping complete folder to remote server, payload in the file name will execute.

=>

So, exploiting this vulnerability becomes possible if:
(1) SCP program is installed on the attacker's computer (not necessarily victim's one), as it can evaluate backticks
and
(2) SCP is allowed in authorized_keys file on the victim's computer

?

EDIT: And a question after: does the USE flag -scp for ssh disable "allowing" scp via authorized_keys file? Or is it better to disallow backticks in filenames for ssh?

[Anon-E-moose]

Maybe...

I tried to put together something that now works and passes the scp
testsuite (with both scp and sftp modes):

https://github.com/openssh/openssh-portable/pull/194

What does not work is the extended remote-to-remote through local,
which would require some more low-level protocol tweaks.

Most of the code is taken and adapted from the sftp.c . There are still
a few TODOs, but lets take it as a first iteration/proof of concept.

https://marc.info/?l=openssh-unix-dev&m ... 428508&w=4

Next message in link

Code: Select all

I have had this in my .bashrc for years:

alias scp='rsync -avzP'

Which works for me, as I have rsyncd everywhere I copy to/from.

[pjp]

rsync isn't a solution for me. I've lost data from its misuse. I have not had that problem with scp. sftp does not appear to be a functional replacement, although that may be my lack of understanding how it should be used. The only solution I found was to use a here doc.

[Anon-E-moose]

Even if openssh were to remove scp from the tarball, I'm pretty sure someone will pull out the relevant parts to create an scp, it just won't be worked on by openssh upstream and whoever uses it needs to be aware it's not that secure.

Edit to add: even looking at the latest ebuild, scp gets built, whether the scp flag is set or not

Code: Select all

    # https://bugs.gentoo.org/733802
    if ! use scp; then
        rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
            || die "failed to remove scp"
    fi

[pjp]

That is partly why I referenced the mailing list post. The author has an RH email address, so there might be some backing to have an sftp based scp.