saski4711 Apprentice
Joined: 24 Jun 2004 Posts: 199
|
Posted: Sun Jul 26, 2020 6:48 am Post subject: scp removed? |
|
|
Hello,
I've noticed that scp is no longer available on my system. Has it been removed or replaced with recent package updates or is it just me?
Stuck by Neddyseagoon.
It's bound to cause a bit of an upset when users discover that scp is gone by default.
fedeliallalinea Administrator
Joined: 08 Mar 2003 Posts: 31255 Location: here
|
Posted: Sun Jul 26, 2020 7:01 am Post subject: |
|
|
You can activate it with the scp USE flag, see https://bugs.gentoo.org/733802
_________________
Questions are guaranteed in life; Answers aren't.
Ionen Developer
Joined: 06 Dec 2018 Posts: 2837
|
Posted: Sun Jul 26, 2020 7:24 am Post subject: |
|
|
There's talk on gentoo-dev to add some form of warning/news about this, but those on ~testing may get the surprise if not paying attention to new USE flags meanwhile (hasn't reached stable yet).
Given upstream has no intention to fix this, so as not to break scp's normal functionality, an opt-in USE=scp for awareness seems like a reasonable solution.
saski4711 Apprentice
Joined: 24 Jun 2004 Posts: 199
|
Posted: Sun Jul 26, 2020 8:01 am Post subject: |
|
|
Thank you for the scoop. scp is back on my system!
fedeliallalinea Administrator
Joined: 08 Mar 2003 Posts: 31255 Location: here
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54573 Location: 56N 3W
|
Posted: Sun Jul 26, 2020 10:46 am Post subject: |
|
|
scp has gone from testing by default and upstream want to phase it out.
It's only a matter of time until it's dropped.
The writing is on the wall. It's time to find something else, like rsync over ssh.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Sun Jul 26, 2020 10:49 am Post subject: |
|
|
sftp still works fine. net-fs/sshfs uses it, if you're too lazy to learn the syntax.
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
|
Posted: Sun Jul 26, 2020 12:19 pm Post subject: |
|
|
sftp appears to use the same syntax as scp - at least it works the same here for the occasional one or few file transfers.
For those wondering where the USE flag applies, scp and sftp are both provided by net-misc/openssh.
Ionen Developer
Joined: 06 Dec 2018 Posts: 2837
|
Posted: Sun Jul 26, 2020 12:22 pm Post subject: |
|
|
^ same'ish syntax only works for downloads as far as I know; for uploads you'd need a wrapper to mimic basic scp.
Generally I do prefer to just use sshfs when I have it set up though, I even use it to read/transfer files from Windows boxes running sshd/sftp (similar software exists for the other way around but I haven't tried it).
Edit: pscp (from putty) mentioned in the bug does seem to mimic scp pretty well if need be.
Ionen Developer
Joined: 06 Dec 2018 Posts: 2837
pjp Administrator
Joined: 16 Apr 2002 Posts: 20476
|
Posted: Tue Jul 28, 2020 6:32 am Post subject: |
|
|
Maybe...
Quote: | I tried to put together something that now works and passes the scp
testsuite (with both scp and sftp modes):
https://github.com/openssh/openssh-portable/pull/194
What does not work is the extended remote-to-remote through local,
which would require some more low-level protocol tweaks.
Most of the code is taken and adapted from the sftp.c. There are still
a few TODOs, but let's take it as a first iteration/proof of concept. |
https://marc.info/?l=openssh-unix-dev&m=159481501428508&w=4
_________________
Quis separabit? Quo animo?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54573 Location: 56N 3W
|
Posted: Tue Jul 28, 2020 7:40 am Post subject: |
|
|
Don't count on scp staying.
Upstream don't like scp and I suspect IUSE=scp is only back long enough to get the publicity out.
Lennart Poettering wrote: | Gentoo folks, this is your wakeup call. |
I knew that quote would be useful one day :)
halcon l33t
Joined: 15 Dec 2019 Posts: 649
|
Posted: Tue Jul 28, 2020 1:38 pm Post subject: |
|
|
Please correct me if my thought process is wrong.
From Bugzilla:
Not having scp installed does nothing to alleviate the vulnerability.
From Write up for CVE id CVE-2020-15778:
Exploit scenarios.
Scenarios where ssh is blocked for user but scp allowed by command option in authorized_keys file. You can bypass this restriction and execute command on remote server.
SCP supports directory transfer with the "-r" option. As Linux allows backtick (`) in file name, attacker can create a payload in file name and when a victim is copying complete folder to remote server, payload in the file name will execute.
=>
So, exploiting this vulnerability becomes possible if:
(1) SCP program is installed on the attacker's computer (not necessarily victim's one), as it can evaluate backticks
and
(2) SCP is allowed in authorized_keys file on the victim's computer
?
EDIT: And a question after: does the USE flag -scp for ssh disable "allowing" scp via authorized_keys file? Or is it better to disallow backticks in filenames for ssh?
Last edited by halcon on Tue Jul 28, 2020 3:24 pm; edited 2 times in total |
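As an added illustration of the second scenario quoted in the post above (not part of the thread, and not code from OpenSSH or Gentoo), this is a pre-flight check that lists file names containing characters a shell would interpret before a recursive copy is started. The function names `risky_names` and `safe_to_copy` are made up for this example, and the check does not cover the authorized_keys scenario.

```shell
#!/bin/sh
# Added example (not from the thread): flag file names containing shell
# metacharacters before a recursive copy with scp -r, rsync or sftp.
# risky_names and safe_to_copy are hypothetical helper names.

# risky_names DIR
# Print every path under DIR whose final component contains a character
# that a shell treats specially: ` $ ; | & < > or a newline.
risky_names() {
    find "$1" \( \
        -name '*`*' -o -name '*$*' -o -name '*;*' -o -name '*|*' \
        -o -name '*&*' -o -name '*<*' -o -name '*>*' -o -name '*
*' \) -print
}

# safe_to_copy DIR
# Return 0 when no risky name was found, 1 otherwise (offenders on stderr).
safe_to_copy() {
    hits=$(risky_names "$1")
    if [ -n "$hits" ]; then
        printf 'refusing recursive copy of %s; suspicious names:\n%s\n' \
            "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Typical use, with a placeholder host and paths:
#   safe_to_copy ./project && scp -r ./project user@host.example:/srv/backup/
```

A name that is flagged is not necessarily malicious; the point is to look at it before handing the tree to a tool that builds a remote command line from it.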
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6145 Location: Dallas area
|
Posted: Tue Jul 28, 2020 2:22 pm Post subject: |
|
|
Next message in link
Code: | I have had this in my .bashrc for years:
alias scp='rsync -avzP' |
Which works for me, as I have rsyncd everywhere I copy to/from.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
pjp Administrator
Joined: 16 Apr 2002 Posts: 20476
|
Posted: Tue Jul 28, 2020 3:37 pm Post subject: |
|
|
rsync isn't a solution for me. I've lost data from its misuse. I have not had that problem with scp. sftp does not appear to be a functional replacement, although that may be my lack of understanding how it should be used. The only solution I found was to use a here doc.
Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6145 Location: Dallas area
|
Posted: Tue Jul 28, 2020 3:55 pm Post subject: |
|
|
Even if openssh were to remove scp from the tarball, I'm pretty sure someone will pull out the relevant parts to create an scp, it just won't be worked on by openssh upstream and whoever uses it needs to be aware it's not that secure.
Edit to add: even looking at the latest ebuild, scp gets built, whether the scp flag is set or not
Code: | # https://bugs.gentoo.org/733802
if ! use scp; then
    rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
        || die "failed to remove scp"
fi |
pjp Administrator
Joined: 16 Apr 2002 Posts: 20476
|
Posted: Tue Jul 28, 2020 4:51 pm Post subject: |
|
|
That is partly why I referenced the mailing list post. The author has an RH email address, so there might be some backing to have an sftp based scp.