Gentoo Forums
scp removed?
saski4711
Apprentice

Joined: 24 Jun 2004
Posts: 199

Posted: Sun Jul 26, 2020 6:48 am    Post subject: scp removed?

Hello,

I've noticed that scp is no longer available on my system. Has it been removed or replaced with recent package updates or is it just me?

Stuck by Neddyseagoon.
It's bound to cause a bit of an upset when users discover that scp is gone by default.

fedeliallalinea
Administrator

Joined: 08 Mar 2003
Posts: 31255
Location: here

Posted: Sun Jul 26, 2020 7:01 am

You can activate it with the scp USE flag, see https://bugs.gentoo.org/733802
_________________
Questions are guaranteed in life; Answers aren't.

Ionen
Developer

Joined: 06 Dec 2018
Posts: 2837

Posted: Sun Jul 26, 2020 7:24 am

There's talk on gentoo-dev to add some form of warning/news about this but those on ~testing may get the surprise if not paying attention to new USE flags meanwhile (hasn't reached stable yet).

Given upstream has no intention to fix this not to break scp's normal functionality, an opt-in USE=scp for awareness seems like a reasonable solution.

saski4711
Apprentice

Joined: 24 Jun 2004
Posts: 199

Posted: Sun Jul 26, 2020 8:01 am

Thank you for the scoop. scp is back on my system! :D

fedeliallalinea
Administrator

Joined: 08 Mar 2003
Posts: 31255
Location: here

Posted: Sun Jul 26, 2020 8:46 am

Ionen wrote:
There's talk on gentoo-dev to add some form of warning/news about this but those

For info https://archives.gentoo.org/gentoo-dev/message/8603334747a6209b50f9097d0679b8a6
_________________
Questions are guaranteed in life; Answers aren't.

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54572
Location: 56N 3W

Posted: Sun Jul 26, 2020 10:46 am

scp has gone from testing by default and upstream want to phase it out.
It's only a matter of time until it's dropped.

The writing is on the wall. It's time to find something else, like rsync over ssh.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 6920

Posted: Sun Jul 26, 2020 10:49 am

sftp still works fine. net-fs/sshfs uses it, if you're too lazy to learn the syntax.

cboldt
Veteran

Joined: 24 Aug 2005
Posts: 1046

Posted: Sun Jul 26, 2020 12:19 pm

sftp appears to use the same syntax as scp - at least it works the same here for the occasional one or few file transfers.

For those wondering where the USE flag applies, scp and sftp are both provided by net-misc/openssh

Ionen
Developer

Joined: 06 Dec 2018
Posts: 2837

Posted: Sun Jul 26, 2020 12:22 pm

^ same'ish syntax only works for downloads as far as I know, for uploads you'd need a wrapper to mimic basic scp.

Generally I do prefer to just use sshfs when I have it set up though, I even use it to read/transfer files from Windows boxes running sshd/sftp (similar software exists for the other way around but I haven't tried it).

Edit: pscp (from putty) mentioned in the bug does seem to mimic scp pretty well if need be

Ionen
Developer

Joined: 06 Dec 2018
Posts: 2837

Posted: Tue Jul 28, 2020 4:38 am

Well, it's back by default.

pjp
Administrator

Joined: 16 Apr 2002
Posts: 20476

Posted: Tue Jul 28, 2020 6:32 am

Maybe...

Quote:
I tried to put together something that now works and passes the scp
testsuite (with both scp and sftp modes):

https://github.com/openssh/openssh-portable/pull/194

What does not work is the extended remote-to-remote through local,
which would require some more low-level protocol tweaks.

Most of the code is taken and adapted from the sftp.c . There are still
a few TODOs, but let's take it as a first iteration/proof of concept.
https://marc.info/?l=openssh-unix-dev&m=159481501428508&w=4
_________________
Quis separabit? Quo animo?

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 54572
Location: 56N 3W

Posted: Tue Jul 28, 2020 7:40 am

Don't count on scp staying.

Upstream don't like scp and I suspect IUSE=scp is only back long enough to get the publicity out.
Lennart Poettering wrote:
Gentoo folks, this is your wakeup call.


I knew that quote would be useful one day :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

halcon
l33t

Joined: 15 Dec 2019
Posts: 649

Posted: Tue Jul 28, 2020 1:38 pm

Please correct me if my thought process is wrong.

From Bugzilla:
Not having scp installed does nothing to alleviate the vulnerability.

From Write up for CVE id CVE-2020-15778:
Exploit scenarios.
Scenarios where ssh is blocked for user but scp allowed by command option in authorized_keys file. You can bypass this restriction and execute command on remote server.
SCP supports directory transfer with " -r " option. As Linux allows backtick (`) in file name, an attacker can create a payload in file name and when a victim is copying complete folder to remote server, payload in the file name will execute.

=>

So, exploiting this vulnerability becomes possible if:
(1) SCP program is installed on the attacker's computer (not necessarily victim's one), as it can evaluate backticks
and
(2) SCP is allowed in authorized_keys file on the victim's computer

?

EDIT: And a question after: does the USE flag -scp for ssh disable "allowing" scp via authorized_keys file? Or is it better to disallow backticks in filenames for ssh?


Last edited by halcon on Tue Jul 28, 2020 3:24 pm; edited 2 times in total
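
A defender-side check for the two conditions raised in the post above, as an added example that is not part of the thread or of OpenSSH: `risky_names` lists paths whose names contain a backtick or other shell metacharacters (a wider set than the backtick the write-up mentions), and `scp_forced_keys` lists `authorized_keys` entries whose `command=` option runs scp. The function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH); names are illustrative.

# Print paths under DIR whose name contains a character a remote shell would
# interpret (backtick, $, ;, |, &) if the name reaches an scp command line.
risky_names() {
    find "$1" -name '*[`$;|&]*' -print
}

# Print "LINENO:entry" for authorized_keys entries whose forced command
# (the command="..." option) runs scp. Commented-out lines are skipped.
scp_forced_keys() {
    grep -nE 'command="([^"]*[/ ])?scp[ "]' "$1" |
        grep -vE '^[0-9]+:[[:space:]]*#' || true
}

# Build constructed sample data in a temp dir and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/tree/sub"
    : > "$d/tree/report.txt"
    : > "$d/tree/sub/notes \`x\`.txt"   # constructed name with backticks
    : > "$d/tree/sub/a;b.log"           # constructed name with a semicolon
    cat > "$d/authorized_keys" <<'EOF'
# command="scp -t /old" ssh-ed25519 AAAA...constructed old@example
command="scp -t /srv/upload",no-pty ssh-ed25519 AAAA...constructed backup@example
command="/usr/bin/scp -f /srv/out" ssh-ed25519 AAAA...constructed pull@example
command="/usr/libexec/sftp-server" ssh-ed25519 AAAA...constructed sftp@example
ssh-ed25519 AAAA...constructed admin@example
EOF
    printf '%s\n' "$d"
}

# --demo runs both checks on the constructed sample; otherwise DIR [KEYFILE].
case "${1:-}" in
    --demo) s=$(make_sample); risky_names "$s/tree"
            scp_forced_keys "$s/authorized_keys"; rm -rf "$s" ;;
    "") ;;
    *) risky_names "$1"; [ -z "${2:-}" ] || scp_forced_keys "$2" ;;
esac
```

Run it with `--demo` to see both checks on the constructed sample, or pass a directory and an `authorized_keys` path to check real data.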

Anon-E-moose
Watchman

Joined: 23 May 2008
Posts: 6145
Location: Dallas area

Posted: Tue Jul 28, 2020 2:22 pm

pjp wrote:
Maybe...

Quote:
I tried to put together something that now works and passes the scp
testsuite (with both scp and sftp modes):

https://github.com/openssh/openssh-portable/pull/194

What does not work is the extended remote-to-remote through local,
which would require some more low-level protocol tweaks.

Most of the code is taken and adapted from the sftp.c . There are still
a few TODOs, but let's take it as a first iteration/proof of concept.
https://marc.info/?l=openssh-unix-dev&m=159481501428508&w=4


Next message in link
Code:
I have had this in my .bashrc for years:

alias scp='rsync -avzP'


Which works for me, as I have rsyncd everywhere I copy to/from.
_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 20476

PostPosted: Tue Jul 28, 2020 3:37 pm    Post subject: Reply with quote

rsync isn't a solution for me. I've lost data from its misuse. I have not had that problem with scp. sftp does not appear to be a functional replacement, although that may be my lack of understanding how it should be used. The only solution I found was to use a here doc.
_________________
Quis separabit? Quo animo?

Anon-E-moose
Watchman

Joined: 23 May 2008
Posts: 6145
Location: Dallas area

Posted: Tue Jul 28, 2020 3:55 pm

Even if openssh were to remove scp from the tarball, I'm pretty sure someone will pull out the relevant parts to create an scp, it just won't be worked on by openssh upstream and whoever uses it needs to be aware it's not that secure.

Edit to add: even looking at the latest ebuild, scp gets built, whether the scp flag is set or not
Code:
    # https://bugs.gentoo.org/733802
    if ! use scp; then
        rm "${ED}"/usr/{bin/scp,share/man/man1/scp.1} \
            || die "failed to remove scp"
    fi

_________________
PRIME x570-pro, 3700x, 6.1 zen kernel
gcc 13, profile 17.0 (custom bare multilib), openrc, wayland

pjp
Administrator

Joined: 16 Apr 2002
Posts: 20476

Posted: Tue Jul 28, 2020 4:51 pm

That is partly why I referenced the mailing list post. The author has an RH email address, so there might be some backing to have an sftp based scp.
_________________
Quis separabit? Quo animo?