Deprecating scp

Welcome to LWN.acquire

The next subscription-handiest negate has been made on hand to you
by an LWN subscriber. Thousands of subscribers depend upon LWN for the
handiest info from the Linux and free diagram communities. While you revel on this
article, please have in thoughts accepting the trial provide on the upright. Thank you
for visiting LWN.acquire!

Free trial subscription

Are trying LWN without spending a dime for 1 month: no price
or credit card required. Set off
your trial subscription now
and peep why hundreds of
readers subscribe to LWN.acquire.

By Jonathan Corbet
November 5, 2020



say, which makes use of the SSH protocol to
replica info between
machines, is deeply wired into the fingers of many Linux users and
developers — doubly so for these of us who quiet specialize in of it as a extra
proper replacement for


. Many users might perhaps well even be significantly surprised to study,
even supposing, that the resemblance to


goes beyond the name; much of
the underlying protocol is the connected to effectively. That protocol is showing its
age, and the OpenSSH neighborhood has
even handed it deprecated for a whereas.


in a contrivance that keeps users cheerful is perhaps no longer a straightforward
project, even supposing.

scp, admire rcp sooner than it, used to be designed to see as much
admire the strange cp say as doable. It has a somewhat
easy, scriptable say-line interface that makes recursive and
multi-file copies easy. It makes use of the SSH authentication mechanisms when
connecting between machines and encrypts info in flight, so it is always
even handed as being proper. It turns out, even supposing, that in some situations,
notably these the assign
there might perhaps be exiguous or no belief between the two ends of the connection, the
staunch level of security might perhaps well even be lower than anticipated.

Deem, for instance, the OpenSSH 8.0
release, which included a fix for the vulnerability identified as CVE-2019-6111.
In the scp protocol, the aspect containing the file(s) to be copied
supplies the name(s) to the receiving aspect. So one might perhaps well well form a say

    $ scp admin:boring-spreadsheet.ods .

with the expectation of getting a file called
boring-spreadsheet.ods within the present working itemizing. If the
far away server had been to present a response admire “here is the
.bashrc file you asked for”, even supposing, scp would
fortunately overwrite that file as an alternative. The 8.0 release fastened this narrate by
comparing the file name from the far away aspect with what used to be in actuality asked
for, however the release announcement also acknowledged that the scp protocol is
old-customary, rigid and no longer readily fastened” and beneficial
migrating far off from scp.

is a numerous account. Endure in thoughts that scp is constructed on SSH, so when
one kinds a say admire:

    $ scp election-predictions.txt dumpster:junk/

the result will likely be an SSH connection to dumpster operating this

    scp -t junk/

That say, the utilization of the undocumented -t contrivance to specify a
destination (“to”) itemizing, will then take care of requests to transfer info
into junk.
This mechanism leaves the door initiating for numerous kinds of tantalizing
mischief. Are trying operating one thing admire this:

    $ scp some-native-file far away:'`touch you-lose`far away-file'

This would perhaps per chance well result within the advent of two info on the far away diagram:
the anticipated far away-file and an empty file called
you-lose. Including extra attention-grabbing contents to that file is left
as an say for the reader.

Whether this behavior constitutes a vulnerability is partly within the gape of
the beholder. If the person has strange SSH entry to the far away diagram,
smuggling commands thru scp is correct a extra tough solution to attain things that
are already doable. Evidently, even supposing, it is no longer unheard-of for sites to
provide scp-handiest entry, permitting users to replica info however no longer to
discontinue arbitrary commands on the target diagram. For systems with that
invent of policy, this behavior is indeed a vulnerability. At final, whereas
the likelihood is much away, it is rate noting that a local file name containing
`backticks` (a file named `touch you-lose`, for instance)
will likely be dealt with the the same contrivance on the different pause; if a person will even be cheerful
to form a recursive replica of a itemizing tree containing a file with a
malicious name, unfriendly things can happen.

Unlike CVE-2019-6111, this narrate has no longer been addressed by the OpenSSH
developers. As quoted within the disclosure linked above, their response is:

The scp say is a historical protocol (called rcp) which depends
upon that form of argument passing and encounters growth
complications. It has confirmed very refined to add “security” to the scp
mannequin. All makes an strive to “detect” and “quit” anomalous argument
transfers stand a immense likelihood of breaking existing workflows. Yes,
we admire it the scenario sucks. However we manufacture no longer have to ruin the
easy patterns other folks use scp for, till there might perhaps be a customary

On condition that, the next count on comes naturally: what have to substitute the
deprecated scp say? The identical old reply to that count on is
both sftp or rsync.

The sftp say has essentially the most attention-grabbing thing about being a segment of the OpenSSH
bundle and, thus, on hand in most locations that scp will even be
stumbled on. Its downside is a much much less pleasurable person ride,
notably in cases the assign one simply wants to form a say and peep info
pass. A straightforward say admire:

    $ sftp far away:

will no longer work as anticipated. Some makes use of require coming into an “interactive
mode” that’s acquainted to those of us traditional adequate to acquire once traditional FTP for
file transfers; we’re also traditional adequate to be aware why we switched from FTP to
commands admire rcp and scp as soon as they grew to develop into
on hand.

rsync is a nice different that has essentially the most attention-grabbing thing about
performing higher than scp, which is rarely any longer notably hastily. However
rsync is no longer any longer as universally on hand as the SSH suite of
commands; its GPLv3 licensing might perhaps well be a deterrent to obvious lessons of
users. Even when it is on hand, rsync customarily feels extra admire the
vitality tool that’s brought out for tidy jobs; scp is the Swiss
Navy knife that’s readily at hand and upright adequate as a rule.

Then, there might perhaps be the easy matter that scp is ingrained so deeply
into the muscle memory of so many users. As with other deprecated commands
(ifconfig, roar), it might perhaps per chance even be exhausting to ticket the switch.

For all of these reasons, it might perhaps per chance well be fine to acquire a model of
scp that would no longer suffer from the present say’s complications. As
it turns out, Jakub Jelen is engaged on this form of
; it is an
scp say
that makes use of the sftp protocol below the
hood. At this level, it is acknowledged to work for most classic utilization eventualities;
some alternate solutions (much like -3, which copies info between two far away
hosts by the use of the native machine) are no longer supported. “Aspects” admire

Read More

Similar Products:

Recent Content