Improving the state of security for SCP is overdue. Like you've said, Jakub,
the code just hasn't been worked on in a long time, nor been well-maintained.
I am curious to better understand if the scp binary, as implemented, has
security-related issues of concern here (along with old code), or if the
protocol being used is the significant issue; or maybe a mixture of both.
At this point, almost any direction to improve scp is welcome and appreciated
by many. One challenge for adoption of the method you are proposing (and
working on), is that conflict between the easy/casual use of scp via
established channels where ssh is already accepted (keys, etc) versus those
environments (or set of systems) where an sftp server running is forbidden due
to security hardening requirements.
Security hardening is a scrupulous effort in many places. Reduce the attack
surface, is but one mantra. As others have pointed out, the ease with which to
quickly move some files will never go away, and in that regard, scp has been
'good enough' both from a functionality, as well as security-hardening,
perspectives.
Proposing/discussing how to approach the deprecation of scp-as-we-know-it-today
would help, too.
Thank you.
R,-Joe Wulf
On Monday, November 2, 2020, 10:54:59 AM EST, Jakub Jelen
<jje...@redhat.com> wrote:
On 11/2/20 4:36 PM, Kamil Dudka wrote:
> On Monday, November 2, 2020 3:44:39 PM CET Jakub Jelen wrote:
>> Hi Fedora users!
>>
>> Over the last years, there were several issues in the SCP protocol,
>> which lead us into discussions if we can get rid of it in upstream [1].
>> Most of the voices there said that they use SCP mostly for simple ad-hoc
>> copy and because sftp utility does not provide simple interface to copy
>> one or couple of files back and forth and because of people are just
>> used to write scp rather than sftp.
>>
>> Some months ago, I wrote a patch [2] for scp to use SFTP internally
>> (with possibility to change it back using -M scp) and ran it through
>> some successful testing. The general feedback from upstream was also
>> quite positive so I would like to hear also opinions from our users.
>>
>> It still has some limitations (missing -3 support, it will not work if
>> the server does not run sftp subsystem, ...), but it should be good
>> enough for most common use cases.
>>
>> Today, I set up a copr repository with the current openssh from Fedora +
>> the patch [2] for anyone to test and provide feedback, either here on
>> the mailing list, or in the github PR according to ones preferences.
>>
>> I am looking for any kind of feedback from the idea through the
>> usability, implementation. Is this something you would like to see in
>> Fedora soon? Do you have something against this? Is your use case missing?
>>
>> [1]
>> https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-June/038594.html
>> [2] https://github.com/openssh/openssh-portable/pull/194/
>> [3] https://copr.fedorainfracloud.org/coprs/jjelen/openssh-sftp/
>
> How is the "compatibility scpd to support old clients" going to differ
> from the current implementation?
I can think of a solution that in the end, there will be just the server
parts of the current scp and the client code branches will be gone or
support sftp only. But this can change as we are not there yet.
> libcurl implements its own SCP client over libssh. Will this implementation
> continue to work after OpenSSH gets updated on servers?
With the above update, everything will work as before -- it affects only
the client scp binary.
> Applications often allow users to pass arbitrary URLs to libcurl. So one can,
> for example, use scp:// URLs to specify a kickstart for Anaconda. The fact
> that scp utility will be reimplemented over SFTP does not help much in this
> case. Each build of libcurl that supports scp:// supports sftp:// as well.
> But libcurl will not transmit scp:// requests over sftp:// in case SCP is not
> supported by the remote server any more.
As Simo wrote, I think it is something that will have to happen sooner
or later inside of libcurl or libssh or in users configurations. But
again, the above change should not have any effect on this.
Regards,
--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
