Disabling SCP protocol as much as possible
Resolves: rhbz#2001002
parent
f9e5ded9dd
commit
f32839a5e4
46
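--- a/openssh-8.7p1-scp-kill-switch.patch
+++ b/openssh-8.7p1-scp-kill-switch.patch
@@ -0,0 +1,46 @@
+diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
+--- openssh-8.7p1/pathnames.h.kill-scp 2021-09-16 11:37:57.240171687 +0200
++++ openssh-8.7p1/pathnames.h 2021-09-16 11:42:29.183427917 +0200
+@@ -42,6 +42,7 @@
+#define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
+#define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
+#define _PATH_DH_MODULI SSHDIR "/moduli"
++#define _PATH_SCP_KILL_SWITCH SSHDIR "/disable_scp"
+
+#ifndef _PATH_SSH_PROGRAM
+#define _PATH_SSH_PROGRAM "/usr/bin/ssh"
+diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
+--- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200
++++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200
+@@ -278,6 +278,13 @@ to print debugging messages about their
+This is helpful in
+debugging connection, authentication, and configuration problems.
+.El
++.Pp
++Usage of SCP protocol can be blocked by creating a world-readable
++.Ar /etc/ssh/disable_scp
++file. If this file exists, when SCP protocol is in use (either remotely or
++via the
++.Fl O
++option), the program will exit.
+.Sh EXIT STATUS
+.Ex -std scp
+.Sh SEE ALSO
+diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
+--- openssh-8.7p1/scp.c.kill-scp 2021-09-16 11:42:56.013650519 +0200
++++ openssh-8.7p1/scp.c 2021-09-16 11:53:03.249713836 +0200
+@@ -596,6 +596,14 @@ main(int argc, char **argv)
+if (iamremote)
+mode = MODE_SCP;
+
++ if (mode == MODE_SCP) {
++ FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
++ if (f != NULL) {
++ fclose(f);
++ fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
++ }
++ }
++
+if ((pwd = getpwuid(userid = getuid())) == NULL)
+fatal("unknown user %u", (u_int) userid);
+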
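Review bot: The kill switch in the scp.c hunk is only as strong as the invoking user's read permission on the marker file, because `fopen(_PATH_SCP_KILL_SWITCH, "r")` returns NULL for EACCES exactly as it does for ENOENT, so a `/etc/ssh/disable_scp` created with mode 0600 silently fails open; the man-page hunk's "world-readable" wording documents this dependency rather than removing it. If fail-closed is the intended policy, test for existence rather than readability and treat any error other than a genuinely absent file as "disabled": `struct stat st;` / `if (stat(_PATH_SCP_KILL_SWITCH, &st) == 0 || errno != ENOENT)` / `fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);`, which also drops the open/close of a stream the code never reads; this presumably needs <sys/stat.h> and <errno.h>, which scp.c likely already includes — confirm. The placement is otherwise sound: the check runs after `if (iamremote) mode = MODE_SCP;`, so it covers both the `-O` client and the server-side `-t`/`-f` invocation, while a client defaulting to SFTP is never affected. main() begins and ends outside this hunk.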
129
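--- a/openssh-8.7p1-sftp-default-protocol.patch
+++ b/openssh-8.7p1-sftp-default-protocol.patch
@@ -0,0 +1,129 @@
+diff --git a/scp.1 b/scp.1
+index 68aac04b..a96e95ad 100644
+--- a/scp.1
++++ b/scp.1
+@@ -8,9 +8,9 @@
+.\"
+.\" Created: Sun May 7 00:14:37 1995 ylo
+.\"
+-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
++.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $
+.\"
+-.Dd $Mdocdate: August 11 2021 $
++.Dd $Mdocdate: September 8 2021 $
+.Dt SCP 1
+.Os
+.Sh NAME
+@@ -18,7 +18,7 @@
+.Nd OpenSSH secure file copy
+.Sh SYNOPSIS
+.Nm scp
+-.Op Fl 346ABCOpqRrsTv
++.Op Fl 346ABCOpqRrTv
+.Op Fl c Ar cipher
+.Op Fl D Ar sftp_server_path
+.Op Fl F Ar ssh_config
+@@ -37,9 +37,6 @@ It uses
+.Xr ssh 1
+for data transfer, and uses the same authentication and provides the
+same security as a login session.
+-The scp protocol requires execution of the remote user's shell to perform
+-.Xr glob 3
+-pattern matching.
+.Pp
+.Nm
+will ask for passwords or passphrases if they are needed for
+@@ -79,7 +76,9 @@ The options are as follows:
+Copies between two remote hosts are transferred through the local host.
+Without this option the data is copied directly between the two remote
+hosts.
+-Note that, when using the legacy SCP protocol (the default), this option
++Note that, when using the legacy SCP protocol (via the
++.Fl O
++flag), this option
+selects batch mode for the second host as
+.Nm
+cannot ask for passwords or passphrases for both hosts.
+@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s.
+.It Fl O
+Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
+Forcing the use of the SCP protocol may be necessary for servers that do
+-not implement SFTP or for backwards-compatibility for particular filename
+-wildcard patterns.
+-This mode is the default.
++not implement SFTP, for backwards-compatibility for particular filename
++wildcard patterns and for expanding paths with a
++.Sq ~
++prefix for older SFTP servers.
+.It Fl o Ar ssh_option
+Can be used to pass options to
+.Nm ssh
+@@ -258,16 +258,6 @@ to use for the encrypted connection.
+The program must understand
+.Xr ssh 1
+options.
+-.It Fl s
+-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
+-Using SFTP avoids invoking a shell on the remote side and provides
+-more predictable filename handling, as the SCP protocol
+-relied on the remote shell for expanding
+-.Xr glob 3
+-wildcards.
+-.Pp
+-A near-future release of OpenSSH will make the SFTP protocol the default.
+-This option will be deleted before the end of 2022.
+.It Fl T
+Disable strict filename checking.
+By default when copying files from a remote host to a local directory
+@@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems.
+.Xr ssh_config 5 ,
+.Xr sftp-server 8 ,
+.Xr sshd 8
++.Sh CAVEATS
++The original scp protocol (selected by the
++.Fl O
++flag) requires execution of the remote user's shell to perform
++.Xr glob 3
++pattern matching.
++This requires careful quoting of any characters that have special meaning to
++the remote shell, such as quote characters.
+.Sh HISTORY
+.Nm
+is based on the rcp program in
+.Bx
+source code from the Regents of the University of California.
++.Pp
++Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds),
++.Nm
++has use the SFTP protocol for transfers by default.
+.Sh AUTHORS
+.An Timo Rinne Aq Mt tri@iki.fi
+.An Tatu Ylonen Aq Mt ylo@cs.hut.fi
+diff --git a/scp.c b/scp.c
+index e039350c..c7cf7529 100644
+--- a/scp.c
++++ b/scp.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
++/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */
+/*
+* scp - secure remote copy. This is basically patched BSD rcp which
+* uses ssh to do the data transfer (instead of using rcmd).
+@@ -448,7 +448,7 @@ main(int argc, char **argv)
+const char *errstr;
+extern char *optarg;
+extern int optind;
+- enum scp_mode_e mode = MODE_SCP;
++ enum scp_mode_e mode = MODE_SFTP;
+char *sftp_direct = NULL;
+
+/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+@@ -1983,7 +1983,7 @@ void
+usage(void)
+{
+(void) fprintf(stderr,
+- "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
++ "usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
+" [-i identity_file] [-J destination] [-l limit]\n"
+" [-o ssh_option] [-P port] [-S program] source ... target\n");
+exit(1);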
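Review bot: The HISTORY paragraph added in the last scp.1 hunk has a grammatical error in its final line: `has use the SFTP protocol for transfers by default.` should read `has used the SFTP protocol for transfers by default.` The parenthetical `(8.7 in Red Hat/Fedora builds)` is presumably a downstream addition that the upstream 1.101 revision named in the new `$OpenBSD:` header does not carry, so it will need to be re-applied on every rebase of this patch — worth stating in the spec's Patch976 comment so it is not lost. The new CAVEATS section preserves the shell-quoting warning for `-O`, so the removal of the `-s` text loses no guidance.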
11
openssh.spec
@ -193,6 +193,10 @@ Patch966: openssh-8.2p1-x11-without-ipv6.patch
Patch974: openssh-8.0p1-keygen-strip-doseol.patch
Patch974: openssh-8.0p1-keygen-strip-doseol.patch
# sshd provides PAM an incorrect error code (#1879503)
# sshd provides PAM an incorrect error code (#1879503)
Patch975: openssh-8.0p1-preserve-pam-errors.patch
Patch975: openssh-8.0p1-preserve-pam-errors.patch
# Use SFTP protocol by default for scp command
Patch976: openssh-8.7p1-sftp-default-protocol.patch
# Implement kill switch for SCP protocol
Patch977: openssh-8.7p1-scp-kill-switch.patch
License: BSD
License: BSD
Requires: /sbin/nologin
Requires: /sbin/nologin
@ -368,6 +372,8 @@ popd
%patch966 -p1 -b .x11-ipv6
%patch966 -p1 -b .x11-ipv6
%patch974 -p1 -b .keygen-strip-doseol
%patch974 -p1 -b .keygen-strip-doseol
%patch975 -p1 -b .preserve-pam-errors
%patch975 -p1 -b .preserve-pam-errors
%patch976 -p1 -b .sftp-by-default
%patch977 -p1 -b .kill-scp
%patch200 -p1 -b .audit
%patch200 -p1 -b .audit
%patch201 -p1 -b .audit-race
%patch201 -p1 -b .audit-race
@ -653,7 +659,10 @@ test -f %{sysconfig_anaconda} && \
%changelog
%changelog
* Fri Sep 24 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-1 + 0.10.4-4
* Fri Sep 24 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-1 + 0.10.4-4
- New upstream release (#2001002)
- New upstream release
- Switch to SFTP protocol in scp utility by default
- Enable SCP protocol kill switch
Related: rhbz#2001002
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 8.6p1-7.1
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 8.6p1-7.1
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags