bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-09 21:20 UTC
[Bug 1837] New: scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Summary: scp fails key auth/connection on second host when two
remote paths are specified
Product: Portable OpenSSH
Version: 5.3p1
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P4
Component: scp
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: petiepooo at yahoo.com
When issuing a command such as
scp host1:file host2:.
I observed public key authentication succeeding on host1, but failing
on host2. It was through digging into the verbose output that I
discovered that commands formatted as such are essentially equivalent
to
ssh host1 scp file1 host2:.
with the additional constraint that agent forwarding is explicitly
disabled through a -o option.
My expectation was that it would be more equivalent to
ssh host1 tar cf - file1 | ssh host2 tar xf -
or using scp syntax, something like
ssh -x -t host1 scp -f file1 | ssh -x -t host2 scp -t .
but I was unable to get that particular syntax to work.
The reasons for this expectation are:
1. agent forwarding: I may not trust host1, so don't want to forward my
agent onto that host, but still may need it for access to host2.
2. accessible networks: I may not be able to reach host2 from host1,
but can reach both hosts from the localhost I'm running scp on.
3. DNS resolution: host2 may resolve to different IPs on the localhost
versus on host1. That difference would not be obvious to the user
without close examination of the verbose output.
4. Obvious test: "scp host1:file ." and "scp file host2:."
both work,
but combining them into a single command does something completely
unexpected, and breaks.
I realize that, under the behavior I expected, the localhost running
scp would act simply as a conduit for two remote connections, which may
be perceived as wasting bandwidth on that host, but that behavior is
precisely what I needed, and is how I expected it to act based simply
on the format of the command. If I had wanted to transfer directly
from host1 to host2, I would have run it's sensible equivalent of
ssh host1 scp file1 host2:.
The bug summary is a little misleading, as it doesn't describe my
expectations as explained above, but it does show the symptom that led
to me filing this bug report. My hope is that it will make searching
for the symptom easier for confused end users such as me. Feel free to
change if you find a better way of summarizing this.
The tar solution allows me to work around this, so I wouldn't consider
this a severe issue. Documenting this format more completely may be
sufficient, but as it is, there is no solution I know of using only
ssh/scp equivalent to what the tar solution gives me. If most people
are like me, they wouldn't think using two remote paths would form a
chain from localhost to host1 then to host2; they would assume the path
is from host1 through localhost to host2.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-22 09:20 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Nadav Har'El <nyh at math.technion.ac.il> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |nyh at math.technion.ac.il
--- Comment #1 from Nadav Har'El <nyh at math.technion.ac.il>
2010-11-22 20:20:59 EST ---
I agree that the current behavior when two remote hosts are specified
is unexpected, illogical, and should be considered a bug.
The "scp" manual page says that "Copies between two remote hosts
are
also permitted.". This is not quite the case - and if the current
behavior remains (and I think it shouldn't...), it should at least be
explained.
The reason I think the current behavior is NOT useful, is that on
today's internet, security is rarely symmetrical: The fact that host A
can ssh to host B and to host C, doesn't mean that B and C can ssh back
to A, or ssh between themselves. So when I do on host A 'scp B:...
C:...', I certainly don't expect B and C to communicate directly - if I
wanted to do that I would have written "ssh B -c scp ... C:". When I
go
and run 'scp B:... C:...' on A, I fully expect all the data to pass
through A.
scp B:... C:... could have been very useful when I want to transfer a
large remote file between B and C, without keeping a copy on A and when
B and C cannot communicate directly (because of routing or
authentication issues).
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-23 23:58 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837 --- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2010-11-24 10:58:32 EST --- Created attachment 1963 --> https://bugzilla.mindrot.org/attachment.cgi?id=1963 openssh-scp-remotetoremote.patch Only set ForwardAgent=no for local-to-remote and remote-to-local cases. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-24 01:03 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1963|0 |1
is obsolete| |
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2010-11-24
12:03:53 EST ---
Comment on attachment 1963
--> https://bugzilla.mindrot.org/attachment.cgi?id=1963
openssh-scp-remotetoremote.patch
Ignore that patch, it's rubbish. On further investigation there's some
more work required. In the mean time if you want a workaround, try
adding:
Host yourhost
ForwardAgent yes
to your ~/.ssh/config file and see if that helps
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-24 01:19 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837 --- Comment #4 from Damien Miller <djm at mindrot.org> 2010-11-24 12:19:47 EST --- Created attachment 1966 --> https://bugzilla.mindrot.org/attachment.cgi?id=1966 /home/djm/scp-propagate-opts.diff propogate commandline options on remote-remote copies -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-24 01:21 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #5 from Damien Miller <djm at mindrot.org> 2010-11-24 12:21:53
EST ---
Yes, we agree that this behaviour is stupid. Unfortunately, scp just
rcp, which is 27 years old and is widely understood to behave exactly
as it does. If we change it then we will break users' expectations and
scripts.
We aren't really interested in extending scp either. It implements no
backwards compatibility mechanisms and the code is unpleasant to work
on.
That being said, the current behaviour of scp is broken in that it
doesn't propagate options from the commandline to the ssh command used
to invoke the remote-remote copy. This stops a user from manually
specifying that they want to forward their agent on the commandline
(doing it in the config file already works ok).
The patch I just attached fixes this.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-24 01:22 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1966| |ok?(dtucker at zip.com.au)
Flags| |
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-24 01:22 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1803
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-24 03:18 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837 --- Comment #6 from Darren Tucker <dtucker at zip.com.au> 2010-11-24 14:18:30 EST --- Comment on attachment 1966 --> https://bugzilla.mindrot.org/attachment.cgi?id=1966 /home/djm/scp-propagate-opts.diff>+ addargs(&remote_remote_args, "-oBatchmode yes"); > addargs(&args, "-oBatchmode yes");Is that going to work? I would expect it to get parsed as 2 args by the remote shell and broken into '-oBatchmode' and 'yes' then have ssh choke on a missing arg to BatchMode. -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-24 03:26 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #7 from Darren Tucker <dtucker at zip.com.au> 2010-11-24
14:26:54 EST ---
easy fix: s/ /=/
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-25 20:36 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837 --- Comment #8 from Damien Miller <djm at mindrot.org> 2010-11-26 07:36:54 EST --- Created attachment 1968 --> https://bugzilla.mindrot.org/attachment.cgi?id=1968 /home/djm/scp-propagate-opts.diff revised patch -- Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-25 20:37 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1968| |ok?(dtucker at zip.com.au)
Flags| |
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-25 20:37 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1966|0 |1
is obsolete| |
Attachment #1966|ok?(dtucker at zip.com.au) |
Flags| |
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-26 04:39 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1968|ok?(dtucker at zip.com.au) |ok+
Flags| |
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-26 06:00 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #9 from Damien Miller <djm at mindrot.org> 2010-11-26 17:00:12
EST ---
Patch applied, but as I mentioned we can't/won't make further
alterations to scp.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2010-Nov-26 21:07 UTC
[Bug 1837] scp fails key auth/connection on second host when two remote paths are specified
https://bugzilla.mindrot.org/show_bug.cgi?id=1837
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|1803 |
Status|RESOLVED |REOPENED
Resolution|FIXED |
Severity|minor |enhancement
--- Comment #10 from Damien Miller <djm at mindrot.org> 2010-11-27
08:07:15 EST ---
Markus reminds me that we can open two connections (to source and
destination host) without requiring any protocol changes, so the only
thing to overcome here is the code smell.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
Possibly Parallel Threads
- scp host1:file1 host2:file2 -> Permission denied??????
- ownership permissions on files replaced via scp -- bug or feature?
- [Bug 2210] New: scp -q isn't quiet when copying between two remote hosts
- [Bug 1164] scp with spaces username no longer works
- [Bug 985] scp doesn't honor local ~/.ssh/config for host2