Hi,

Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) box and server is running on Win2K. When I try to transfer files it asks me for the password (which I provide) then it hangs. Using 'scp -v' didn't provide any helpful info; it's as though the problem happened before the authentication completed. I've looked through both the openssh-unix-dev and secure-shell list archives and I haven't seen any issue between the two.

-Ricardo
Thanks VERY much, Antti! We've been working on this problem since Friday with no success. I'll do some testing with the OpenSSH 'sftp' client in our scripts to see if I can make it work for our needs.

-Ricardo

-----Original Message-----
From: Antti Akonniemi [mailto:Antti.Akonniemi at F-Secure.com]
Sent: Wednesday, March 07, 2001 4:24 AM
To: Davis, Ricardo C.
Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems

Ok here's what I found in testing:

OpenSSH's scp seems not to be SSH2 compatible
OpenSSH's sftp seems to work without any problems (use this)

I'm still puzzled how the scp lets you authenticate yourself.. but the problem seems to be still on the openssh side.

Hope this helped,

Antti

"Davis, Ricardo C." wrote:
> Hi,
>
> Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and
> F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) box
> and server is running on Win2K. When I try to transfer files it asks me for
> the password (which I provide) then it hangs. Using 'scp -v' didn't provide
> any helpful info; it's as though the problem happened before the
> authentication completed. I've looked through both the openssh-unix-dev and
> secure-shell list archives and I haven't seen any issue between the two.
>
> -Ricardo

--
Antti Akonniemi            tel: +358 9 2520 5205
Quality Engineer, CFSFE    fax: +358 9 2520 5001
                           mobile: +358 40 505 1909
F-Secure Corporation       http://www.F-Secure.com
F-Secure: Securing the Mobile, Distributed Enterprise
Thanks for your reply, Ben.

If I'm reading your response correctly, 'scp' actually uses SSH1 protocol to transfer files. My assumption was that 'scp', by using the 'ssh' client, would operate based on the settings in the /etc/ssh/ssh_config file. In this file the site-wide default settings I have "Protocol 2", that is that the 'ssh' client would always use SSH2 protocol unless I specify SSH1 protocol at the command line. I guess I was wrong here. However, reading the 'man' pages for 'scp' and 'ssh' would lead to the conclusion that it is possible.

To satisfy my curiosity, I tried using the scp '-o' option to pass the '-2' option to 'ssh' -- which forces 'ssh' to force SSH2. The result:

$ scp -o -2 fci07230.998 ricardo at 205.215.35.38:
command-line: line 0: Bad configuration option: -2
lost connection

I guess this means that scp will not allow the use of '-2' for the transfer, correct? Perhaps the 'scp' man page needs to explicitly state the limitation that it can only use SSH1. I was unaware that there was a different implementation of secure copy that allowed the use of SSH2 (that is, scp2).

-Ricardo

-----Original Message-----
From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org]
Sent: Wednesday, March 07, 2001 10:20 AM
To: Davis, Ricardo C.
Cc: 'Antti Akonniemi'
Subject: RE: OpenSSH/scp ->> F-Secure SSH server Problems

OpenSSH will allow for authentication because scp2 like scp and sftp uses the 'ssh' program to create the secure connection. Thus allowing scp2, scp, and sftp to be non-setuid root binaries.

There is talk about implementing scp2 for OpenSSH, but I think that features first need to be added to sftp before we write an scp2 wrapper around sftp.

Hopefully in the near future we will have scp2 support. We just acquired sftp client support within the last month.

- Ben

On Wed, 7 Mar 2001, Davis, Ricardo C. wrote:
> Thanks VERY much, Antti! We've been working on this problem since Friday
> with no success. I'll do some testing with the OpenSSH 'sftp' client in our
> scripts to see if I can make it work for our needs.
>
> -Ricardo
>
> -----Original Message-----
> From: Antti Akonniemi [mailto:Antti.Akonniemi at F-Secure.com]
> Sent: Wednesday, March 07, 2001 4:24 AM
> To: Davis, Ricardo C.
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
> Ok here's what I found in testing:
>
> OpenSSH's scp seems not to be SSH2 compatible
> OpenSSH's sftp seems to work without any problems (use this)
>
> I'm still puzzled how the scp lets you authenticate yourself.. but the
> problem seems to be still on the openssh side.
>
> Hope this helped,
>
> Antti
>
> "Davis, Ricardo C." wrote:
> >
> > Hi,
> >
> > Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and
> > F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) box
> > and server is running on Win2K. When I try to transfer files it asks me for
> > the password (which I provide) then it hangs. Using 'scp -v' didn't provide
> > any helpful info; it's as though the problem happened before the
> > authentication completed. I've looked through both the openssh-unix-dev and
> > secure-shell list archives and I haven't seen any issue between the two.
> >
> > -Ricardo
mouring at etoh.eviladmin.org
2001-Mar-10 23:28 UTC
OpenSSH/scp ->> F-Secure SSH server Problems
On Tue, 6 Mar 2001, Davis, Ricardo C. wrote:
> Hi,
>
> Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and
> F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) box
> and server is running on Win2K. When I try to transfer files it asks me for
> the password (which I provide) then it hangs. Using 'scp -v' didn't provide
> any helpful info; it's as though the problem happened before the
> authentication completed. I've looked through both the openssh-unix-dev and
> secure-shell list archives and I haven't seen any issue between the two.
>

This has come up before.. F-Secure uses scp2 which is scp over sftp subsystem. Where OpenSSH only supports scp which is rcp over ssh.

I suggest you check out the sftp client provided in the latest release of OpenSSH for transfer compatibility with F-Secure.

When time permits I'm sure someone will write an scp2 replacement for OpenSSH, but I believe our sftp client needs improvement before we write an scp2 replacement.

- Ben
[ On Tuesday, March 6, 2001 at 18:47:10 (-0500), Davis, Ricardo C. wrote: ]
> Subject: OpenSSH/scp ->> F-Secure SSH server Problems
>
> Is there some known problem between the 'scp' client in OpenSSH 2.5.1p1 and
> F-Secure's SSH 2.4.0 server? The client is running on a Linux (2.2.17) box
> and server is running on Win2K. When I try to transfer files it asks me for
> the password (which I provide) then it hangs. Using 'scp -v' didn't provide
> any helpful info; it's as though the problem happened before the
> authentication completed. I've looked through both the openssh-unix-dev and
> secure-shell list archives and I haven't seen any issue between the two.

OpenSSH does not yet seem to implement server support for SSH-v2.4's "scp" which now, for reasons that mystify me greatly, seems to now depend on sftp on the server side.

However I have not had any trouble with any OpenSSH client "scp" talking to an SSH-2.4 server.

--
Greg A. Woods

+1 416 218-0098  VE3TCP  <gwoods at acm.org>  <robohack!woods>
Planix, Inc. <woods at planix.com>;  Secrets of the Weird <woods at weird.com>
> From: woods at weird.com [mailto:woods at weird.com]
> Sent: Sunday, March 11, 2001 8:31 AM
>
> [ On Sunday, March 11, 2001 at 12:06:51 (+0100), Markus Friedl wrote: ]
> > Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
> >
> > On Sun, Mar 11, 2001 at 12:21:47AM -0500, Greg A. Woods wrote:
> > > OpenSSH does not yet seem to implement server support for
> > > depend on sftp on the server side.
> > >
> > > However I have not had any trouble with any OpenSSH
> >
> > you could install openssh's scp on the server then scp works
> > from the openssh client.
>
> But that's the part that works already. It's SSH-2.4.0 client scp to
> OpenSSH server that doesn't work (and which needs sftp server-side
> support).
>
> (I don't really understand why rcp over ssh wasn't sufficient and why
> SSH-2.4.0 now uses the sftp gunge to implement scp, but perhaps there's
> a reasonable reason....)

I echo your lack of understanding. Sometimes, "if it ain't broke ... don't fix it" applies and if you *are* going to muck with it, create an enhancement and leave the, working, original alone.

I've been using 1.2.27 (non-com), w/ the 2.0.13 patch, for quite a while now. It works fine, but I'd really like to have a Win32 version of both. I haven't gone to OpenSSH because of issues like what we're talking about here (however, I use OpenSSL quite a bit). I also don't understand the fascination folks have for FTP. Anything that uses non-deterministic dynamically reassigned ports is fundamentally insecurable. Full authentication can only be accomplished when both sides of the connection are fully deterministic. In short, sftp ain't... FTP must die. If you want secure files distro, use https. If you want secure file uploads, scp does the job nicely, or a Java uploader, under https. Getting the SSH/FTP(sftp) kludge to work only weakens SSH.
Then maybe there is a serious disconnect. sftp was billed, to me, as SSH+FTP. Was that wrong? Otherwise, what is the difference between scp and sftp? ... a user interface that could probably be better done with a https page?

> -----Original Message-----
> From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de]
> Sent: Sunday, March 11, 2001 3:50 PM
> To: Roeland Meyer
> Cc: 'ssh'; 'openssh-unix-dev at mindrot.org'
> Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
>
> On Sun, Mar 11, 2001 at 01:37:34PM -0800, Roeland Meyer wrote:
> > I've been using 1.2.27 (non-com), w/ the 2.0.13 patch, for quite a while
> > now. It works fine, but I'd really like to have a Win32 version of both. I
> > haven't gone to OpenSSH because of issues like what we're talking about here
> > (however, I use OpenSSL quite a bit). I also don't understand the
> > fascination folks have for FTP. Anything that uses non-deterministic
> > dynamically reassigned ports is fundamentally insecurable. Full
> > authentication can only be accomplished when both sides of the connection
> > are fully deterministic. In short, sftp ain't... FTP must die. If you want
> > secure files distro, use https. If you want secure file uploads, scp does
> > the job nicely, or a Java uploader, under https. Getting the SSH/FTP(sftp)
> > kludge to work only weakens SSH.
>
> this does not make sense to me.
>
> SFTP is not at all related to FTP.
>
> SFTP is not 'fundamentally insecurable'
>
> SFTP is as secure as SCP.
>
On Sun, Mar 11, 2001 at 09:37:54PM -0800, Roeland Meyer wrote:
> Then maybe there is a serious disconnect. sftp was billed, to me, as
> SSH+FTP. Was that wrong?

yes. SFTP != SSH+FTP

> Otherwise, what is the difference between scp and sftp?

the scp client speaks rsh over ssh
the sftp client speaks ietf-secsh-filexfer over ssh
the scp2 client speaks ietf-secsh-filexfer over ssh

-m
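Added example, not part of any message in this thread: the distinction drawn above (scp runs a remote command over ssh, while sftp and scp2 ask the server for the sftp subsystem) is visible in the channel request a client sends once authentication has already succeeded. The sketch assumes the channel-request layout as later standardized in RFC 4254 and OpenSSH's `scp -t` / `scp -f` remote invocation; the function names, result labels and sample payloads are constructed for illustration.

```python
import struct

SSH_MSG_CHANNEL_REQUEST = 98  # message number as standardized in RFC 4254

def _string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def build_request(channel: int, req_type: str, arg: str) -> bytes:
    """Encode an 'exec' (arg = command) or 'subsystem' (arg = name) request."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + _string(req_type.encode()) + b"\x01" + _string(arg.encode()))

def _read_string(buf: bytes, off: int):
    """Bounds-checked read of one SSH string; returns (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of payload")
    return buf[off + 4:end], end

def classify(payload: bytes) -> str:
    """Name the file-transfer mechanism a channel request asks the server for."""
    if len(payload) < 5 or payload[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a channel request")
    req_type, off = _read_string(payload, 5)  # skip type byte + channel id
    if off >= len(payload):
        raise ValueError("missing want_reply flag")
    arg, _ = _read_string(payload, off + 1)   # skip want_reply boolean
    if req_type == b"subsystem" and arg == b"sftp":
        return "sftp-subsystem"               # what sftp and scp2 clients request
    if req_type == b"exec":
        argv = arg.decode("utf-8", "replace").split()
        is_scp = bool(argv) and argv[0].rsplit("/", 1)[-1] == "scp"
        if is_scp and {"-t", "-f"} & set(argv[1:]):
            return "rcp-style-scp"            # needs an scp binary on the server
        return "other-exec"
    return "other"

# Constructed sample payloads (not captured from the systems in this thread).
SAMPLES = {
    "openssh scp upload": build_request(0, "exec", "scp -t ."),
    "sftp / scp2 client": build_request(0, "subsystem", "sftp"),
}
print({name: classify(p) for name, p in SAMPLES.items()})
```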
> > I also don't understand the
> > fascination folks have for FTP. Anything that uses non-deterministic
> > dynamically reassigned ports is fundamentally insecurable.
>
> In this case (i.e. in the case of wanting to "ftp" over SSH) the issue
> is with the stupid user interface. Naive users are looking for some SSH
> file copying tool that works just like their FTP clients, i.e. where
> they can see a list of files on the server and click/drag/whatever them
> to effect the copy.

Why do you need to use FTP over SSH when FTP is "securable" using any number of methods? The most common methods are

SSL/TLS GSSAPI Kerberos SRP

When using any of these methods both the command and data channels used by FTP are authenticated, encrypted and integrity checked. In other words, they are secure.

C-Kermit 7.1 provides an FTP client and supports all of the above methods. FTP daemons that implement the above protocols are available from a number of sources depending on which protocol you wish to use.

Jeffrey Altman * Sr.Software Designer
The Kermit Project @ Columbia University
http://www.kermit-project.org/
kermit-support at kermit-project.org

C-Kermit 7.1 Alpha available
includes Secure Telnet and FTP using Kerberos, SRP, and OpenSSL. SSH soon to follow.