similar to: Deprecation of scp protocol and improving sftp client

On Tue, 2020-06-23 at 08:06 +0200, Markus Friedl wrote: > I had something in mind like this for years, but with slightly > different steps: > My naive approach would be to keep the scp user interface and switch > to the sftp protocol internally. We could add a -M [scp|sftp] option > to scp and select the internal protocol. Later we switch the default > from scp to sftp. > No

scp may be an ugly protocol, but it works, works nicely from a command line, and is quite convenient. FTP (and, presumably, sftp) is not nearly as convenient. Why do you think your recommendation to "use sftp instead" keeps falling on the deaf ear? Usability, perhaps? Perhaps it's time to stop preaching to people about what they should use, but instead - if you really want a change

Why can the local and remote paths be sanitized? Regards, Uri > On Jul 31, 2020, at 19:57, Ethan Rahn <ethan.rahn at gmail.com> wrote: > > ?I wanted to bring this up again due to: > https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear > issue with scp which it sounds like cannot be fixed without breaking scp. > This seems like it would lend some impetus

On 2020/08/05 16:17, raf wrote: > The problem is when, for example, you only have > scp/sftp access to a remote server, such as your bank, > and you use WinSCP to transfer transaction files to > them to be actioned (people do this where I work), and > the bank hasn't properly protected themselves from this > "vulnerability". I really hope all banks do take this >

Hi, OpenSSH 7.7p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at

Hi, OpenSSH 8.0p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at

Hi, the proposed fix for CVE-2019-6111 [1] adds file name validation to scp to prevent the server from sending files that the client actually did not request. Now, a consequence of that patch is that commands which contain server-side brace expansions such as $ scp remote:'/etc/{passwd,group}' . error: unexpected filename: passwd no longer work. Shell globs such as [abc], ?, *,

Hi Jakub, Sorry for the late reply. I was off from work for a few days. I?ve tried to add the noexec, nosuid and nodev mount options but it seems to have some difficulties to do so with kubernetes nfs-mount. I?ll keep trying to resolve it anyway. The patch you pasted is exactly the thing I wanna have. I think it?s super useful and I definitely vote yes for merging it to master. I was actually

Hi, OpenSSH 8.1p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at

Hi, I understand that if I specify `ForceCommand internal-sftp -u <umask>`, the permission of any files uploaded via sftp will be calculated by `<original permission> & ~umask`. However, this can be bypassed by the `-P` option of `put` command. We are developing a shared hosting platform, therefore we definitely don?t want our users being able to upload any executable files. We

https://bugzilla.mindrot.org/show_bug.cgi?id=2619 Bug ID: 2619 Summary: infinite loop, 100% cpu use in ssh if ^Z is pressed at password prompt Product: Portable OpenSSH Version: 7.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component:

On Mon, 4 Nov 2019 at 14:07, David Newall <openssh at davidnewall.com> wrote: > [about scp] That's just awful, and I should have > thought it was not at all necessary. Am I missing something? > If you're saying that the scp protocol is an unfixable mess then the openssh team has been agreeing[0] with you for at least a decade and a half. We fix what we can, but some

I conjecture that only few of the existing use cases rely on remote expansion. In any case (no pun intended), IMHO it would be better to break a few of the current use cases but leave the majority functional - than kill scp for all. Regards, Uri > On Aug 3, 2020, at 02:50, Jakub Jelen <jjelen at redhat.com> wrote: > > ?On Sat, 2020-08-01 at 00:17 +0000, Blumenthal, Uri - 0553

Hi all, We've run into a curious issue. We run CentOS 6.5 with openssh installed (OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 by default). We connect to this server through sftp (Subsystem sftp internal-sftp) using the java JSch library. When opening many sftp channels on a single ssh session OpenSsh does not seem to release the sftp channels closed from the client side when there are

Hi all, First, my apologies if this is not the right forum for this... if there is a more appropriate place to make OpenSSH feature requests, or if this feature already exists, please let me know. Some background: My company makes an 'embedded' audio server box that runs Debian Linux, and one of the product's features is that users can upload files to the server via SSH, using their

On Sun, 2018-01-07 at 18:41 +0000, halfdog wrote: > Hello list, > > I created a page to demonstrate, what would happen when chroot > root directory is writeable. In fact, code execution is possible > already, when only /etc and /bin are writable. I also tried to > escape the chroot jail, but that did not work for non-root users. > > As the 2009 CVE activities mention,

hi, Ran into a problem which I thought was an AIXism, but have since found that it can be reproduced on Linux and MacOS. It can NOT be reproduced on OpenBSD. Reproduced on: AIXv7.1 OpenSSH v6.0p1 RedHat 6.8 OpenSSH 5.4p1 Redhat 7.2 OpenSSH 6.6.1p1 MacOS 10.11 (sorry, forgot to grab the OpenSSH version) Could not reproduce on: OpenBSD 5.9-current, march snapshot, OpenSSH_7.2 OpenBSD

https://bugzilla.mindrot.org/show_bug.cgi?id=2687 Bug ID: 2687 Summary: Coverity scan fixes Product: Portable OpenSSH Version: 7.4p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org

https://bugzilla.mindrot.org/show_bug.cgi?id=2434 Bug ID: 2434 Summary: scp can send arbitrary control characters / escape sequences to the terminal Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: security Priority: P5

I'd like to have sshd write entries into the systemd journal logging sftp transfers. From googling, it seems that one needs to edit /etc/ssh/sshd_config adding this line: Subsystem sftp /usr/lib/ssh/sftp-server -f AUTH -l VERBOSE I can transfer files via filezilla (sftp) but I don't get anything in `journalctl -u sshd` that shows these transfers, just a few lines showing I connected.