From f32839a5e47124933fc3998b69cacb52773ff1dd Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy
Date: Sep 24 2021 14:51:04 +0000
Subject: Disabling SCP protocol as much as possible
Resolves: rhbz#2001002
---
diff --git a/openssh-8.7p1-scp-kill-switch.patch b/openssh-8.7p1-scp-kill-switch.patch
new file mode 100644
index 0000000..6710304
--- /dev/null
+++ b/openssh-8.7p1-scp-kill-switch.patch
@@ -0,0 +1,46 @@
+diff -up openssh-8.7p1/pathnames.h.kill-scp openssh-8.7p1/pathnames.h
+--- openssh-8.7p1/pathnames.h.kill-scp 2021-09-16 11:37:57.240171687 +0200
++++ openssh-8.7p1/pathnames.h 2021-09-16 11:42:29.183427917 +0200
+@@ -42,6 +42,7 @@
+ #define _PATH_HOST_XMSS_KEY_FILE SSHDIR "/ssh_host_xmss_key"
+ #define _PATH_HOST_RSA_KEY_FILE SSHDIR "/ssh_host_rsa_key"
+ #define _PATH_DH_MODULI SSHDIR "/moduli"
++#define _PATH_SCP_KILL_SWITCH SSHDIR "/disable_scp"
+ 
+ #ifndef _PATH_SSH_PROGRAM
+ #define _PATH_SSH_PROGRAM "/usr/bin/ssh"
+diff -up openssh-8.7p1/scp.1.kill-scp openssh-8.7p1/scp.1
+--- openssh-8.7p1/scp.1.kill-scp 2021-09-16 12:09:02.646714578 +0200
++++ openssh-8.7p1/scp.1 2021-09-16 12:26:49.978628226 +0200
+@@ -278,6 +278,13 @@ to print debugging messages about their
+ This is helpful in
+ debugging connection, authentication, and configuration problems.
+ .El
++.Pp
++Usage of SCP protocol can be blocked by creating a world-readable
++.Ar /etc/ssh/disable_scp
++file. If this file exists, when SCP protocol is in use (either remotely or
++via the
++.Fl O
++option), the program will exit.
+ .Sh EXIT STATUS
+ .Ex -std scp
+ .Sh SEE ALSO
+diff -up openssh-8.7p1/scp.c.kill-scp openssh-8.7p1/scp.c
+--- openssh-8.7p1/scp.c.kill-scp 2021-09-16 11:42:56.013650519 +0200
++++ openssh-8.7p1/scp.c 2021-09-16 11:53:03.249713836 +0200
+@@ -596,6 +596,14 @@ main(int argc, char **argv)
+ if (iamremote)
+ mode = MODE_SCP;
+ 
++ if (mode == MODE_SCP) {
++ FILE *f = fopen(_PATH_SCP_KILL_SWITCH, "r");
++ if (f != NULL) {
++ fclose(f);
++ fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);
++ }
++ }
++
+ if ((pwd = getpwuid(userid = getuid())) == NULL)
+ fatal("unknown user %u", (u_int) userid);
+ 
diff --git a/openssh-8.7p1-sftp-default-protocol.patch b/openssh-8.7p1-sftp-default-protocol.patch
new file mode 100644
index 0000000..ec25944
--- /dev/null
+++ b/openssh-8.7p1-sftp-default-protocol.patch
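Review bot: The kill switch added to scp.c probes the file with `fopen(_PATH_SCP_KILL_SWITCH, "r")`, so it is only honoured when the file is readable by the user running scp, which is why the scp.1 text has to ask for a "world-readable" file; a 0600 file created by root, or any other fopen failure, silently leaves the SCP protocol enabled. Testing existence with `stat()` decouples the switch from permission bits and avoids opening a stream just to close it: `struct stat st;` / `if (mode == MODE_SCP && stat(_PATH_SCP_KILL_SWITCH, &st) == 0)` / `fatal("SCP protocol is forbidden via %s", _PATH_SCP_KILL_SWITCH);` (scp.c's includes are outside the hunk; `<sys/stat.h>` is presumably already present). With that change the scp.1 paragraph can say the file need only exist. The check sits right after `if (iamremote) mode = MODE_SCP;`, so it covers the remote-side invocation as well as a local `-O`; main() continues outside the hunk.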
@@ -0,0 +1,129 @@
+diff --git a/scp.1 b/scp.1
+index 68aac04b..a96e95ad 100644
+--- a/scp.1
++++ b/scp.1
+@@ -8,9 +8,9 @@
+ .\"
+ .\" Created: Sun May 7 00:14:37 1995 ylo
+ .\"
+-.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $
++.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $
+ .\"
+-.Dd $Mdocdate: August 11 2021 $
++.Dd $Mdocdate: September 8 2021 $
+ .Dt SCP 1
+ .Os
+ .Sh NAME
+@@ -18,7 +18,7 @@
+ .Nd OpenSSH secure file copy
+ .Sh SYNOPSIS
+ .Nm scp
+-.Op Fl 346ABCOpqRrsTv
++.Op Fl 346ABCOpqRrTv
+ .Op Fl c Ar cipher
+ .Op Fl D Ar sftp_server_path
+ .Op Fl F Ar ssh_config
+@@ -37,9 +37,6 @@ It uses
+ .Xr ssh 1
+ for data transfer, and uses the same authentication and provides the
+ same security as a login session.
+-The scp protocol requires execution of the remote user's shell to perform
+-.Xr glob 3
+-pattern matching.
+ .Pp
+ .Nm
+ will ask for passwords or passphrases if they are needed for
+@@ -79,7 +76,9 @@ The options are as follows:
+ Copies between two remote hosts are transferred through the local host.
+ Without this option the data is copied directly between the two remote
+ hosts.
+-Note that, when using the legacy SCP protocol (the default), this option
++Note that, when using the legacy SCP protocol (via the
++.Fl O
++flag), this option
+ selects batch mode for the second host as
+ .Nm
+ cannot ask for passwords or passphrases for both hosts.
+@@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s.
+ .It Fl O
+ Use the legacy SCP protocol for file transfers instead of the SFTP protocol.
+ Forcing the use of the SCP protocol may be necessary for servers that do
+-not implement SFTP or for backwards-compatibility for particular filename
+-wildcard patterns.
+-This mode is the default.
++not implement SFTP, for backwards-compatibility for particular filename
++wildcard patterns and for expanding paths with a
++.Sq ~
++prefix for older SFTP servers.
+ .It Fl o Ar ssh_option
+ Can be used to pass options to
+ .Nm ssh
+@@ -258,16 +258,6 @@ to use for the encrypted connection.
+ The program must understand
+ .Xr ssh 1
+ options.
+-.It Fl s
+-Use the SFTP protocol for file transfers instead of the legacy SCP protocol.
+-Using SFTP avoids invoking a shell on the remote side and provides
+-more predictable filename handling, as the SCP protocol
+-relied on the remote shell for expanding
+-.Xr glob 3
+-wildcards.
+-.Pp
+-A near-future release of OpenSSH will make the SFTP protocol the default.
+-This option will be deleted before the end of 2022.
+ .It Fl T
+ Disable strict filename checking.
+ By default when copying files from a remote host to a local directory
+@@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems.
+ .Xr ssh_config 5 ,
+ .Xr sftp-server 8 ,
+ .Xr sshd 8
++.Sh CAVEATS
++The original scp protocol (selected by the
++.Fl O
++flag) requires execution of the remote user's shell to perform
++.Xr glob 3
++pattern matching.
++This requires careful quoting of any characters that have special meaning to
++the remote shell, such as quote characters.
+ .Sh HISTORY
+ .Nm
+ is based on the rcp program in
+ .Bx
+ source code from the Regents of the University of California.
++.Pp
++Since OpenSSH 8.8 (8.7 in Red Hat/Fedora builds),
++.Nm
++has use the SFTP protocol for transfers by default.
+ .Sh AUTHORS
+ .An Timo Rinne Aq Mt tri@iki.fi
+ .An Tatu Ylonen Aq Mt ylo@cs.hut.fi
+diff --git a/scp.c b/scp.c
+index e039350c..c7cf7529 100644
+--- a/scp.c
++++ b/scp.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */
++/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */
+ /*
+ * scp - secure remote copy. This is basically patched BSD rcp which
+ * uses ssh to do the data transfer (instead of using rcmd).
+@@ -448,7 +448,7 @@ main(int argc, char **argv)
+ const char *errstr;
+ extern char *optarg;
+ extern int optind;
+- enum scp_mode_e mode = MODE_SCP;
++ enum scp_mode_e mode = MODE_SFTP;
+ char *sftp_direct = NULL;
+ 
+ /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+@@ -1983,7 +1983,7 @@ void
+ usage(void)
+ {
+ (void) fprintf(stderr,
+- "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
++ "usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n"
+ " [-i identity_file] [-J destination] [-l limit]\n"
+ " [-o ssh_option] [-P port] [-S program] source ... target\n");
+ exit(1);
diff --git a/openssh.spec b/openssh.spec
index 0bd94ad..aeaaf74 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -193,6 +193,10 @@ Patch966: openssh-8.2p1-x11-without-ipv6.patch Patch974: openssh-8.0p1-keygen-strip-doseol.patch # sshd provides PAM an incorrect error code (#1879503) Patch975: openssh-8.0p1-preserve-pam-errors.patch +# Use SFTP protocol by default for scp command +Patch976: openssh-8.7p1-sftp-default-protocol.patch +# Implement kill switch for SCP protocol +Patch977: openssh-8.7p1-scp-kill-switch.patch License: BSD Requires: /sbin/nologin
@@ -368,6 +372,8 @@ popd %patch966 -p1 -b .x11-ipv6 %patch974 -p1 -b .keygen-strip-doseol %patch975 -p1 -b .preserve-pam-errors +%patch976 -p1 -b .sftp-by-default +%patch977 -p1 -b .kill-scp %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race
@@ -653,7 +659,10 @@ test -f %{sysconfig_anaconda} && \ %changelog * Fri Sep 24 2021 Dmitry Belyavskiy - 8.7p1-1 + 0.10.4-4 -- New upstream release (#2001002) +- New upstream release +- Switch to SFTP protocol in scp utility by default +- Enable SCP protocol kill switch + Related: rhbz#2001002 * Mon Aug 09 2021 Mohan Boddu - 8.6p1-7.1 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
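Review bot: The HISTORY paragraph added to scp.1 reads `has use the SFTP protocol for transfers by default`, which should be `has used the SFTP protocol` (or simply `uses`). The SYNOPSIS and the usage() string both drop the `s` flag, but the hunk does not touch the getopt string or the handling of that option, so `-s` presumably stays accepted as an undocumented no-op on top of the new `MODE_SFTP` default; that is fine for compatibility, but one sentence in the patch header saying so would stop a later cleanup from reading as a behaviour change. The `(8.7 in Red Hat/Fedora builds)` parenthetical is the only place the patch records that this backport diverges from upstream 8.8; the same remark belongs in the openssh.spec comment for Patch976. main() and usage() both continue outside the hunk.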