One of the most important security changes for OpenSSH in Red Hat Enterprise Linux (RHEL) 9 is the deprecation of the SCP protocol.
These are the changes that we have implemented:
The scp command line tool uses the SFTP protocol for file transfers by default.
Usage of the SCP protocol can be restored using the newly added -O option.
Usage of the SCP protocol can be completely disabled on the system. If the file /etc/ssh/disable_scp exists, any attempt to use the SCP protocol will fail.
We’re making this change because the SCP protocol is decades old, and carries multiple security risks and issues that have no straightforward solutions. New issues are being reported frequently (CVE-2020-15778 is the most recent as of this writing, but we can’t be sure it will be the last) and it is rather difficult to fix them all properly because the protocol is inherently trustworthy of authenticated sessions.
For this reason, some RHEL customers wish to completely disable the SCP protocol in their systems. At the same time, we have SFTP, a well-defined protocol that covers most of SCP’s use cases, so it makes sense to switch to the better protocol.
Patch development and adoption
The initial patch implementing the switch was written by Jakub Jelen, the Red Hatter who maintained the OpenSSH package for several years and who knows the toolkit’s internals very well. In 2021, Jelen’s patch was accepted upstream with minor tweaks. Since then, it has been updated with several compatibility tweaks to better match the SCP behavior and to correctly handle what corner cases have been discovered so far.
Though upstream has delayed switching to the SFTP protocol by default, we decided to switch completely in RHEL 9. A major release is the proper time to introduce changes of this nature, because those who migrate to the new major versions are more likely to expect possible incompatibilities.
Differences between SCP and SFTP protocols
We are aware of several differences in the behaviors of the SCP and SFTP protocols. For example, when copying files, the SCP utility follows symlinks and SFTP doesn't. This has been fixed upstream and these changes have been incorporated in our product. There are differences in the glob pattern expansion, as well, but these incompatibilities will remain at this time.
Another difference between the protocols is in the expansion of ~-based path processing. OpenSSH 8.7 and later versions support a special SFTP extension to deal with this expansion. Unfortunately, this extension is not supported in earlier versions, so copying folders from a new version of RHEL to an old one is going to fail if ~ path processing is used. In such cases, the recommended fix is to provide absolute paths.
What to do if this change affects your system
If this change affects your system, you have several options. Ideally, upgrade the legacy system to a recent version of RHEL. If you cannot do this, you can use the SCP protocol when necessary - it requires an explicit usage of the -O option.
But if you add this option to your scripts, you should consider that:
The SCP protocol is less secure than the SFTP protocol and represents certain security risks (see CVE-2020-15778 as an example).
It is planned to be eliminated in one of the upcoming major releases of Red Hat Enterprise Linux.
It will not work if the target system has completely disabled the SCP protocol.
It’s also possible and feasible to use rsync instead of the scp utility. Rsync uses its own protocol for file transfer, and ssh is used for transport protection.
If you would like to learn more about RHEL security, visit the Red Hat Product Security Center.