One of the most important security changes for OpenSSH in Red Hat Enterprise Linux (RHEL) 9 is the deprecation of the SCP protocol.
These are the changes that we have implemented:
The scp command line tool uses the SFTP protocol for file transfers by default.
Usage of the SCP protocol can be restored using the newly added -O option.
Usage of the SCP protocol can be completely disabled on the system. If the file /etc/ssh/disable_scp exists, any attempt to use the SCP protocol will fail.
We’re making this change because the SCP protocol is decades old, and carries multiple security risks and issues that have no straightforward solutions. New issues are being reported frequently (CVE-2020-15778 is the most recent as of this writing, but we can’t be sure it will be the last) and it is rather difficult to fix them all properly because the protocol is inherently trustworthy of authenticated sessions.
For this reason, some RHEL customers wish to completely disable the SCP protocol in their systems. At the same time, we have SFTP, a well-defined protocol that covers most of SCP’s use cases, so it makes sense to switch to the better protocol.
Patch development and adoption
The initial patch implementing the switch was written by Jakub Jelen, the Red Hatter who maintained the OpenSSH package for several years and who knows the toolkit’s internals very well. In 2021, Jelen’s patch was accepted upstream with minor tweaks. Since then, it has been updated with several compatibility tweaks to better match the SCP behavior and to correctly handle what corner cases have been discovered so far.
Though upstream has delayed switching to the SFTP protocol by default, we decided to switch completely in RHEL 9. A major release is the proper time to introduce changes of this nature, because those who migrate to the new major versions are more likely to expect possible incompatibilities.
Differences between SCP and SFTP protocols
We are aware of several differences in the behaviors of the SCP and SFTP protocols. For example, when copying files, the SCP utility follows symlinks and SFTP doesn't. This has been fixed upstream and these changes have been incorporated in our product. There are differences in the glob pattern expansion, as well, but these incompatibilities will remain at this time.
Another difference between the protocols is in the expansion of ~-based path processing. OpenSSH 8.7 and later versions support a special SFTP extension to deal with this expansion. Unfortunately, this extension is not supported in earlier versions, so copying folders from a new version of RHEL to an old one is going to fail if ~ path processing is used. In such cases, the recommended fix is to provide absolute paths.
What to do if this change affects your system
If this change affects your system, you have several options. Ideally, upgrade the legacy system to a recent version of RHEL. If you cannot do this, you can use the SCP protocol when necessary - it requires an explicit usage of the -O option.
But if you add this option to your scripts, you should consider that:
The SCP protocol is less secure than the SFTP protocol and represents certain security risks (see CVE-2020-15778 as an example).
It is planned to be eliminated in one of the upcoming major releases of Red Hat Enterprise Linux.
It will not work if the target system has completely disabled the SCP protocol.
It’s also possible and feasible to use rsync instead of the scp utility. Rsync uses its own protocol for file transfer, and ssh is used for transport protection.
If you would like to learn more about RHEL security, visit the Red Hat Product Security Center.
À propos de l'auteur
Contenu similaire
Parcourir par canal
Automatisation
Les dernières nouveautés en matière d'automatisation informatique pour les technologies, les équipes et les environnements
Intelligence artificielle
Actualité sur les plateformes qui permettent aux clients d'exécuter des charges de travail d'IA sur tout type d'environnement
Cloud hybride ouvert
Découvrez comment créer un avenir flexible grâce au cloud hybride
Sécurité
Les dernières actualités sur la façon dont nous réduisons les risques dans tous les environnements et technologies
Edge computing
Actualité sur les plateformes qui simplifient les opérations en périphérie
Infrastructure
Les dernières nouveautés sur la plateforme Linux d'entreprise leader au monde
Applications
À l’intérieur de nos solutions aux défis d’application les plus difficiles
Programmes originaux
Histoires passionnantes de créateurs et de leaders de technologies d'entreprise
Produits
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Services cloud
- Voir tous les produits
Outils
- Formation et certification
- Mon compte
- Assistance client
- Ressources développeurs
- Rechercher un partenaire
- Red Hat Ecosystem Catalog
- Calculateur de valeur Red Hat
- Documentation
Essayer, acheter et vendre
Communication
- Contacter le service commercial
- Contactez notre service clientèle
- Contacter le service de formation
- Réseaux sociaux
À propos de Red Hat
Premier éditeur mondial de solutions Open Source pour les entreprises, nous fournissons des technologies Linux, cloud, de conteneurs et Kubernetes. Nous proposons des solutions stables qui aident les entreprises à jongler avec les divers environnements et plateformes, du cœur du datacenter à la périphérie du réseau.
Sélectionner une langue
Red Hat legal and privacy links
- À propos de Red Hat
- Carrières
- Événements
- Bureaux
- Contacter Red Hat
- Lire le blog Red Hat
- Diversité, équité et inclusion
- Cool Stuff Store
- Red Hat Summit