One of the most important security changes for OpenSSH in Red Hat Enterprise Linux (RHEL) 9 is the deprecation of the SCP protocol.
These are the changes that we have implemented:
The scp command line tool uses the SFTP protocol for file transfers by default.
Usage of the SCP protocol can be restored using the newly added -O option.
Usage of the SCP protocol can be completely disabled on the system. If the file /etc/ssh/disable_scp exists, any attempt to use the SCP protocol will fail.
We’re making this change because the SCP protocol is decades old, and carries multiple security risks and issues that have no straightforward solutions. New issues are being reported frequently (CVE-2020-15778 is the most recent as of this writing, but we can’t be sure it will be the last) and it is rather difficult to fix them all properly because the protocol is inherently trustworthy of authenticated sessions.
For this reason, some RHEL customers wish to completely disable the SCP protocol in their systems. At the same time, we have SFTP, a well-defined protocol that covers most of SCP’s use cases, so it makes sense to switch to the better protocol.
Patch development and adoption
The initial patch implementing the switch was written by Jakub Jelen, the Red Hatter who maintained the OpenSSH package for several years and who knows the toolkit’s internals very well. In 2021, Jelen’s patch was accepted upstream with minor tweaks. Since then, it has been updated with several compatibility tweaks to better match the SCP behavior and to correctly handle what corner cases have been discovered so far.
Though upstream has delayed switching to the SFTP protocol by default, we decided to switch completely in RHEL 9. A major release is the proper time to introduce changes of this nature, because those who migrate to the new major versions are more likely to expect possible incompatibilities.
Differences between SCP and SFTP protocols
We are aware of several differences in the behaviors of the SCP and SFTP protocols. For example, when copying files, the SCP utility follows symlinks and SFTP doesn't. This has been fixed upstream and these changes have been incorporated in our product. There are differences in the glob pattern expansion, as well, but these incompatibilities will remain at this time.
Another difference between the protocols is in the expansion of ~-based path processing. OpenSSH 8.7 and later versions support a special SFTP extension to deal with this expansion. Unfortunately, this extension is not supported in earlier versions, so copying folders from a new version of RHEL to an old one is going to fail if ~ path processing is used. In such cases, the recommended fix is to provide absolute paths.
What to do if this change affects your system
If this change affects your system, you have several options. Ideally, upgrade the legacy system to a recent version of RHEL. If you cannot do this, you can use the SCP protocol when necessary - it requires an explicit usage of the -O option.
But if you add this option to your scripts, you should consider that:
The SCP protocol is less secure than the SFTP protocol and represents certain security risks (see CVE-2020-15778 as an example).
It is planned to be eliminated in one of the upcoming major releases of Red Hat Enterprise Linux.
It will not work if the target system has completely disabled the SCP protocol.
It’s also possible and feasible to use rsync instead of the scp utility. Rsync uses its own protocol for file transfer, and ssh is used for transport protection.
If you would like to learn more about RHEL security, visit the Red Hat Product Security Center.
執筆者紹介
類似検索
チャンネル別に見る
自動化
テクノロジー、チームおよび環境に関する IT 自動化の最新情報
AI (人工知能)
お客様が AI ワークロードをどこでも自由に実行することを可能にするプラットフォームについてのアップデート
オープン・ハイブリッドクラウド
ハイブリッドクラウドで柔軟に未来を築く方法をご確認ください。
セキュリティ
環境やテクノロジー全体に及ぶリスクを軽減する方法に関する最新情報
エッジコンピューティング
エッジでの運用を単純化するプラットフォームのアップデート
インフラストラクチャ
世界有数のエンタープライズ向け Linux プラットフォームの最新情報
アプリケーション
アプリケーションの最も困難な課題に対する Red Hat ソリューションの詳細
オリジナル番組
エンタープライズ向けテクノロジーのメーカーやリーダーによるストーリー
製品
ツール
試用、購入、販売
コミュニケーション
Red Hat について
エンタープライズ・オープンソース・ソリューションのプロバイダーとして世界をリードする Red Hat は、Linux、クラウド、コンテナ、Kubernetes などのテクノロジーを提供しています。Red Hat は強化されたソリューションを提供し、コアデータセンターからネットワークエッジまで、企業が複数のプラットフォームおよび環境間で容易に運用できるようにしています。
言語を選択してください
Red Hat legal and privacy links
- Red Hat について
- 採用情報
- イベント
- 各国のオフィス
- Red Hat へのお問い合わせ
- Red Hat ブログ
- ダイバーシティ、エクイティ、およびインクルージョン
- Cool Stuff Store
- Red Hat Summit