One of the most important security changes for OpenSSH in Red Hat Enterprise Linux (RHEL) 9 is the deprecation of the SCP protocol.
These are the changes that we have implemented:
The scp command line tool uses the SFTP protocol for file transfers by default.
Usage of the SCP protocol can be restored using the newly added -O option.
Usage of the SCP protocol can be completely disabled on the system. If the file /etc/ssh/disable_scp exists, any attempt to use the SCP protocol will fail.
We’re making this change because the SCP protocol is decades old, and carries multiple security risks and issues that have no straightforward solutions. New issues are being reported frequently (CVE-2020-15778 is the most recent as of this writing, but we can’t be sure it will be the last) and it is rather difficult to fix them all properly because the protocol is inherently trustworthy of authenticated sessions.
For this reason, some RHEL customers wish to completely disable the SCP protocol in their systems. At the same time, we have SFTP, a well-defined protocol that covers most of SCP’s use cases, so it makes sense to switch to the better protocol.
Patch development and adoption
The initial patch implementing the switch was written by Jakub Jelen, the Red Hatter who maintained the OpenSSH package for several years and who knows the toolkit’s internals very well. In 2021, Jelen’s patch was accepted upstream with minor tweaks. Since then, it has been updated with several compatibility tweaks to better match the SCP behavior and to correctly handle what corner cases have been discovered so far.
Though upstream has delayed switching to the SFTP protocol by default, we decided to switch completely in RHEL 9. A major release is the proper time to introduce changes of this nature, because those who migrate to the new major versions are more likely to expect possible incompatibilities.
Differences between SCP and SFTP protocols
We are aware of several differences in the behaviors of the SCP and SFTP protocols. For example, when copying files, the SCP utility follows symlinks and SFTP doesn't. This has been fixed upstream and these changes have been incorporated in our product. There are differences in the glob pattern expansion, as well, but these incompatibilities will remain at this time.
Another difference between the protocols is in the expansion of ~-based path processing. OpenSSH 8.7 and later versions support a special SFTP extension to deal with this expansion. Unfortunately, this extension is not supported in earlier versions, so copying folders from a new version of RHEL to an old one is going to fail if ~ path processing is used. In such cases, the recommended fix is to provide absolute paths.
What to do if this change affects your system
If this change affects your system, you have several options. Ideally, upgrade the legacy system to a recent version of RHEL. If you cannot do this, you can use the SCP protocol when necessary - it requires an explicit usage of the -O option.
But if you add this option to your scripts, you should consider that:
The SCP protocol is less secure than the SFTP protocol and represents certain security risks (see CVE-2020-15778 as an example).
It is planned to be eliminated in one of the upcoming major releases of Red Hat Enterprise Linux.
It will not work if the target system has completely disabled the SCP protocol.
It’s also possible and feasible to use rsync instead of the scp utility. Rsync uses its own protocol for file transfer, and ssh is used for transport protection.
If you would like to learn more about RHEL security, visit the Red Hat Product Security Center.
저자 소개
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리