From 6bdb32a3f5cf114d398d0fdd7242083f27db1f30 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 8 Sep 2021 23:31:39 +0000 Subject: [PATCH] Use the SFTP protocol by default. The original scp/rcp protocol remains available via the -O flag. Note that ~user/ prefixed paths in SFTP mode require a protocol extension that was first shipped in OpenSSH 8.7. ok deraadt, after baking in snaps for a while without incident --- usr.bin/ssh/scp.1 | 42 ++++++++++++++++++++++-------------------- usr.bin/ssh/scp.c | 6 +++--- 2 files changed, 25 insertions(+), 23 deletions(-) diff --git a/usr.bin/ssh/scp.1 b/usr.bin/ssh/scp.1 index 68aac04b205..a96e95ad909 100644 --- a/usr.bin/ssh/scp.1 +++ b/usr.bin/ssh/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.100 2021/08/11 14:07:54 naddy Exp $ +.\" $OpenBSD: scp.1,v 1.101 2021/09/08 23:31:39 djm Exp $ .\" -.Dd $Mdocdate: August 11 2021 $ +.Dd $Mdocdate: September 8 2021 $ .Dt SCP 1 .Os .Sh NAME @@ -18,7 +18,7 @@ .Nd OpenSSH secure file copy .Sh SYNOPSIS .Nm scp -.Op Fl 346ABCOpqRrsTv +.Op Fl 346ABCOpqRrTv .Op Fl c Ar cipher .Op Fl D Ar sftp_server_path .Op Fl F Ar ssh_config @@ -37,9 +37,6 @@ It uses .Xr ssh 1 for data transfer, and uses the same authentication and provides the same security as a login session. -The scp protocol requires execution of the remote user's shell to perform -.Xr glob 3 -pattern matching. .Pp .Nm will ask for passwords or passphrases if they are needed for @@ -79,7 +76,9 @@ The options are as follows: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts. -Note that, when using the legacy SCP protocol (the default), this option +Note that, when using the legacy SCP protocol (via the +.Fl O +flag), this option selects batch mode for the second host as .Nm cannot ask for passwords or passphrases for both hosts. @@ -146,9 +145,10 @@ Limits the used bandwidth, specified in Kbit/s. .It Fl O Use the legacy SCP protocol for file transfers instead of the SFTP protocol. Forcing the use of the SCP protocol may be necessary for servers that do -not implement SFTP or for backwards-compatibility for particular filename -wildcard patterns. -This mode is the default. +not implement SFTP, for backwards-compatibility for particular filename +wildcard patterns and for expanding paths with a +.Sq ~ +prefix for older SFTP servers. .It Fl o Ar ssh_option Can be used to pass options to .Nm ssh @@ -258,16 +258,6 @@ to use for the encrypted connection. The program must understand .Xr ssh 1 options. -.It Fl s -Use the SFTP protocol for file transfers instead of the legacy SCP protocol. -Using SFTP avoids invoking a shell on the remote side and provides -more predictable filename handling, as the SCP protocol -relied on the remote shell for expanding -.Xr glob 3 -wildcards. -.Pp -A near-future release of OpenSSH will make the SFTP protocol the default. -This option will be deleted before the end of 2022. .It Fl T Disable strict filename checking. By default when copying files from a remote host to a local directory @@ -299,11 +289,23 @@ debugging connection, authentication, and configuration problems. .Xr ssh_config 5 , .Xr sftp-server 8 , .Xr sshd 8 +.Sh CAVEATS +The original scp protocol (selected by the +.Fl O +flag) requires execution of the remote user's shell to perform +.Xr glob 3 +pattern matching. +This requires careful quoting of any characters that have special meaning to +the remote shell, such as quote characters. .Sh HISTORY .Nm is based on the rcp program in .Bx source code from the Regents of the University of California. +.Pp +Since OpenSSH 8.8, +.Nm +has use the SFTP protocol for transfers by default. .Sh AUTHORS .An Timo Rinne Aq Mt tri@iki.fi .An Tatu Ylonen Aq Mt ylo@cs.hut.fi diff --git a/usr.bin/ssh/scp.c b/usr.bin/ssh/scp.c index 941559da66e..ee0072eaffe 100644 --- a/usr.bin/ssh/scp.c +++ b/usr.bin/ssh/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.232 2021/08/11 14:07:54 naddy Exp $ */ +/* $OpenBSD: scp.c,v 1.233 2021/09/08 23:31:39 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). @@ -422,7 +422,7 @@ main(int argc, char **argv) const char *errstr; extern char *optarg; extern int optind; - enum scp_mode_e mode = MODE_SCP; + enum scp_mode_e mode = MODE_SFTP; char *sftp_direct = NULL; /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ @@ -1942,7 +1942,7 @@ void usage(void) { (void) fprintf(stderr, - "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n" + "usage: scp [-346ABCOpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n" " [-i identity_file] [-J destination] [-l limit]\n" " [-o ssh_option] [-P port] [-S program] source ... target\n"); exit(1); -- 2.20.1