[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[sr #110690] can't upload

From: Bob Proulx
Subject: [sr #110690] can't upload
Date: Thu, 18 Aug 2022 18:23:43 -0400 (EDT)

Update of sr #110690 (project administration):

                  Status:                    None => Done                   
             Assigned to:                    None => rwp                    
             Open/Closed:                    Open => Closed                 


Follow-up Comment #4:

Done.  Updated.  Please try it again now.

The root cause of this problem is almost certainly that recently you have
upgraded your system to OpenSSH 9.0 and the upstream OpenSSH at 9.0 has
switched the internal protocol of scp from the legacy (and problematic)
scp/rcp protocol to using sftp internally instead.  This is actually a very
good upgrade and I welcome it but the result was that it switched the protocol
to one that has been blocked due to a security concern.

Just for completeness I will say that OpenSSH provides the scp -O option to
use the previous now obsolete scp protocol.  That would have forced use of the
old scp protocol and worked.  But it is not needed because I reviewed the
issue with sftp and believe it is not a problem for Savannah due to the
special nature of Savannah only hosting Free Software and nothing more.

In 2016 Sylvain Beucler reported a security issue with use of the sftp
protocol such that members may access as themselves the raw file system.  On
other systems that would be a problem of information leakage.  But on Savannah
all of the files are accessible from the public side of things already.  There
isn't anything visible from this information leakage hack that isn't already
visible by other means.  Therefore I have enabled the sftp protocol again
regardless of the possible leakage to members.

I have updated the documentation for the scp and rsync commands.

In particular your original scp command should work okay now.  And also when
using rsync do not use the -a option, for other reasons unrelated to this
report that attempts a chown operation which is blocked and results in a hang
and failure.  Using -t is sufficient.

Due to the change in security policy I will raise this for further discussion
with the other admin team members.  If no one sees a problem with this line of
reasoning then everything will stay this way for the future.  If concerns are
raised however then we will need to update the policy to react to it.


Reply to this item at:


Message sent via Savannah

reply via email to

[Prev in Thread] Current Thread [Next in Thread]