From 391ca67fb978252c48d20c910553f803f988bd37 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Tue, 10 Aug 2021 03:33:34 +0000 Subject: [PATCH] upstream: Prepare for a future where scp(1) uses the SFTP protocol by default. Replace recently added -M option to select the protocol with -O (olde) and -s (SFTP) flags, and label the -s flag with a clear warning that it will be removed in the near future (so no, don't use it in scripts!). prompted by/feedback from deraadt@ OpenBSD-Commit-ID: 92ad72cc6f0023c9be9e316d8b30eb6d8d749cfc --- scp.1 | 34 +++++++++++++++++++++------------- scp.c | 23 ++++++++++------------- 2 files changed, 31 insertions(+), 26 deletions(-) diff --git a/scp.1 b/scp.1 index c06ecf68d..972269af7 100644 --- a/scp.1 +++ b/scp.1 @@ -8,9 +8,9 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.98 2021/08/09 23:56:36 djm Exp $ +.\" $OpenBSD: scp.1,v 1.99 2021/08/10 03:33:34 djm Exp $ .\" -.Dd $Mdocdate: August 9 2021 $ +.Dd $Mdocdate: August 10 2021 $ .Dt SCP 1 .Os .Sh NAME @@ -18,14 +18,13 @@ .Nd OpenSSH secure file copy .Sh SYNOPSIS .Nm scp -.Op Fl 346ABCpqRrTv +.Op Fl 346ABCOpqRrsTv .Op Fl c Ar cipher .Op Fl D Ar sftp_server_path .Op Fl F Ar ssh_config .Op Fl i Ar identity_file .Op Fl J Ar destination .Op Fl l Ar limit -.Op Fl M Ar scp | sftp .Op Fl o Ar ssh_option .Op Fl P Ar port .Op Fl S Ar program @@ -112,7 +111,7 @@ Selects the cipher to use for encrypting the data transfer. This option is directly passed to .Xr ssh 1 . .It Fl D Ar sftp_server_path -When using the experimental SFTP protocol support via +When using the SFTP protocol support via .Fl M , connect directly to a local SFTP server program rather than a remote one via 
@@ -144,14 +143,12 @@ This option is directly passed to .Xr ssh 1 . .It Fl l Ar limit Limits the used bandwidth, specified in Kbit/s. -.It Fl M Ar scp | sftp -Specifies a mode which will be used to transfer files. -The default is to use the original -.Cm scp -protocol. -Alternately, experimental support for using the -.Cm sftp -protocol is available. +.It Fl O +Use the legacy SCP protocol for file transfers instead of the SFTP protocol. +Forcing the use of the SCP protocol may be necessary for servers that do +not implement SFTP or for backwards-compatibility for particular filename +wildcard patterns. +This mode is the default. .It Fl o Ar ssh_option Can be used to pass options to .Nm ssh @@ -261,6 +258,16 @@ to use for the encrypted connection. The program must understand .Xr ssh 1 options. +.It Fl s +Use the SFTP protocol for file transfers instead of the legacy SCP protocol. +Using SFTP provides avoids invoking a shell on the remote side and provides +more predictable filename handling, as the SCP protocol +relied on the remote shell for expanding +.Xr glob 3 +wildcards. +.Pp +A near-future release of OpenSSH will make the SFTP protocol the default. +This option will be deleted before the end of 2022. .It Fl T Disable strict filename checking. By default when copying files from a remote host to a local directory @@ -290,6 +297,7 @@ debugging connection, authentication, and configuration problems. .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr ssh_config 5 , +.Xr sftp-server 8 , .Xr sshd 8 .Sh HISTORY .Nm diff --git a/scp.c b/scp.c index 3eda5483d..e69354369 100644 --- a/scp.c +++ b/scp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: scp.c,v 1.229 2021/08/09 23:56:36 djm Exp $ */ +/* $OpenBSD: scp.c,v 1.230 2021/08/10 03:33:34 djm Exp $ */ /* * scp - secure remote copy. This is basically patched BSD rcp which * uses ssh to do the data transfer (instead of using rcmd). 
@@ -448,7 +448,6 @@ main(int argc, char **argv) const char *errstr; extern char *optarg; extern int optind; - /* For now, keep SCP as default */ enum scp_mode_e mode = MODE_SCP; char *sftp_direct = NULL; @@ -482,7 +481,7 @@ main(int argc, char **argv) fflag = Tflag = tflag = 0; while ((ch = getopt(argc, argv, - "12346ABCTdfpqRrtvD:F:J:M:P:S:c:i:l:o:")) != -1) { + "12346ABCTdfOpqRrstvD:F:J:M:P:S:c:i:l:o:")) != -1) { switch (ch) { /* User-visible flags. */ case '1': @@ -517,6 +516,12 @@ main(int argc, char **argv) addargs(&args, "-%c", ch); addargs(&args, "%s", optarg); break; + case 'O': + mode = MODE_SCP; + break; + case 's': + mode = MODE_SFTP; + break; case 'P': sshport = a2port(optarg); if (sshport <= 0) @@ -526,14 +531,6 @@ main(int argc, char **argv) addargs(&remote_remote_args, "-oBatchmode=yes"); addargs(&args, "-oBatchmode=yes"); break; - case 'M': - if (strcmp(optarg, "sftp") == 0) - mode = MODE_SFTP; - else if (strcmp(optarg, "scp") == 0) - mode = MODE_SCP; - else - usage(); - break; case 'l': limit_kbps = strtonum(optarg, 1, 100 * 1024 * 1024, &errstr); @@ -1987,8 +1984,8 @@ void usage(void) { (void) fprintf(stderr, - "usage: scp [-346ABCpqRrTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n" - " [-i identity_file] [-J destination] [-l limit] [-M scp|sftp]\n" + "usage: scp [-346ABCOpqRrsTv] [-c cipher] [-D sftp_server_path] [-F ssh_config]\n" + " [-i identity_file] [-J destination] [-l limit]\n" " [-o ssh_option] [-P port] [-S program] source ... target\n"); exit(1); }
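Review bot: The new getopt() string in the `@@ -482,7 +481,7 @@` hunk still contains `M:`, although this patch deletes the `case 'M':` handler further down. As a result `-M arg` is still parsed as a known option and presumably ends up in the switch's default arm (not visible here) instead of being rejected by getopt() itself. Dropping it gives `"12346ABCTdfOpqRrstvD:F:J:P:S:c:i:l:o:"`. The same leftover shows in the scp.1 hunk for `-D`, whose context line after the reworded sentence still reads `.Fl M ,` and should become `.Fl s ,`. main() starts and ends outside this hunk.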
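Review bot: The added `case 'O':` and `case 's':` arms in the `@@ -517,6 +516,12 @@` hunk each just assign `mode`, so a command line carrying both flags is accepted silently and the last one wins. Per the scp.1 text in this patch, that choice decides whether a shell is invoked on the remote side, so the precedence is worth stating next to the code. I would add `/* -O and -s override each other; the last one given wins */` above `case 'O':`, since the `/* For now, keep SCP as default */` comment at the declaration is removed by this patch. The switch continues outside the hunk.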