On Mon, 16 May 2022 07:44:26 -0400 Stefano Rivera <stefa...@debian.org> wrote:
> Now that openssh 1:9.0p1-1 uses the SFTP protocol by default, uploads to
> services using scp are broken.

Note that not all uploads are broken. They are broken when the server side
has a forced command that is expecting scp usage. I have this for example:

----
#!/bin/sh

case "$SSH_ORIGINAL_COMMAND" in
        scp\ *)
                exec scp -p -d -t /srv/deb.freexian.com/extended-lts/incoming
                ;;
        chmod\ *)
                find /srv/deb.freexian.com/extended-lts/incoming -user "$(whoami)" -type f -print0 | xargs -0 --no-run-if-empty chmod 0644
                exit 0
                ;;
        *)
                echo "ERROR: Forbidden command: $SSH_ORIGINAL_COMMAND"
                echo "This SSH access can only be used to upload Debian packages."
                exit 1
                ;;
esac
----

But without the "-O" option, scp will now call /usr/lib/sftp-server and
the case will match the third case generating unexpected noise for the
SFTP protocol.

There's no good way to tweak that script to force sftp-server to be
restricted to a specific directory.

So either you switch to always "sftp" and do some other setup to restrict
sftp (with the Chroot directive), or you switch to "always plain scp"
by passing -O when you call scp.

Cheers,
-- 
Raphaël Hertzog
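
Added example, not part of the original message: a variant of the forced-command dispatcher that recognises the SFTP subsystem request sent by scp from OpenSSH 9.0 and refuses it on stderr, so nothing is written into the stream the client parses as SFTP. The function names are hypothetical, and the string sshd passes for the subsystem is assumed to be an sftp-server path or `internal-sftp`, depending on the server's Subsystem setting.

```shell
#!/bin/sh
# Added example, not the poster's script. Function names are hypothetical.
INCOMING=/srv/deb.freexian.com/extended-lts/incoming   # path from the post

# Classify what the client asked for (the value of $SSH_ORIGINAL_COMMAND).
classify_request() {
    case "$1" in
        "scp "*)   echo legacy-scp ;;   # scp -O, or scp before OpenSSH 9.0
        "chmod "*) echo chmod ;;
        */sftp-server|*/sftp-server\ *|internal-sftp|internal-sftp\ *)
                   echo sftp ;;         # scp 9.0+ default mode, or sftp itself
        "")        echo no-command ;;   # login attempt without a command
        *)         echo forbidden ;;
    esac
}

# Act on the request. Refusals go to stderr only: stdout carries the
# protocol stream, so text written there is parsed by the client as SFTP.
handle_request() {
    case "$(classify_request "$1")" in
        legacy-scp) exec scp -p -d -t "$INCOMING" ;;
        chmod)      # NUL-delimited so unusual file names are passed intact
                    find "$INCOMING" -user "$(whoami)" -type f -print0 |
                        xargs -0 --no-run-if-empty chmod 0644 ;;
        sftp)       echo "ERROR: SFTP is not accepted here; upload with 'scp -O'." >&2
                    return 1 ;;
        *)          echo "ERROR: Forbidden command: $1" >&2
                    return 1 ;;
    esac
}

# Constructed sample requests, classified without executing anything.
for req in "scp -p -d -t incoming" "/usr/lib/sftp-server" "chmod 0644 x" "ls /"; do
    printf '%-26s -> %s\n' "$req" "$(classify_request "$req")"
done
# In a real forced command, replace the loop above with:
#   handle_request "${SSH_ORIGINAL_COMMAND:-}"
```

This only makes the refusal clean for SFTP clients; it does not confine sftp-server to the incoming directory.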
