Bug#1011063: scp: Received message too long 1163022927

2022-05-19 Thread Raphael Hertzog
On Mon, 16 May 2022 07:44:26 -0400 Stefano Rivera wrote:
> Now that openssh 1:9.0p1-1 uses the SFTP protocol by default, uploads to
> services using scp are broken.

Note that not all uploads are broken. They are broken when the server side
has a forced command that is expecting scp usage. I have this for example:


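#!/bin/sh
# Forced command: dispatch on what the client asked to run.

case "$SSH_ORIGINAL_COMMAND" in
    scp\ *)
        # Ignore the client's arguments; always receive into the incoming directory.
        exec scp -p -d -t /srv/deb.freexian.com/extended-lts/incoming
        ;;
    chmod\ *)
        # Set mode 0644 on the files owned by the calling user.
        find /srv/deb.freexian.com/extended-lts/incoming -user "$(whoami)" -type f | xargs --no-run-if-empty chmod 0644
        exit 0
        ;;
    *)
        # Anything else is refused; this text is written to stdout.
        echo "ERROR: Forbidden command: $SSH_ORIGINAL_COMMAND"
        echo "This SSH access can only be used to upload Debian packages."
        exit 1
        ;;
esac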


But without the "-O" option, scp will now call /usr/lib/sftp-server and
the case will match the third case generating unexpected noise for the
SFTP protocol.

There's no good way to tweak that script to force sftp-server to be
restricted to a specific directory.

So either you switch to always "sftp" and do some other setup to restrict
sftp (with the Chroot directive), or you switch to "always plain scp"
by passing -O when you call scp.

Cheers,
-- 
Raphaël Hertzog
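
Added example (not part of the thread and not code from dput-ng or OpenSSH): the number in the error is the first four bytes of the wrapper's "ERROR: ..." text read as an SFTP packet length. The Python sketch below models the script's fall-through branch and the client's length parse; the function names and the 256 KiB client limit are assumptions.

```python
import re
import struct

# Assumption: cap the OpenSSH SFTP client applies to a single packet.
SFTP_MAX_MSG_LENGTH = 256 * 1024


def wrapper_output(original_command: str) -> bytes:
    """Bytes the forced-command script itself writes to stdout."""
    if original_command.startswith(("scp ", "chmod ")):
        return b""  # handled branches print nothing themselves
    return (
        f"ERROR: Forbidden command: {original_command}\n"
        "This SSH access can only be used to upload Debian packages.\n"
    ).encode()


def sftp_read_length(stream: bytes) -> int:
    """SFTP framing: every packet starts with a 4-byte big-endian length."""
    if len(stream) < 4:
        raise ValueError("need at least 4 bytes for the length prefix")
    (length,) = struct.unpack(">I", stream[:4])
    return length


def decode_too_long(log_line: str):
    """Recover the 4 bytes behind 'Received message too long N', or None."""
    m = re.search(r"Received message too long (\d+)", log_line)
    if not m or int(m.group(1)) > 0xFFFFFFFF:
        return None
    return struct.pack(">I", int(m.group(1)))


if __name__ == "__main__":
    # Constructed input: the command the page says scp now asks for.
    noise = wrapper_output("/usr/lib/sftp-server")
    length = sftp_read_length(noise)
    print(length, length > SFTP_MAX_MSG_LENGTH)
    print(decode_too_long("scp: Received message too long 1163022927"))
```

Decoding the number from a client log this way shows which text the remote side printed before the SFTP session started.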



Bug#1011063: scp: Received message too long 1163022927

2022-05-16 Thread stefanor
Control: tag -1 + patch

https://salsa.debian.org/debian/dput-ng/-/merge_requests/20

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272



Bug#1011063: scp: Received message too long 1163022927

2022-05-16 Thread Stefano Rivera
Package: dput-ng
Version: 1.34
Severity: normal
Tags: upstream

Now that openssh 1:9.0p1-1 uses the SFTP protocol by default, uploads to
services using scp are broken.

e.g.
$ dput extended-lts openssl_1.0.1t-1+deb8u18_source.changes
Uploading openssl using scp to extended-lts (host: deb.freexian.com; directory: /does-not/matter)
running allowed-distribution: check whether a local profile permits uploads to the target distribution
running checksum: verify checksums before uploading
running suite-mismatch: check the target distribution for common errors
running gpg: check GnuPG signatures before the upload
SCP is deprecated. Please consider upgrading to SFTP.
Uploading openssl_1.0.1t-1+deb8u18.dsc
Failed to upload openssl_1.0.1t-1+deb8u18.dsc to extended-...@deb.freexian.com:/does-not/matter/openssl_1.0.1t-1+deb8u18.dsc: scp: Received message too long 1163022927
scp: Ensure the remote shell produces no output for non-interactive sessions.

The server-side here has a forced command that inspects
$SSH_ORIGINAL_COMMAND and execs scp, when appropriate.

The solution here is to *force* the use of scp when communicating
with an scp host. This can be accomplished with a "-O" flag.

SR

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dput-ng depends on:
ii  python3   3.10.4-1+b1
ii  python3-dput  1.34

dput-ng recommends no packages.

Versions of packages dput-ng suggests:
pn  dput-ng-doc  
pn  python3-twitter  

-- no debconf information