
Bug#1011063: scp: Received message too long 1163022927


Stefano Rivera

May 16, 2022, 7:50:04 AM
Package: dput-ng
Version: 1.34
Severity: normal
Tags: upstream

Now that openssh 1:9.0p1-1 uses the SFTP protocol by default, uploads to
services using scp are broken.

e.g.
$ dput extended-lts openssl_1.0.1t-1+deb8u18_source.changes
Uploading openssl using scp to extended-lts (host: deb.freexian.com; directory: /does-not/matter)
running allowed-distribution: check whether a local profile permits uploads to the target distribution
running checksum: verify checksums before uploading
running suite-mismatch: check the target distribution for common errors
running gpg: check GnuPG signatures before the upload
SCP is deprecated. Please consider upgrading to SFTP.
Uploading openssl_1.0.1t-1+deb8u18.dsc
Failed to upload openssl_1.0.1t-1+deb8u18.dsc to extend...@deb.freexian.com:/does-not/matter/openssl_1.0.1t-1+deb8u18.dsc: scp: Received message too long 1163022927
scp: Ensure the remote shell produces no output for non-interactive sessions.

The server-side here has a forced command that inspects
$SSH_ORIGINAL_COMMAND and execs scp, when appropriate.

The solution here is to *force* the use of scp, when communicating
with an scp host. This can be accomplished with a "-O" flag.

SR

-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-1-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dput-ng depends on:
ii python3 3.10.4-1+b1
ii python3-dput 1.34

dput-ng recommends no packages.

Versions of packages dput-ng suggests:
pn dput-ng-doc <none>
pn python3-twitter <none>

-- no debconf information

stef...@debian.org

May 16, 2022, 8:00:03 AM

Raphael Hertzog

May 19, 2022, 1:20:04 PM
On Mon, 16 May 2022 07:44:26 -0400 Stefano Rivera <stef...@debian.org> wrote:
> Now that openssh 1:9.0p1-1 uses the SFTP protocol by default, uploads to
> services using scp are broken.

Note that not all uploads are broken. They are broken when the server side
has a forced command that is expecting scp usage. I have this for example:

----
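#!/bin/sh
# Forced command: inspect what the client asked for and allow only uploads.

case "$SSH_ORIGINAL_COMMAND" in
    scp\ *)
        # Ignore the client's own arguments; always receive into incoming/
        exec scp -p -d -t /srv/deb.freexian.com/extended-lts/incoming
        ;;
    chmod\ *)
        # Normalise permissions on the files this user uploaded
        find /srv/deb.freexian.com/extended-lts/incoming -user "$(whoami)" -type f | xargs --no-run-if-empty chmod 0644
        exit 0
        ;;
    *)
        # Everything else (including /usr/lib/sftp-server) is refused
        echo "ERROR: Forbidden command: $SSH_ORIGINAL_COMMAND"
        echo "This SSH access can only be used to upload Debian packages."
        exit 1
        ;;
esac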
----

But without the "-O" option, scp will now call /usr/lib/sftp-server and
the case will match the third case generating unexpected noise for the
SFTP protocol.

There's no good way to tweak that script to force sftp-server to be
restricted to a specific directory.

So either you switch to always "sftp" and do some other setup to restrict
sftp (with the Chroot directive), or you switch to "always plain scp"
by passing -O when you call scp.

Cheers,
--
Raphaël Hertzog
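
Added example, not part of either message above: SFTP frames each packet with a 4-byte big-endian length, so a client in SFTP mode reads the first four bytes of any text the forced command prints as a packet length. The two helper functions below (hypothetical names) convert between that text and the number in the error, which shows that 1163022927 is the "ERRO" of the script's "ERROR: Forbidden command" line.

```shell
#!/bin/sh
# Added example (not from the thread). Relates the number in
# "Received message too long N" to the bytes the server printed.

# Given the text a forced command printed, return the packet length an
# SFTP client would read from its first four bytes (big-endian uint32).
sftp_len_from_output() {
    # od emits the first four bytes as unsigned decimal values
    set -- $(printf '%s' "$1" | od -An -tu1 -N4)
    [ "$#" -eq 4 ] || return 1   # fewer than four bytes: no length yet
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Given N from the error message, recover the four bytes that produced it.
# Printable ASCII is shown as-is, anything else as \xNN.
output_from_sftp_len() {
    n=$1
    out=
    for div in 16777216 65536 256 1; do
        byte=$(( (n / div) % 256 ))
        if [ "$byte" -ge 32 ] && [ "$byte" -le 126 ]; then
            # An octal escape in the printf format emits the raw byte
            out="$out$(printf "\\$(printf '%03o' "$byte")")"
        else
            out="$out$(printf '\\x%02x' "$byte")"
        fi
    done
    printf '%s\n' "$out"
}

# The number reported in this bug decodes to the start of the script's
# refusal message.
output_from_sftp_len 1163022927
# Constructed sample of what the wrapper prints for a non-scp command.
sftp_len_from_output "ERROR: Forbidden command: /usr/lib/sftp-server"
```

Running `output_from_sftp_len` on the number from a failing client is a quick way to tell which server-side message (a wrapper refusal, a shell banner, a profile `echo`) is being sent into the SFTP stream.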