| Summary: | scp fails key auth/connection on second host when two remote paths are specified | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | petiepooo <petiepooo> | ||||||||
| Component: | scp | Assignee: | Assigned to nobody <unassigned-bugs> | ||||||||
| Status: | CLOSED FIXED | ||||||||||
| Severity: | enhancement | CC: | djm, dtucker, nyh | ||||||||
| Priority: | P4 | ||||||||||
| Version: | 5.3p1 | ||||||||||
| Hardware: | All | ||||||||||
| OS: | All | ||||||||||
| Attachments: |
|
||||||||||
|
Description
petiepooo@yahoo.com
2010-11-10 08:20:16 AEDT
I agree that the current behavior when two remote hosts are specified is unexpected, illogical, and should be considered a bug. The "scp" manual page says that "Copies between two remote hosts are also permitted.". This is not quite the case - and if the current behavior remains (and I think it shouldn't...), it should at least be explained. The reason I think the current behavior is NOT useful, is that on today's internet, security is rarely symmetrical: The fact that host A can ssh to host B and to host C, doesn't mean that B and C can ssh back to A, or ssh between themselves. So when I do on host A 'scp B:... C:...', I certainly don't expect B and C to communicate directly - if I wanted to do that I would have written "ssh B -c scp ... C:". When I go and run 'scp B:... C:...' on A, I fully expect all the data to pass through A. scp B:... C:... could have been very useful when I want to transfer a large remote file between B and C, without keeping a copy on A and when B and C cannot communicate directly (because of routing or authentication issues). Created attachment 1963 [details]
openssh-scp-remotetoremote.patch
Only set ForwardAgent=no for local-to-remote and remote-to-local cases.
Comment on attachment 1963 [details]
openssh-scp-remotetoremote.patch
Ignore that patch, it's rubbish. On further investigation there's some more work required. In the mean time if you want a workaround, try adding:
Host yourhost
ForwardAgent yes
to your ~/.ssh/config file and see if that helps
Created attachment 1966 [details]
/home/djm/scp-propagate-opts.diff
propogate commandline options on remote-remote copies
Yes, we agree that this behaviour is stupid. Unfortunately, scp just rcp, which is 27 years old and is widely understood to behave exactly as it does. If we change it then we will break users' expectations and scripts. We aren't really interested in extending scp either. It implements no backwards compatibility mechanisms and the code is unpleasant to work on. That being said, the current behaviour of scp is broken in that it doesn't propagate options from the commandline to the ssh command used to invoke the remote-remote copy. This stops a user from manually specifying that they want to forward their agent on the commandline (doing it in the config file already works ok). The patch I just attached fixes this. Comment on attachment 1966 [details] /home/djm/scp-propagate-opts.diff >+ addargs(&remote_remote_args, "-oBatchmode yes"); > addargs(&args, "-oBatchmode yes"); Is that going to work? I would expect it to get parsed as 2 args by the remote shell and broken into '-oBatchmode' and 'yes' then have ssh choke on a missing arg to BatchMode. easy fix: s/ /=/ Created attachment 1968 [details]
/home/djm/scp-propagate-opts.diff
revised patch
Patch applied, but as I mentioned we can't/won't make further alterations to scp. Markus reminds me that we can open two connections (to source and destination host) without requiring any protocol changes, so the only thing to overcome here is the code smell. The -3 option to establish connections to both source and destination from the local host was added back in openssh-5.7. Close all resolved bugs after 7.3p1 release |