If an user try to run scp with two remote ends using password authentication, the second attempt fails: $ scp -v -o PreferredAuthentications=password host-1:/tmp/a host-2:/tmp/ Executing: /usr/bin/ssh -x -oClearAllForwardings=yes -n -v -o PreferredAuthentications=password -- host-1 scp -v /tmp/a host-2:/tmp/ ... plautrba@host-1's password: debug1: Authentication succeeded (password). Authenticated to host-1 ([127.0.0.1]:22). ... Executing: program /usr/bin/ssh host host-2, user (unspecified), command scp -v -t /tmp/ ... debug1: Next authentication method: password debug1: read_passphrase: can't open /dev/tty: No such device or address debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password Permission denied, please try again. The problem is in scp.c: toremote() which always uses "-n" for standard remote to remote. Consequently, stdin is redirected to /dev/null and a remote ssh can't ask for another password. As a fix I'd propose to use the patch from RHEL: --- a/scp.c +++ b/scp.c @@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv) addargs(&alist, "%s", ssh_program); addargs(&alist, "-x"); addargs(&alist, "-oClearAllForwardings=yes"); - addargs(&alist, "-n"); + if (isatty(fileno(stdin))) + addargs(&alist, "-t"); + else + addargs(&alist, "-n");
It's probably somehow related to reopened https://bugzilla.mindrot.org/show_bug.cgi?id=1837
ping Do you have any opinion on this?
Specifying -t may make the channel running scp no longer 8 bit clean. scp now supports the -3 option for remote to remote transfers. AFAIK it solves this problem
closing resolved bugs as of 8.6p1 release