Skip to content

What you need to know about the deprecation of OpenSSH SCP in RHEL 9

The deprecation of the SCP protocol in Red Hat Enterprise Linux (RHEL) 9 is one of the most critical security changes for OpenSSH.

The following are the adjustments we’ve created:

  • For file transfers, the SCP command-line tool defaults to using the SFTP protocol. 
  • The newly introduced -O option can be used to restore SCP protocol use.
  • On the system, the SCP protocol can be completely disabled. Any attempt to utilize the SCP protocol will fail if the file /etc/ssh/disable SCP exists.

We’re making this move because the SCP protocol is decades old and has several security vulnerabilities and problems for which there are no simple fixes. New flaws are disclosed often (the most recent as of this writing is CVE-2020-15778, but we can’t guarantee it will be the last), and fixing them all effectively is challenging due to the protocol’s fundamental trustworthiness of authenticated sessions.

As a result, some RHEL customers prefer to deactivate the SCP protocol entirely on their systems. Simultaneously, we have SFTP, a well-defined protocol that covers the majority of SCP’s use cases, therefore switching to the superior protocol makes sense.

Fix creation and adoption

Jakub Jelen, a Red Hatter who has maintained the OpenSSH package for numerous years and is extremely familiar with the toolkit’s internals, wrote the first patch that implemented the switch. Jelen’s fix was approved upstream with minor changes in 2021. It has now been updated with various compatibility adjustments to better match the SCP behavior and to accurately handle the corner situations that have been observed so far.

Despite the fact that upstream has put off switching to the SFTP protocol by default, we chose to make the move in RHEL 9. Because individuals who move to new major versions are more likely to predict such incompatibilities, a major release is the best time to implement such modifications.

Differences between SCP and SFTP protocols

There are significant distinctions between the SCP and SFTP protocols that we are aware of. When transferring files, the SCP program, for example, follows attached to the top but SFTP does not. This has been rectified upstream, and our product has been updated to reflect the changes. The glob pattern growth differs as well, but these incompatibilities will persist for the time being.

The extension of -based path processing is another distinction between the protocols. To deal with this expansion, OpenSSH 8.7 and subsequent versions provide a specific SFTP extension. Unfortunately, previous versions of RHEL do not support this extension, therefore transferring folders from a newer version to an older one would fail if path processing is utilized. The suggested solution in such instances is to offer absolute routes.

What should you do if this update has an impact on your system?

You have a few alternatives if this modification impacts your system. Upgrade the legacy system to a newer version of RHEL, if possible. If you can’t do that, you can use the SCP protocol, which requires the -O option to be specified explicitly.

However, if you use this option in your scripts, keep the following in mind:

  1. The SCP protocol is insecure compared to the SFTP protocol and poses some security issues (see CVE-2020-15778 as an example).
  2. It is intended to be removed in one of Red Hat Enterprise Linux’s forthcoming major editions.
  3. It won’t function if the SCP protocol is deactivated on the destination machine.

It is also conceivable and practical to use Rsync instead of SCP. For file transmission, Rsync employs its own protocol, whereas ssh is utilized for security.

 


Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.

For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com