The deprecation of the SCP protocol in Red Hat Enterprise Linux (RHEL) 9 is one of the most critical security changes for OpenSSH.
The following are the adjustments we’ve created:
We’re making this change because the SCP protocol is decades old and has several security vulnerabilities and problems for which there are no simple fixes. New flaws are disclosed often (the most recent as of this writing is CVE-2020-15778, but we can’t guarantee it will be the last), and fixing them all effectively is challenging because the protocol fundamentally trusts authenticated sessions.
As a result, some RHEL customers prefer to disable the SCP protocol entirely on their systems. At the same time, we have SFTP, a well-defined protocol that covers the majority of SCP’s use cases, so switching to the superior protocol makes sense.
Jakub Jelen, a Red Hatter who has maintained the OpenSSH package for many years and is extremely familiar with the toolkit’s internals, wrote the first patch that implemented the switch. Jelen’s patch was accepted upstream with minor changes in 2021. It has since been updated with various compatibility adjustments to better match the SCP behavior and to correctly handle the corner cases that have been observed so far.
Although upstream has put off switching to the SFTP protocol by default, we chose to make the move in RHEL 9. People who move to a new major version are more likely to expect such incompatibilities, so a major release is the best time to make changes of this kind.
There are significant differences between the SCP and SFTP protocols that we are aware of. When transferring files, the SCP program, for example, follows attached to the top but SFTP does not. This has been fixed upstream, and our product has been updated to reflect the changes. Glob pattern expansion differs as well, and these incompatibilities will persist for the time being.
The expansion of ~-based paths is another difference between the protocols. To handle this expansion, OpenSSH 8.7 and subsequent versions provide a specific SFTP extension. Unfortunately, previous versions of RHEL do not support this extension, so transferring folders from a newer version to an older one will fail if ~-based paths are used. The suggested workaround in such cases is to provide absolute paths.
If this change affects your system, you have a few alternatives. Upgrade the legacy system to a newer version of RHEL, if possible. If you can’t do that, you can use the SCP protocol, which requires the -O option to be specified explicitly.
However, if you use this option in your scripts, keep the following in mind:
Using rsync instead of SCP is also possible and practical. For file transfer, rsync uses its own protocol, while ssh provides the secure transport.
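To find scripts touched by the differences described above, the following added example (not code from the original article or from OpenSSH) scans shell lines that invoke `scp` by that name and reports remote `~`-based paths, remote glob patterns, and explicit use of `-O`. The function names, finding labels and sample hosts are assumptions made for illustration.

```python
import re
import shlex

# scp(1) options that take an argument (the value may be attached: -oPort=22).
OPTS_WITH_ARG = set("cDFiJloPSX")
# Remote operand: [user@]host:path, with no "/" before the first colon.
REMOTE = re.compile(r"^(?:[^/:@\s]+@)?[^/:\s]+:(.*)$")

def audit_scp_line(line):
    """Return a sorted list of findings for one shell line that runs scp."""
    try:
        argv = shlex.split(line, comments=True)
    except ValueError:          # unbalanced quotes: not a plain command line
        return []
    if "scp" not in argv:
        return []
    legacy, findings, skip_next = False, set(), False
    for arg in argv[argv.index("scp") + 1:]:
        if skip_next:           # this token is the value of the previous option
            skip_next = False
            continue
        if arg.startswith("-") and len(arg) > 1:
            for pos, flag in enumerate(arg[1:], start=1):
                if flag == "O":
                    legacy = True
                elif flag in OPTS_WITH_ARG:
                    skip_next = pos == len(arg) - 1
                    break
            continue
        match = REMOTE.match(arg)
        if match:
            path = match.group(1)
            if path.startswith("~"):
                findings.add("tilde-path")   # fails against servers lacking the SFTP extension
            if re.search(r"[*?\[]", path):
                findings.add("remote-glob")  # glob expansion differs under SFTP
    # With -O the legacy protocol is used, so the SFTP differences do not apply.
    return ["legacy-protocol"] if legacy else sorted(findings)

def audit_script(text):
    """Return {line_number: findings} for every flagged line of a script."""
    lines = enumerate(text.splitlines(), start=1)
    return {n: f for n, line in lines if (f := audit_scp_line(line))}

# Constructed sample script, not taken from the article.
SAMPLE = """scp -r ~/build deploy@legacy.example.com:~/releases/
scp -O -P 2222 report.txt backup@old.example.com:in/
scp -q web01.example.com:/var/log/app/*.log /srv/logs/"""
print(audit_script(SAMPLE))
```

Lines reported as `tilde-path` are candidates for the absolute-path workaround; lines reported as `legacy-protocol` still depend on the SCP protocol.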