#495795 dropbear: please provide the scp binary

Package:
src:dropbear
Source:
dropbear
Submitter:
Luca Capello
Date:
2022-03-26 09:39:03 UTC
Severity:
wishlist
Blocked By:
Bug Title
875979

  1

openssh-client: Please ship /usr/bin/scp in its own binary package

wishlist stable testing unstable almost 9 years ago

#495795#5
Date:
2008-08-20 13:42:36 UTC
From:
To:
Hello,

according to the Debian changelog [1], dropbear in Debian doesn't ship
the scp binary, which is a problem when installed on embedded devices,
like the Openmoko FreeRunner (GTA02) [2].

Is there any specific reason the scp binary is not compiled in?
Installing openssh-client requires 2MB, which can be a problem on small
flash memories.

Thx, bye,
Gismo / Luca

PS, I cc:ed the pkg-fso-maint mailing list, since this bug directly
    concerns Openmoko users :-)

Footnotes:
[1] the first and only occurrence is in version 0.48-1:
    =====
    dropbear (0.48-1) unstable; urgency=medium

      * New upstream release.
      * SECURITY: Improve handling of denial of service attempts from a single
        IP.

      * debian/implicit: update to revision 1.11.
      * new upstream release updates to scp from OpenSSH 4.3p2 - fixes a
        security issue where use of system() could cause users to execute
        arbitrary code through malformed filenames; CVE-2006-0225 (see also
        #349645); the scp binary is not provided by this package though.

#495795#10
Date:
2010-08-16 17:14:11 UTC
From:
To:
Hi,

any chance to get this fixed? It would be very helpful to
have an scp binary for an embedded system. In 2008-12 it
hasn't been included, because we were already in the
freeze for Lenny, now we are in freeze for Squeeze...

TIA

#495795#15
Date:
2012-07-24 16:52:01 UTC
From:
To:
Seconded.

Now Wheezy is frozen.  :-(

Could scp be added to Sid at least, please?

Thanks,
Jens

#495795#20
Date:
2015-06-10 09:05:34 UTC
From:
To:
Hi,

Now we have no freeze so we can now provide scp.

Thanks,
Martin

#495795#25
Date:
2015-09-18 15:09:43 UTC
From:
To:
Control: tag -1 moreinfo

Hi there,

I wonder what's the best way to close this.  dropbear and openssh-client
can currently coexist, because the SSH clients have different binary
names: /usr/bin/dbclient and /usr/bin/ssh.  We could also install
dropbear SCP binary to e.g., /usr/bin/dbscp to have a non-conflicting
SCP *client*.

However that doesn't for the *server* part, since AFAIK a remote
executable called ‘scp’ is required by the SCP protocol (and needs to be
in the remote $PATH).  So I believe the options at hands are:

  * ask the OpenSSH maintainers to consider using an alternative for
    their scp binary (and possibly ssh too), or
  * provide a new package dropbear-client to ship /usr/bin/{dbclient,scp}
    and make it conflict with openssh-client.

Any thoughts or suggestions?

Cheers,

#495795#32
Date:
2016-09-05 12:15:46 UTC
From:
To:
Hi Mr. Moulin,

I came across this report while I was trying to get Ansible working
with dropbear.

I know you've wanted to get some suggestions last year but this bug
report, which is only followed by a couple users like me who were
affected from the lack of scp, is not really the right place for
getting answer to the questions you have in your mind. My humble
suggestion is you should talk to OpenSSH maintainers on how to proceed
with it and maybe consult debian-devel for policy related questions or
best practices.

Thanks for your consideration and let's hope we'll have a more
comprehensive dropbear for stretch!

#495795#37
Date:
2017-01-25 11:49:23 UTC
From:
To:
The attached archive contains a suggestion on how scp could be added.

Winke: o/~
SvOlli

#495795#44
Date:
2017-09-16 19:15:59 UTC
From:
To:
Control: block -1 by 875979

In fact the ‘scp.c’ found in the Dropbear source package comes from
OpenSSH with minor modifications, so it makes little sense to ship a
second version the scp binary.

After discussion with upstream and the OpenSSH maintainers, we agreed on
a solution:

  1. ship OpenSSH's /usr/bin/scp in a dedicated binary package (unlike
     /usr/bin/ssh it only depends on libc6), cf. #875979;
  2. make dbclient(1) accept (as no-op) the options passed by scp(1) to
     avoid warnings: `-x -oForwardAgent=no -oPermitLocalCommand=no
     -oClearAllForwardings=yes`; and
  3. for the client part, ship a `dbscp` shell wrapper invoking scp(1)
     with dbclient(1) as SSH client.

See https://lists.debian.org/debian-ssh/2017/07/msg00019.html for
details.