- Package:
- src:dropbear
- Source:
- dropbear
- Submitter:
- Luca Capello
- Date:
- 2022-03-26 09:39:03 UTC
- Severity:
- wishlist
- Blocked By:
-
Bug Title 875979 1
openssh-client: Please ship /usr/bin/scp in its own binary package wishlist stable testing unstable almost 9 years ago
Hello,
according to the Debian changelog [1], dropbear in Debian doesn't ship
the scp binary, which is a problem when installed on embedded devices,
like the Openmoko FreeRunner (GTA02) [2].
Is there any specific reason the scp binary is not compiled in?
Installing openssh-client requires 2MB, which can be a problem on small
flash memories.
Thx, bye,
Gismo / Luca
PS, I cc:ed the pkg-fso-maint mailing list, since this bug directly
concerns Openmoko users :-)
Footnotes:
[1] the first and only occurrence is in version 0.48-1:
=====
dropbear (0.48-1) unstable; urgency=medium
* New upstream release.
* SECURITY: Improve handling of denial of service attempts from a single
IP.
* debian/implicit: update to revision 1.11.
* new upstream release updates to scp from OpenSSH 4.3p2 - fixes a
security issue where use of system() could cause users to execute
arbitrary code through malformed filenames; CVE-2006-0225 (see also
#349645); the scp binary is not provided by this package though.
Hi, any chance to get this fixed? It would be very helpful to have an scp binary for an embedded system. In 2008-12 it hasn't been included, because we were already in the freeze for Lenny, now we are in freeze for Squeeze... TIA
Seconded. Now Wheezy is frozen. :-( Could scp be added to Sid at least, please? Thanks, Jens
Hi, Now we have no freeze so we can now provide scp. Thanks, Martin
Control: tag -1 moreinfo
Hi there,
I wonder what's the best way to close this. dropbear and openssh-client
can currently coexist, because the SSH clients have different binary
names: /usr/bin/dbclient and /usr/bin/ssh. We could also install
dropbear SCP binary to e.g., /usr/bin/dbscp to have a non-conflicting
SCP *client*.
However that doesn't for the *server* part, since AFAIK a remote
executable called ‘scp’ is required by the SCP protocol (and needs to be
in the remote $PATH). So I believe the options at hands are:
* ask the OpenSSH maintainers to consider using an alternative for
their scp binary (and possibly ssh too), or
* provide a new package dropbear-client to ship /usr/bin/{dbclient,scp}
and make it conflict with openssh-client.
Any thoughts or suggestions?
Cheers,
Hi Mr. Moulin, I came across this report while I was trying to get Ansible working with dropbear. I know you've wanted to get some suggestions last year but this bug report, which is only followed by a couple users like me who were affected from the lack of scp, is not really the right place for getting answer to the questions you have in your mind. My humble suggestion is you should talk to OpenSSH maintainers on how to proceed with it and maybe consult debian-devel for policy related questions or best practices. Thanks for your consideration and let's hope we'll have a more comprehensive dropbear for stretch!
The attached archive contains a suggestion on how scp could be added. Winke: o/~ SvOlli
Control: block -1 by 875979
In fact the ‘scp.c’ found in the Dropbear source package comes from
OpenSSH with minor modifications, so it makes little sense to ship a
second version the scp binary.
After discussion with upstream and the OpenSSH maintainers, we agreed on
a solution:
1. ship OpenSSH's /usr/bin/scp in a dedicated binary package (unlike
/usr/bin/ssh it only depends on libc6), cf. #875979;
2. make dbclient(1) accept (as no-op) the options passed by scp(1) to
avoid warnings: `-x -oForwardAgent=no -oPermitLocalCommand=no
-oClearAllForwardings=yes`; and
3. for the client part, ship a `dbscp` shell wrapper invoking scp(1)
with dbclient(1) as SSH client.
See https://lists.debian.org/debian-ssh/2017/07/msg00019.html for
details.