Gotcha: SCP Returns To Prompt – OpenSSH

Standard

Background – SCP Failing

On my lab network, I have a box which will reach out to my application gateways and SCP statistics back to my reporting server. I took this idea, and applied it to an audit solution, where I would grab the config of a router/firewall/switch, and return it back to my Audit appliance. It worked great for most devices, but when I ran it against some Juniper ISG’s, it hit a brick wall, figuratively.

The Issue

The issue is the addition of double dash’s in the SCP command, which is sent to the remote device:
[bash]
# scp -v admin@10.2.4.239:ns_sys_config /backup/config/10.2.4.239.cfg
Executing: program /usr/bin/ssh host 10.2.4.239, user admin,
command scp -v -f — ns_sys_config
[/bash]

The -v is used for verbose mode, which is where the excerpt above came from. The -f is to tell the destination device to expect a filename, and the — is to tell the remote host that all switches have been communicated.

Not all SSH capable devices support the — feature, resulting in the appending it to the filename. You can correct this by patching the local host which reaches out to these non-compliant devices.

Here is some example output of the error.

Without verbosity (-v):
[bash]
# scp -v admin@10.2.4.239:ns_sys_config /backup/config/10.2.4.239.cfg
Password:
#
[/bash]

With verbosity (-v):
[bash]
# scp -v admin@10.2.4.239:ns_sys_config /backup/config/10.2.4.239.cfg
Password:

debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: scp -v -f — /ns_sys_config
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 2114, received 1524 bytes, in 0.1 seconds
Bytes per second: sent 22048.4, received 14831.1
debug1: Exit status 1

[/bash]

The Patch

I have updated a bug on bugs.launchpad.net for Ubuntu with a Patch and an explanation.

The patch can be directly found here.

We will walk through the steps of applying the patch and building.

Step 1 – The Source

Let’s get the source:
[bash]
wget http://filedump.se.rit.edu/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
tar xvzf openssh-5.9p1.tar.gz
cd openssh-5.9p1
[/bash]

Step 2 – Apply Patch

Before we do the Configure/Make and Install, we need to patch scp.h, the file which inserts the ‘–’.
[bash]
wget https://launchpadlibrarian.net/84923960/scp.patch
patch -p1 -i scp.patch
(Stripping trailing CRs from patch.)
can’t find file to patch at input line 3
Perhaps you used the wrong -p or –strip option?
The text leading up to this was:
————————–
|— scp.c 2011-01-06 06:41:21.000000000 -0500
|+++ scp.c 2011-11-11 11:49:39.133830178 -0500
————————–
File to patch:
[/bash]

When it asks you for File to patch, enter ‘scp.c’. Hit enter.

Step 3 – Configure/Make/Install

I installed mine at /usr/local/openssh. You can change your prefix to wherever you want.
[bash]
./configure –prefix=/usr/local/openssh –bindir=/usr/bin –with-ssl-engine \
–with-ssl-dir=/usr –with-md5-passwords –with-bsd-auth
make
sudo make install
[/bash]

After that, you should be all set! SCP away!

Enjoy!