Package: dropbear
Version: 0.51-1
Severity: wishlist
Hello,
according to the Debian changelog [1], dropbear in Debian doesn't ship
the scp binary, which is a problem when installed on embedded devices,
like the Openmoko FreeRunner (GTA02) [2].
Is there any specific reason the scp binary is not compiled in?
Installing openssh-client requires 2MB, which can be a problem on small
flash memories.
Thx, bye,
Gismo / Luca
PS, I cc:ed the pkg-fso-maint mailing list, since this bug directly
concerns Openmoko users :-)
Footnotes:
[1] the first and only occurrence is in version 0.48-1:
=====
dropbear (0.48-1) unstable; urgency=medium
* New upstream release.
* SECURITY: Improve handling of denial of service attempts from a single
IP.
* debian/implicit: update to revision 1.11.
* new upstream release updates to scp from OpenSSH 4.3p2 - fixes a
security issue where use of system() could cause users to execute
arbitrary code through malformed filenames; CVE-2006-0225 (see also
#349645); the scp binary is not provided by this package though.
-- Gerrit Pape <[email protected]> Fri, 10 Mar 2006 22:00:32 +0000
=====
[2] http://lists.alioth.debian.org/pipermail/pkg-fso-maint/2008-August/000006.html
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: armel (armv4tl)
Kernel: Linux 2.6.24 (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages dropbear depends on:
ii libc6 2.7-13 GNU C Library: Shared libraries
ii libgcc1 1:4.3.1-9 GCC support library
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
dropbear recommends no packages.
Versions of packages dropbear suggests:
pn openssh-client <none> (no description available)
pn runit <none> (no description available)
-- no debconf information
Acknowledgement sent
to "W. Martin Borgert" <[email protected]>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <[email protected]>.
(Mon, 16 Aug 2010 17:15:03 GMT).
Hi,
any chance to get this fixed? It would be very helpful to
have an scp binary for an embedded system. In 2008-12 it
hasn't been included, because we were already in the
freeze for Lenny, now we are in freeze for Squeeze...
TIA
Acknowledgement sent
to Jens Rottmann <[email protected]>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <[email protected]>.
(Tue, 24 Jul 2012 17:06:03 GMT).
Acknowledgement sent
to Guilhem Moulin <[email protected]>:
Extra info received and forwarded to list. Copy sent to Gerrit Pape <[email protected]>.
(Fri, 18 Sep 2015 15:12:03 GMT).
Control: tag -1 moreinfo
Hi there,
I wonder what's the best way to close this. dropbear and openssh-client
can currently coexist, because the SSH clients have different binary
names: /usr/bin/dbclient and /usr/bin/ssh. We could also install
dropbear SCP binary to e.g., /usr/bin/dbscp to have a non-conflicting
SCP *client*.
However that doesn't work for the *server* part, since AFAIK a remote
executable called ‘scp’ is required by the SCP protocol (and needs to be
in the remote $PATH). So I believe the options at hand are:
* ask the OpenSSH maintainers to consider using an alternative for
their scp binary (and possibly ssh too), or
* provide a new package dropbear-client to ship /usr/bin/{dbclient,scp}
and make it conflict with openssh-client.
Any thoughts or suggestions?
Cheers,
--
Guilhem.
Acknowledgement sent
to Mert Dirik <[email protected]>:
Extra info received and forwarded to list. Copy sent to Guilhem Moulin <[email protected]>.
(Mon, 05 Sep 2016 12:21:25 GMT).
Subject: Re: dropbear: please provide the scp binary
Date: Mon, 5 Sep 2016 15:15:46 +0300
On Fri, 18 Sep 2015 17:09:43 +0200 Guilhem Moulin <[email protected]> wrote:
> Control: tag -1 moreinfo
>
> Hi there,
>
> I wonder what's the best way to close this. dropbear and openssh-client
> can currently coexist, because the SSH clients have different binary
> names: /usr/bin/dbclient and /usr/bin/ssh. We could also install
> dropbear SCP binary to e.g., /usr/bin/dbscp to have a non-conflicting
> SCP *client*.
>
> However that doesn't work for the *server* part, since AFAIK a remote
> executable called ‘scp’ is required by the SCP protocol (and needs to be
> in the remote $PATH). So I believe the options at hand are:
>
> * ask the OpenSSH maintainers to consider using an alternative for
> their scp binary (and possibly ssh too), or
> * provide a new package dropbear-client to ship /usr/bin/{dbclient,scp}
> and make it conflict with openssh-client.
>
> Any thoughts or suggestions?
>
Hi Mr. Moulin,
I came across this report while I was trying to get Ansible working
with dropbear.
I know you've wanted to get some suggestions last year but this bug
report, which is only followed by a couple users like me who were
affected by the lack of scp, is not really the right place for
getting answers to the questions you have in your mind. My humble
suggestion is you should talk to OpenSSH maintainers on how to proceed
with it and maybe consult debian-devel for policy related questions or
best practices.
Thanks for your consideration and let's hope we'll have a more
comprehensive dropbear for stretch!
Acknowledgement sent
to Sven Oliver Moll <[email protected]>:
Extra info received and forwarded to list. Copy sent to Guilhem Moulin <[email protected]>.
(Wed, 25 Jan 2017 12:27:03 GMT).
The attached archive contains a suggestion on how scp could be added.
Winke: o/~
SvOlli
--
| _______ |
| ( /\ | Such Dir 'nen Baum begiesse ihn
|__)v\/lli a.k.a.| und schau den Voegeln nach, die nach Sueden ziehn.
|Sven Oliver Moll| -- Stoppok, "Happy End"
Acknowledgement sent
to Guilhem Moulin <[email protected]>:
Extra info received and forwarded to list.
(Sat, 16 Sep 2017 19:24:05 GMT).
Control: block -1 by 875979
On Mon, 05 Sep 2016 at 15:15:46 +0300, Mert Dirik wrote:
> I know you've wanted to get some suggestions last year but this bug
> report, which is only followed by a couple users like me who were
> affected by the lack of scp, is not really the right place for
> getting answers to the questions you have in your mind. My humble
> suggestion is you should talk to OpenSSH maintainers on how to proceed
> with it and maybe consult debian-devel for policy related questions or
> best practices.
In fact the ‘scp.c’ found in the Dropbear source package comes from
OpenSSH with minor modifications, so it makes little sense to ship a
second version of the scp binary.
After discussion with upstream and the OpenSSH maintainers, we agreed on
a solution:
1. ship OpenSSH's /usr/bin/scp in a dedicated binary package (unlike
/usr/bin/ssh it only depends on libc6), cf. #875979;
2. make dbclient(1) accept (as no-op) the options passed by scp(1) to
avoid warnings: `-x -oForwardAgent=no -oPermitLocalCommand=no
-oClearAllForwardings=yes`; and
3. for the client part, ship a `dbscp` shell wrapper invoking scp(1)
with dbclient(1) as SSH client.
See https://lists.debian.org/debian-ssh/2017/07/msg00019.html for
details.
--
Guilhem.
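Point 2 of the solution above, sketched as an added example (not Dropbear's code and not from this thread): a filter that accepts exactly the options scp(1) passes and rejects any other `-o` value, so a request such as `ForwardAgent=yes` is never silently dropped. The function names are hypothetical, and it assumes the client's built-in behaviour already matches the listed values.

```c
#include <stdio.h>
#include <string.h>

/* The -o values scp(1) passes, as listed in the message above. Assumption:
 * the client already behaves this way, so accepting them changes nothing. */
static const char *const NOOP_OPTS[] = {
    "ForwardAgent=no", "PermitLocalCommand=no", "ClearAllForwardings=yes",
};

enum opt_result { OPT_NOOP, OPT_REJECT, OPT_OTHER };

/* Classify argv[*i]; advances *i when the -o value is a separate argument. */
enum opt_result classify_arg(int argc, char **argv, int *i)
{
    const char *arg = argv[*i], *val;
    if (strcmp(arg, "-x") == 0) return OPT_NOOP;
    if (strncmp(arg, "-o", 2) != 0)
        return OPT_OTHER;            /* leave to the client's real parser */
    if (arg[2] != '\0')
        val = arg + 2;               /* -oKey=value */
    else if (*i + 1 < argc)
        val = argv[++*i];            /* -o Key=value */
    else return OPT_REJECT;          /* -o with nothing after it */
    for (size_t k = 0; k < sizeof NOOP_OPTS / sizeof NOOP_OPTS[0]; k++)
        if (strcmp(val, NOOP_OPTS[k]) == 0)
            return OPT_NOOP;
    return OPT_REJECT;               /* e.g. ForwardAgent=yes: never drop silently */
}

/* Count of no-op options, or -1 if any -o value is rejected (scans all args). */
int count_noops(int argc, char **argv)
{
    int n = 0;
    for (int i = 1; i < argc; i++) {
        enum opt_result r = classify_arg(argc, argv, &i);
        if (r == OPT_REJECT) return -1;
        n += (r == OPT_NOOP);
    }
    return n;
}

int main(void)
{
    /* Constructed argv, shaped like what scp hands to its SSH client. */
    char *argv[] = { "dbclient", "-x", "-oForwardAgent=no", "-oPermitLocalCommand=no",
                     "-oClearAllForwardings=yes", "host", "scp -t /tmp" };
    printf("no-op options: %d\n", count_noops(7, argv));
    return 0;
}
```

Matching on the full `Key=value` string rather than the key alone is what keeps the no-op safe: only the value that equals the assumed default is swallowed.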