Hacker News
kakarot on Jan 15, 2019 | on: 35-year-old vulnerability discovered in scp
Could anyone comment about whether any file-related Ansible modules use scp by default instead of sftp?
evgen on Jan 15, 2019
I believe you need to set scp_if_ssh = True in ansible.cfg for scp to ever be used, even if sftp is not available on the remote host.
jabl on Jan 15, 2019
Nowadays ansible uses a sort-of 'smart' method by default, where it first tries to use sftp, and if that fails, falls back to scp. See https://docs.ansible.com/ansible/latest/plugins/connection/s...
zurn on Jan 15, 2019
So if the server is compromised, it can fail the sftp in a suitable way?
But it's another matter if ansible's scp client is vulnerable to this.
kakarot on Jan 15, 2019
So if anyone is curious, the way to prevent this is:
scp_if_ssh = false
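
An added example, not part of the thread or of Ansible's own code: a small audit that reads an ansible.cfg and reports whether scp can be used for file transfer, covering the three behaviours discussed above (forced scp, the 'smart' sftp-then-scp fallback, sftp only). It assumes the setting lives in the `[ssh_connection]` section and can be overridden by the `ANSIBLE_SCP_IF_SSH` environment variable; the function name and sample configs are constructed for illustration.

```python
import configparser

# Boolean spellings accepted here (assumption: the usual Ansible yes/no forms).
TRUE_VALUES = {"true", "yes", "on", "1", "y", "t"}
FALSE_VALUES = {"false", "no", "off", "0", "n", "f"}


def scp_exposure(cfg_text, env=None):
    """Return (verdict, source, misplaced_sections) for one ansible.cfg.

    verdict: "sftp-only", "scp-fallback" (smart), "scp-forced" or "unknown".
    misplaced_sections: sections other than [ssh_connection] that carry a
    scp_if_ssh key, where the setting has no effect.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    misplaced = [s for s in parser.sections()
                 if s != "ssh_connection" and parser.has_option(s, "scp_if_ssh")]

    env = env or {}
    if "ANSIBLE_SCP_IF_SSH" in env:            # environment overrides the file
        raw, source = env["ANSIBLE_SCP_IF_SSH"], "environment"
    elif parser.has_option("ssh_connection", "scp_if_ssh"):
        raw, source = parser.get("ssh_connection", "scp_if_ssh"), "ansible.cfg"
    else:                                      # unset: 'smart', per the thread
        raw, source = "smart", "default"

    value = raw.strip().lower()
    if value in FALSE_VALUES:
        verdict = "sftp-only"
    elif value in TRUE_VALUES:
        verdict = "scp-forced"
    elif value == "smart":
        verdict = "scp-fallback"
    else:
        verdict = "unknown"
    return verdict, source, misplaced


# Constructed sample configs, not taken from any real deployment.
HARDENED = "[ssh_connection]\nscp_if_ssh = false\n"
MISPLACED = "[defaults]\nscp_if_ssh = False\n"

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("misplaced", MISPLACED)):
        print(name, scp_exposure(text))
```

The misplaced case is the one worth checking for in practice: a `scp_if_ssh = False` line under the wrong section leaves the smart fallback to scp in place.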