Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Could anyone comment about whether any file-related Ansible modules use scp by default instead of sftp?


I believe you need to set scp_if_ssh = True in ansible.cfg for scp to ever be used, even if sftp is not available on the remote host.


Nowadays ansible uses a sort-of 'smart' method by default, where it first tries to use sftp, and if that fails, falls back to scp. See https://docs.ansible.com/ansible/latest/plugins/connection/s...


So if the server is compromised, it can fail the sftp in a suitable way?

But its another matter if ansible's scp client is vulnerable to this.


So if anyone is curious, the way to prevent this is:

scp_if_ssh = false




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: