Bug#222992: marked as done (ssh: scp between two remote hosts only works with forwarded public-key auth)

To: Colin Watson <cjwatson@debian.org>
Subject: Bug#222992: marked as done (ssh: scp between two remote hosts only works with forwarded public-key auth)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sun, 07 Jun 2020 09:45:05 +0000
Message-id: <[🔎] handler.222992.D222992.159152287531867.ackdone@bugs.debian.org>
Reply-to: 222992@bugs.debian.org
References: <20200607094103.GA6138@riva.ucam.org> <20031205150450.5925.qmail@ozonio.matriz.oktiva.com.br>

Your message dated Sun, 7 Jun 2020 10:41:03 +0100
with message-id <20200607094103.GA6138@riva.ucam.org>
and subject line Re: Bug#222992: ssh: scp host1:file host2:. don't ask password for host2
has caused the Debian Bug report #222992,
regarding ssh: scp between two remote hosts only works with forwarded public-key auth
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
222992: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=222992
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: scp host1:file host2:. don't ask password for host2
From: Itamar Almeida de Carvalho <itamar@oktiva.com.br>
Date: Fri, 05 Dec 2003 12:04:50 -0300
Message-id: <20031205150450.5925.qmail@ozonio.matriz.oktiva.com.br>

Package: ssh
Version: 1:3.6.1p2-10
Severity: normal

When I try to copy a file with scp from a remote host to another remote
host, it don't ask for password for the second one and fails
authenticatioI.  If I copy from the first remote host to the local host 
and then from the local to the second remote, it works well.

Following the trace first without using "-v" option (for clarity), then
using it (for security, I changed the full host name to
host2-full-address.com.br and the ip to 10.0.0.1 - it was a valid
Internet address):

[itamar@horizon:~] scp ozonio:MinhaPagina.txt host2-full-address.com.br:.
itamar@ozonio's password: 
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).
lost connection
[itamar@horizon:~] scp ozonio:MinhaPagina.txt .
itamar@ozonio's password: 
MinhaPagina.txt
100%  360    12.3KB/s   00:00    
[itamar@horizon:~] scp MinhaPagina.txt host2-full-address.com.br:.
itamar@host2-full-address.com.br's password: 
MinhaPagina.txt
100%  360   968.4KB/s   00:00    


[itamar@horizon:~] scp -v ozonio:MinhaPagina.txt host2-full-address.com.br:.
Executing: exec /usr/bin/ssh -v -x -o'ClearAllForwardings yes' -n ozonio
scp -v MinhaPagina.txt 'host2-full-address.com.br:.'
OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10, SSH protocols 1.5/2.0, OpenSSL
0x0090703f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: Connecting to ozonio [192.168.166.10] port 22.
debug1: Connection established.
debug1: identity file /home/itamar/.ssh/identity type -1
debug1: identity file /home/itamar/.ssh/id_rsa type -1
debug1: identity file /home/itamar/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10
debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ozonio' is known and matches the RSA host key.
debug1: Found key in /home/itamar/.ssh/known_hosts:13
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/itamar/.ssh/identity
debug1: Trying private key: /home/itamar/.ssh/id_rsa
debug1: Trying private key: /home/itamar/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
itamar@ozonio's password: 
debug1: Authentication succeeded (password).
debug1: fd 4 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending command: scp -v MinhaPagina.txt host2-full-address.com.br:.
debug1: channel 0: request exec
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel 0: read<=0 rfd 4 len 0
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: channel 0: input drain -> closed
Executing: program /usr/bin/ssh host host2-full-address.com.br, user
(unspecified), command scp -v -t .
OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10, SSH protocols 1.5/2.0, OpenSSL
0x0090703f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: Connecting to host2-full-address.com.br [10.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/itamar/.ssh/identity type 0
debug1: identity file /home/itamar/.ssh/id_rsa type -1
debug1: identity file /home/itamar/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'host2-full-address.com.br' is known and matches the RSA host
key.
debug1: Found key in /home/itamar/.ssh/known_hosts:19
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/itamar/.ssh/id_rsa
debug1: Trying private key: /home/itamar/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
Permission denied, please try again.
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
Permission denied, please try again.
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
debug1: Calling cleanup 0x80623c0(0x0)
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: rcvd close
lost connection
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 9.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 1

[itamar@horizon:~] scp -v ozonio:MinhaPagina.txt .
Executing: program /usr/bin/ssh host ozonio, user (unspecified), command
scp -v -f MinhaPagina.txt
OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10, SSH protocols 1.5/2.0, OpenSSL
0x0090703f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: Connecting to ozonio [192.168.166.10] port 22.
debug1: Connection established.
debug1: identity file /home/itamar/.ssh/identity type -1
debug1: identity file /home/itamar/.ssh/id_rsa type -1
debug1: identity file /home/itamar/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10
debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ozonio' is known and matches the RSA host key.
debug1: Found key in /home/itamar/.ssh/known_hosts:13
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/itamar/.ssh/identity
debug1: Trying private key: /home/itamar/.ssh/id_rsa
debug1: Trying private key: /home/itamar/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
itamar@ozonio's password: 
debug1: Authentication succeeded (password).
debug1: fd 4 setting O_NONBLOCK
debug1: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending command: scp -v -f MinhaPagina.txt
debug1: channel 0: request exec
debug1: channel 0: open confirm rwindow 0 rmax 32768
Sending file modes: C0644 360 MinhaPagina.txt
MinhaPagina.txt
100%  360   132.2KB/s   00:00    
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0


[itamar@horizon:~] scp -v MinhaPagina.txt host2-full-address.com.br:.
Executing: program /usr/bin/ssh host host2-full-address.com.br, user
(unspecified), command scp -v -t .
OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10, SSH protocols 1.5/2.0, OpenSSL
0x0090703f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: Connecting to host2-full-address.com.br [10.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/itamar/.ssh/identity type -1
debug1: identity file /home/itamar/.ssh/id_rsa type -1
debug1: identity file /home/itamar/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'host2-full-address.com.br' is known and matches the RSA host
key.
debug1: Found key in /home/itamar/.ssh/known_hosts:18
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/itamar/.ssh/identity
debug1: Trying private key: /home/itamar/.ssh/id_rsa
debug1: Trying private key: /home/itamar/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
itamar@host2-full-address.com.br's password: 
debug1: Authentication succeeded (password).
debug1: fd 4 setting O_NONBLOCK
debug1: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending command: scp -v -t .
debug1: channel 0: request exec
debug1: channel 0: open confirm rwindow 0 rmax 32768
Sending file modes: C0644 360 MinhaPagina.txt
MinhaPagina.txt
100%  360   922.7KB/s   00:00    
debug1: channel 0: read<=0 rfd 4 len 0
debug1: channel 0: read failed
debug1: channel 0: close_read
debug1: channel 0: input open -> drain
debug1: channel 0: ibuf empty
debug1: channel 0: send eof
debug1: channel 0: input drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: rcvd close
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.8 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0



-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux ozonio 2.4.22 #1 Thu Oct 2 16:48:26 GMT+3 2003 i686
Locale: LANG=en_US, LC_CTYPE=en_US (ignored: LC_ALL set to pt_BR)

Versions of packages ssh depends on:
ii  adduser                     3.51         Add and remove users and groups
ii  debconf                     1.3.20       Debian configuration management sy
ii  dpkg                        1.10.18      Package maintenance system for Deb
ii  libc6                       2.3.2.ds1-10 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-14      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-14      Runtime support for the PAM librar
ii  libpam0g                    0.76-14      Pluggable Authentication Modules l
ii  libssl0.9.7                 0.9.7c-5     SSL shared libraries
ii  libwrap0                    7.6-ipv6.1-3 Wietse Venema's TCP wrappers libra
ii  zlib1g                      1:1.1.4-17   compression library - runtime

-- debconf information:
* ssh/privsep_tell: 
  ssh/insecure_rshd: 
  ssh/privsep_ask: true
  ssh/ssh2_keys_merged: 
* ssh/user_environment_tell: 
* ssh/forward_warning: 
  ssh/insecure_telnetd: 
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: false
  ssh/encrypted_host_key_but_no_keygen: 
* ssh/run_sshd: true
* ssh/SUID_client: true

--- End Message ---

--- Begin Message ---

To: 222992-done@bugs.debian.org
Subject: Re: Bug#222992: ssh: scp host1:file host2:. don't ask password for host2
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 7 Jun 2020 10:41:03 +0100
Message-id: <20200607094103.GA6138@riva.ucam.org>
In-reply-to: <20040501133206.GA4480@riva.ucam.org>
References: <20031205150450.5925.qmail@ozonio.matriz.oktiva.com.br> <20040501133206.GA4480@riva.ucam.org>

Source: openssh
Source-Version: 1:5.7p1-1

On Sat, May 01, 2004 at 02:32:06PM +0100, Colin Watson wrote:
> On Fri, Dec 05, 2003 at 12:04:50PM -0300, Itamar Almeida de Carvalho wrote:
> > When I try to copy a file with scp from a remote host to another remote
> > host, it don't ask for password for the second one and fails
> > authenticatioI.  If I copy from the first remote host to the local host 
> > and then from the local to the second remote, it works well.
> 
> Yes, the syntax you used effectively sshs to host1 and then scps from
> there to host2; I believe you need to be using public-key authentication
> via an ssh-agent and agent forwarding to host1 in order for this to
> work. Considering the compatibility limitations of scp
> (http://www.openssh.org/faq.html#2.10), I doubt this will be fixed.

In fact, as of OpenSSH 5.7 (released in 2011), there's an "scp -3"
option which does what you want here.  Sorry for forgetting about this
bug at the time.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

--- End Message ---

Reply to:

Prev by Date: Bug#962035: defaults are applied every time the include statement is processed
Next by Date: Processed: Bug#962035 marked as pending in openssh
Previous by thread: Bug#962035: marked as done (defaults are applied every time the include statement is processed)
Next by thread: Bug#932071: marked as done (openssh-client: [Regr. 7.9p1-10 -> 8.0p1-3] Always prompts for Yubikey (PKCS#11) PIN, even if already in agent)
Index(es):
- Date
- Thread