Fix scp regressions for 6.x

[a-palchikov]

Use correct target directory path in error message.
Handle target directory/file renames properly.

I've only tested these changes manually and I was working on automatic test coverage for the rest of the use-cases but I'm not sure I can make it in time for rc.2.

Fixes #5695.

[russjones]

@andrejtokarcik Can you review this?

[russjones]

@a-palchikov If we can't make it to rc.2, let's aim for rc.3?

[a-palchikov]

Ok - I'll work on the tests to be on the safe side.

[andrejtokarcik]

I'm mentioning this here just so we're aware of the current behaviour not that it's necessary to change it, feel free to close this note with no action:

This could cause unexpected data duplication, especially in automated scripts which may simply rely on the fact that tsh scp always overwrites its target. For example:

$ stat /tmp/zz
stat: cannot stat '/tmp/zz': No such file or directory
$ tsh scp -r ./large-tree/ /tmp/zz/
[...]
$ diff ./large-tree/ /tmp/zz/ && echo same tree
same tree
$ tsh scp -r ./large-tree/ /tmp/zz/   # re-run the same tsh scp command
[...]
$ diff ./large-tree/ /tmp/zz/
Only in /tmp/zz/: large-tree

The files of large-tree would end up in two copies under /tmp/zz: once directly under /tmp/zz, once under /tmp/zz/large-tree.

[a-palchikov]

Yes, this is consistent with OpenSSH client's behavior - initial attempt to copy a directory into a new non-existing location causes a rename, but existing location appends to it.

[andrejtokarcik]

I can't test it right now but IIRC, OpenSSH scp changes its dir-copying behaviour based on the trailing slash which I think tsh scp would not.

[a-palchikov]

That could be possible - I'll test that as well.

[a-palchikov]

client (ubuntu):

$ ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1f  31 Mar 2020

server (centos):

$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Trailing slash does not change the behavior as described in the linked issue.

[russjones]

@a-palchikov I this code is always run on the client? Server process is sshd?

[a-palchikov]

Yes, the server is sshd. It does not have a version flag but outputs the version anyways:

$ sshd -V
unknown option -- V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

[andrejtokarcik]

BTW I had to apply the following to make tsh scp work with zsh:

diff --git a/lib/srv/exec.go b/lib/srv/exec.go
index e8cf6232d..a822b0293 100644
--- a/lib/srv/exec.go
+++ b/lib/srv/exec.go
@@ -247,7 +247,7 @@ func (e *localExec) transformSecureCopy() error {
        if err != nil {
                return trace.Wrap(err)
        }
-       e.Command = fmt.Sprintf("%s scp --remote-addr=%s --local-addr=%s %v",
+       e.Command = fmt.Sprintf("%s scp --remote-addr=%q --local-addr=%q %v",
                teleportBin,
                e.Ctx.ServerConn.RemoteAddr().String(),
                e.Ctx.ServerConn.LocalAddr().String(),

The encountered error was:

zsh:1: no matches found: --remote-addr=[::1]:59236

[a-palchikov]

I factored this into a dedicated test - no need to test this for each local testcase.

[a-palchikov]

This differed from OpenSSH's behavior which does not automatically create intermediate directories. If that's a concern, we can revert this change.

[xacrimon]

Adhering to OpenSSH behaviour seems more logical to me. When people type scp they expect it to behave just like scp does when it comes to things like this.

[webvictim]

I agree, we should be as consistent as possible with OpenSSH.

[russjones]

@alex-kovoy Any reason you made this MkdirAll? #2055

[alex-kovoy]

@russjones That was original implementation, it appeared in my PR because I move some code around while working on HTTP transfers. See the original (deleted) scp.go file in that PR.

[russjones]

Hrm, interesting the original commit seems to indicate MkdirAll lines up with OpenSSH behavior: 80df1bb

[a-palchikov]

The original commit that introduced this changes is 2ad2fb4 and it seems to be fixing this problem from #274.
Since the solution caused another issue, it was changed in c6c77a1 but os.MkdirAll remained.

[a-palchikov]

As for the behavior of OpenSSH (7.4p1 from above) and the following source layout:

$ tree foo
foo
├── foo1
└── foo-dir
    └── foo-file

Copying to a non-existing directory (zz, 1 level), renames the source into it (or creates it remotely and copies the contents of the source directory):

$ scp -r ./foo [email protected]:zz
foo1                                                                                     100%    0     0.0KB/s   00:00    
foo-file                                                                                 100%    0     0.0KB/s   00:00

with the resulting remote layout:

# tree zz
zz
├── foo1
└── foo-dir
    └── foo-file

while opening into a directory with an intermediate non-existing directory:

$ scp -r ./foo [email protected]:non-existing/zz
scp: non-existing/zz: No such file or directory

but it works with tsh in 5.2.1.

[russjones]

@xacrimon @andrejtokarcik Can you to re-review?

[xacrimon]

Adhering to OpenSSH behaviour seems more logical to me. When people type scp they expect it to behave just like scp does when it comes to things like this.

[russjones]

Bot.

[russjones]

@a-palchikov Just to clarify, we now match OpenSSH behavior right? I agree, I think that's what users expectation here is.

[a-palchikov]

@a-palchikov Just to clarify, we now match OpenSSH behavior right? I agree, I think that's what users expectation here is.

Yes, w.r.t to copying a directory to a remote path with intermediates that do not exist.