Is sshd supposed to interpret "{a,b}" brace expansions?

Jakub Jelen jjelen at
Thu Jan 31 00:46:34 AEDT 2019

From what I understand, the brace expansion is not expanded in the
remote scp nor sshd, but in the remote shell (the remote command is run
inside of bash -c "command"). The debug line looks like this:

  Executing: program /usr/bin/ssh host rhel7.virt, user (unspecified),
command scp -v -f /etc/{passwd,group}

But what is actually executed is

  bash -c "scp -v -f /etc/{passwd,group}"

expanding in the remote shell (in the above example bash) to

  scp -v -f /etc/passwd /etc/group

Therefore, for this patch to work the same way, it will also need the
GLOB_BRACE flag to the glob().


On Wed, 2019-01-30 at 12:34 +0100, Peter Simons wrote:
> Hi,
> the proposed fix for CVE-2019-6111 [1] adds file name validation to scp
> to prevent the server from sending files that the client actually did
> not request. Now, a consequence of that patch is that commands which
> contain server-side brace expansions such as
>     $ scp remote:'/etc/{passwd,group}' .
>     error: unexpected filename: passwd
> no longer work. Shell globs such as [abc], ?, *, and combinations
> thereof still work fine, but {a,b} does not.
> Is that a shortcoming of the patch? Or is it intended behavior?
> I looked through various man pages, but I could not find any definite
> statement about whether server-side brace expansions are supposed to
> work or not. Could someone please enlighten me?
> Best regards,
> Peter
> [1]
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
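
Added example, not code from OpenSSH or from this thread: a sketch of why a glob-only filename check rejects names that the remote shell produced by brace expansion, and how expanding the braces before matching accepts them while still refusing unrequested names. It assumes the client matches received names with POSIX fnmatch(); plain_match and brace_match are hypothetical names, and the patterns and filenames are constructed.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Plain glob check: fnmatch() knows *, ? and [..], but '{' is a literal. */
static int plain_match(const char *pattern, const char *name)
{
    return fnmatch(pattern, name, 0) == 0;
}

/* Hypothetical brace-aware check: expand the first {a,b,...} group, recurse,
 * and accept if any expansion matches. Simplified: no backslash escapes; a
 * group without a comma is expanded too; unbalanced braces stay literal. */
static int brace_match(const char *pattern, const char *name)
{
    const char *open = strchr(pattern, '{'), *close = NULL, *alt, *p;
    char buf[1024];
    int depth = 0, n;
    for (p = open; p != NULL && *p != '\0' && close == NULL; p++)
        if (*p == '{')
            depth++;
        else if (*p == '}' && --depth == 0)
            close = p;              /* brace that closes the first group */
    if (close == NULL)
        return plain_match(pattern, name);
    for (alt = p = open + 1, depth = 0; p <= close; p++) {
        if (*p == '{')
            depth++;
        else if (*p == '}' && p != close)
            depth--;
        else if (p == close || (*p == ',' && depth == 0)) {
            /* prefix + one alternative + suffix, then match recursively */
            n = snprintf(buf, sizeof(buf), "%.*s%.*s%s", (int)(open - pattern),
                pattern, (int)(p - alt), alt, close + 1);
            if (n >= 0 && (size_t)n < sizeof(buf) && brace_match(buf, name))
                return 1;
            alt = p + 1;
        }
    }
    return 0;
}

int main(void)
{
    printf("plain=%d brace=%d unrequested=%d\n",
        plain_match("{passwd,group}", "passwd"),
        brace_match("{passwd,group}", "passwd"),
        brace_match("{passwd,group}", "shadow"));
    return 0;
}
```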
