OpenSSH/scp ->> F-Secure SSH server Problems

Damien Miller djm at mindrot.org
Mon Mar 12 15:06:18 EST 2001


On Sun, 11 Mar 2001, Greg A. Woods wrote:

> I know that the "rcp" protocol is rather old and rather poorly
> documented (outside the source and the various books that have
> covered it in more detail, such as those of the late Mr. Stevens).
> I don't quite understand what limitations it might have had
> w.r.t. SSH though.

rcp/scp also have security problems that are difficult to fix. e.g.

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Ffromthread%3D1%26list%3D1%26end%3D2001-03-17%26mid%3D136480%26threads%3D0%26start%3D2001-03-11%26

> It would appear that the sftp stuff is finally documented in the new
> IETF secsh draft-ietf-secsh-filexfer-00.txt, published on or about
> Jan 9.
>
> My guess is this is just an excuse to use the "built-in subsystem"
> feature bloat in the secsh protocol.

Subsystems aren't "feature bloat", they are very lightweight (almost
free) and are a much more robust way of executing standard services
over an ssh transport than executing programs which may or may not be
in the server's $PATH.

There is nothing stopping anyone from implementing a scp-like tool
which uses the sftp protocol. All the back-end is there in OpenSSH
(except directory recursion), someone just needs to do the UI.

-d

-- 
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
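
Added example, not part of the original message and not OpenSSH code: the two channel requests contrasted in the reply above, encoded per the SSH connection protocol (RFC 4254), with a simplified model of how a server treats each. The function names, the `SUBSYSTEMS` table, its path and the sample requests are assumptions constructed for illustration.

```python
import struct

SSH_MSG_CHANNEL_REQUEST = 98  # message number in the SSH connection protocol (RFC 4254)

def ssh_string(data: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length, then the raw bytes."""
    return struct.pack(">I", len(data)) + data

def channel_request(channel: int, req_type: str, arg: str, want_reply: bool = True) -> bytes:
    """Encode an 'exec' or 'subsystem' channel request payload."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + ssh_string(req_type.encode()) + bytes([int(want_reply)])
            + ssh_string(arg.encode()))

def read_string(buf: bytes, off: int):
    """Decode one SSH string at off; reject lengths that overrun the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string overruns packet")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_channel_request(msg: bytes):
    """Return (channel, request type, argument) from an encoded request."""
    if len(msg) < 5 or msg[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a channel request")
    (channel,) = struct.unpack_from(">I", msg, 1)
    req_type, off = read_string(msg, 5)
    arg, _ = read_string(msg, off + 1)  # off + 1 skips the want_reply boolean
    return channel, req_type.decode(), arg.decode()

# Hypothetical server-side table; the path is a constructed sample value.
SUBSYSTEMS = {"sftp": "/usr/libexec/sftp-server"}

def server_dispatch(msg: bytes, subsystems=SUBSYSTEMS):
    """Simplified model of how a server acts on the two request types."""
    _, req_type, arg = parse_channel_request(msg)
    if req_type == "subsystem":
        # Client sends only a name; the server's own configuration picks the program.
        path = subsystems.get(arg)
        return ("run", path) if path else ("failure", None)
    if req_type == "exec":
        return ("shell", arg)  # command string goes to the user's shell, found via $PATH
    return ("failure", None)

# Constructed sample requests: scp's remote side versus the sftp subsystem.
SCP_REQUEST = channel_request(0, "exec", "scp -t /tmp/upload")
SFTP_REQUEST = channel_request(0, "subsystem", "sftp")
```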





