OpenSSH/scp ->> F-Secure SSH server Problems

Andrew Bartlett abartlet at pcug.org.au
Mon Mar 12 19:37:05 EST 2001


SFTP runs as a normal user mode application, but is launched from sshd
rather than by the user.  It runs as the user, as there are no extra
privileges required.  The standard input and output are redirected along
the encrypted stream (as all program input/output is) and processed by
the sftp client program.  

It's called sftp partly because the interaction 'looks' like FTP, and is
suitable for wrapping into a GUI application.  This is where the
similarity begins and ends. 

As to your comments about https, I have actually considered exactly this
possibility - but decided that SSH/sftp is much more secure, is more
accountable, and is already deployed.  (For most setups, a https based
setup would involve either a web-server running as root, or setuid root
cgi-scripts.  Neither was an attractive prospect.)

Finally, sftp didn't have the certification requirements - this just
made things just that little bit easier.

SFTP probably should have been billed as:  SSH security, with FTP
functionality.  

Hope this clarifies things,
Andrew Bartlett

Roeland Meyer wrote:
> 
> Then maybe there is a serious disconnect. sftp was billed, to me, as
> SSH+FTP. Was that wrong?
>  Otherwise, what is the difference between scp and sftp? ... a user
> interface that could probably be better done with a https page?
> 
> > -----Original Message-----
> > From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de]
> > Sent: Sunday, March 11, 2001 3:50 PM
> > To: Roeland Meyer
> > Cc: 'ssh'; 'openssh-unix-dev at mindrot.org'
> > Subject: Re: OpenSSH/scp ->> F-Secure SSH server Problems
> >
> >
> > On Sun, Mar 11, 2001 at 01:37:34PM -0800, Roeland Meyer wrote:
> > > I've been using 1.2.27 (non-com), w/ the 2.0.13 patch, for quite a while
> > > now. It works fine, but I'd really like to have a Win32 version of both. I
> > > haven't gone to OpenSSH because of issues like what we're talking about here
> > > (however, I use OpenSSL quite a bit). I also don't understand the
> > > fascination folks have for FTP. Anything that uses non-deterministic
> > > dynamically reassigned ports is fundamentally insecurable. Full
> > > authentication can only be accomplished when both sides of the connection
> > > are fully deterministic. In short, sftp ain't... FTP must die. If you want
> > > secure files distro, use https. If you want secure file uploads, scp does
> > > the job nicely, or a Java uploader, under https. Getting the SSH/FTP(sftp)
> > > kludge to work only weakens SSH.
> >
> > this does not make sense to me.
> >
> > SFTP is not at all related to FTP.
> >
> > SFTP is not 'fundamentally insecurable'
> >
> > SFTP is as secure as SCP.
> >

-- 
Andrew Bartlett
abartlet at pcug.org.au
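
The arrangement described at the top of this message (an ordinary user-mode server program whose standard input and output carry every request and reply over a single stream, with no second data port as in FTP) can be shown with the SFTP version handshake. This is an added example, not part of the original message and not OpenSSH code. The packet layout follows the SFTP protocol draft; the server path passed on the command line, the size bound and the sample extension name in the test data are assumptions of the example.

```python
import struct
import subprocess
import sys

SSH_FXP_INIT, SSH_FXP_VERSION = 1, 2   # SFTP packet type codes
MAX_PACKET = 256 * 1024                 # sanity bound chosen for this example

def frame(ptype, payload):
    """SFTP framing: uint32 length (type byte + payload), byte type, payload."""
    return struct.pack(">IB", 1 + len(payload), ptype) + payload

def read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise EOFError("stream closed mid-packet")
    return data

def read_packet(stream):
    """Read one framed packet from a blocking byte stream -> (type, payload)."""
    (length,) = struct.unpack(">I", read_exact(stream, 4))
    if not 1 <= length <= MAX_PACKET:
        raise ValueError("implausible packet length %d" % length)
    body = read_exact(stream, length)
    return body[0], body[1:]

def parse_version(payload):
    """SSH_FXP_VERSION payload: uint32 version, then (name, data) string pairs."""
    (version,) = struct.unpack_from(">I", payload, 0)
    off, fields = 4, []
    while off < len(payload):
        (n,) = struct.unpack_from(">I", payload, off)
        if off + 4 + n > len(payload):
            raise ValueError("truncated extension string")
        fields.append(payload[off + 4:off + 4 + n])
        off += 4 + n
    if len(fields) % 2:
        raise ValueError("extension name without data")
    return version, dict(zip(fields[0::2], fields[1::2]))

def handshake(server_path):
    """Start the server as an unprivileged child and negotiate over its pipes."""
    with subprocess.Popen([server_path], stdin=subprocess.PIPE,
                          stdout=subprocess.PIPE) as proc:
        proc.stdin.write(frame(SSH_FXP_INIT, struct.pack(">I", 3)))
        proc.stdin.flush()
        ptype, payload = read_packet(proc.stdout)
    if ptype != SSH_FXP_VERSION:
        raise ValueError("expected SSH_FXP_VERSION, got type %d" % ptype)
    return parse_version(payload)

if __name__ == "__main__" and len(sys.argv) == 2:
    print(handshake(sys.argv[1]))   # path of a locally installed sftp-server
```

Under sshd the same bytes travel inside the encrypted session channel instead of local pipes, so authentication and transport security are those of the SSH connection itself.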




