Feature request: Discussion.

Rob McCauley robmccau at RadOnc.Duke.EDU
Tue May 14 02:17:03 EST 2002

I'd say that the best reason not to add it is lack of a compelling reason
*to* add it.  ssh is not http.  I don't see any good reason to make scp or
ssh try to look like http, and I have to agree with Markus Friedl's
assessment that url syntax lacks something in the aesthetics
department.  I'd never use it.

I don't like the idea of supporting a password in the command line at
all.  I can ignore the url syntax, but the thoughts of enabling my users
to create rsh like aliases with plaintext passwords embedded in them would
be unacceptable.  You have to know that given the choice, most would opt
to do that rather than configure public key authentication.

I just received a reply to this same message saying FTP supports passwords
on the command line, so we may as well support it.  I disagree.  FTP
supports lots of evil things.  Let's support the core functionality
securely.  Passwords in the command line is just an invitation for Bad
Things to happen.  There's some enhanced risk, and I see no benefit.


Rob McCauley
Radiation Oncology
Duke University Medical Center

On Mon, 13 May 2002 ewheeler at kaico.com wrote:

> I agree that we shouldn't add the 'ssh://' since we're trying to keep r*
> compatibility, but is there a reason that a 
> '--url ssh://someones:password@somehoston#thisport/some/file' could/should
> not be added?  I suppose --url could simply override the source for the
> scp.  Ideas?

More information about the openssh-unix-dev mailing list