Status of SCP vulnerability

Colin Watson cjwatson at
Thu Jan 24 05:00:09 AEDT 2019

On Wed, Jan 23, 2019 at 06:29:29PM +0100, Christoph Anton Mitterer wrote:
> So isn't it possible to fully fix scp?

IMO a complete fix should involve converting scp to use the SFTP
protocol under the hood.  PuTTY's pscp takes this approach.  I started
working on a similar patch to OpenSSH some years ago but never got
around to finishing it.

(Yes, a traditional scp client invokes scp on the server as part of its
protocol; but it passes special -f or -t options when it does so, so
that doesn't preclude having scp speak the SFTP protocol when invoked in
the ordinary way.)

Colin Watson                                       [cjwatson at]

More information about the openssh-unix-dev mailing list