Status of SCP vulnerability

Stuart Henderson stu at
Thu Jan 24 07:43:42 AEDT 2019

On 2019/01/23 14:13, Michael Stone wrote:
> On Wed, Jan 23, 2019 at 12:35:13PM -0600, Ben Lindstrom wrote:
> > But the only way to drag scp into this century is pretty much a scp2
> > style interface.
> This. The openssh devs have been complaining for almost 20 years that people
> should just use sftp, ignoring the fact that command line users hate the
> interface. If the first 17 years of telling people that the new interface is
> better didn't do it, it's unlikely that they'll be convinced this year.

remote->local copies in many common cases work just fine with s/scp/sftp.

local->remote not so much - allowing "sftp localfile host:/path/" would go
a long way towards making it easier for command line users to switch.

More information about the openssh-unix-dev mailing list