Status of SCP vulnerability

Christoph Anton Mitterer calestyo at scientia.net
Thu Jan 24 07:58:51 AEDT 2019


On Wed, 2019-01-23 at 18:00 +0000, Colin Watson wrote:
> IMO a complete fix should involve converting scp to use the SFTP
> protocol under the hood.

I've thought about the same but didn't dare to propose it ;-)


The problem IMO is:
Either such scp would silently fall back to the "old" scp protocol, if
it talks to an "old" server... (in which case the whole thing doesn't
make any sense).

Or compatibility would be broken.

I (personally) wouldn't mind that,... there are too many nice features
one would like to see in scp for long and which are allegedly not
possible because of the protocol... being safe, asking for
confirmation on overwriting, XATTRs, ACLs,...


But whatever it is: most people I know don't like the sftp
interface,... and it shouldn't be assumed that remote servers are
trustworthy (even if they actually are).


Cheers,
Chris.


