sftp Vs scp
Nico Kadel-Garcia
nkadel at gmail.com
Thu Jan 24 14:33:09 AEDT 2019
On Wed, Jan 23, 2019 at 10:48 AM Chris High <highc at us.ibm.com> wrote:
>
>
> Damien,
> Reading the various articles about
> https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt have
> caused me to question the wisdom of using scp. Your observation:
>
> > Date: Tue, 22 Jan 2019 13:48:34 +1100 (AEDT)
> > From: Damien Miller <djm at mindrot.org>
> > Subject: Re: Status of SCP vulnerability
> >
> > "Don't use scp with untrusted servers."
>
> caught my eye. Do you see any 'advantage' to using sftp with an untrusted
> server? If so, any thoughts about making an easy way to disable scp both
> client and server side when doing an installation?
>
> Why on the server side? To get folks used to -not- using scp.
The semi-chroot nature of sftp helps the server side vulnerabilities,
which could in a bad case be used to rootkit or otherwise put in all
sorts of nasty things that could leave shared data at risk.
More information about the openssh-unix-dev
mailing list