Status of SCP vulnerability

Nico Kadel-Garcia nkadel at gmail.com
Thu Jan 24 17:05:33 AEDT 2019


On Wed, Jan 23, 2019 at 2:18 PM Michael Stone <mstone at cs.loyola.edu> wrote:
>
> On Wed, Jan 23, 2019 at 12:35:13PM -0600, Ben Lindstrom wrote:
> >But the only way to drag scp into this century is pretty much a scp2
> >style interface.
>
> This. The openssh devs have been complaining for almost 20 years that
> people should just use sftp, ignoring the fact that command line users
> hate the interface. If the first 17 years of telling people that the
> new interface is better didn't do it, it's unlikely that they'll be
> convinced this year. (Wow, it doesn't seem like that long until you
> write it out.)
>
> Another alternative is to just use rsync in place of scp, but that does
> still require retraining muscle memory and requires installation of
> additional software.

Or distinct software. As much extra work as it took, I got fond of
using the old "rssh" toolkit, which worked well though it relied on
the maintainer building a chroot cage to run it in effectively. It's
been unmaintained for years, which made me nervous, but included hooks
for putting rsync and other tools in a chroot cage. I know some of our
fearless leaders loathe chroot cages, but if you *have* to run a
service like rsync or scp, it's better than nothing. My chroot
building tools are at https://github.com/nkadel/rssh-chroot-tools, and
rssh is over at http://www.pizzashack.org/rssh/faq.shtml. Neither has
been maintained in years. If someone with more time and expertise
wants to do a security review of rssh as software rather than its
philosophy, I'd really appreciate it.

