Deprecation of scp protocol and improving sftp client

raf ssh at
Tue Aug 4 09:13:17 AEST 2020

On Mon, Aug 03, 2020 at 05:06:35PM +0000, "Blumenthal, Uri - 0553 - MITLL" <uri at> wrote:

> I hear you - but it seems that the choice is between (a) limiting
> "scp" functionality to address the security vulnerability, and (b)
> killing "scp" altogether.
> I'd much prefer (a), even if it means I lose "scp remotehost:foo\* .". 
> Especially, since (almost always) I have equal privileges on both
> local and remote hosts, so in that case I just originate that "scp"
> from that remote. ;-)

If you have equal privileges on both hosts, this isn't
a vulnerability. It's only a vulnerability in cases
where you have scp access to the remote host but you
are not supposed to have general ssh access (i.e. shell

In such cases, this vulnerability can be mitigated by
the use of an ssh-specific command whitelisting control
such as: (auto learn/unlearn policy, exact cmds, no regex) (manual policy, supports regex)

Disclaimer: I made sshdo so I'm biased. But if you
really think you need regex support and don't mind the
extra effort and the risk, authprogs will solve the
problem too. But I'd recommend reading the sshdo FAQ
before choosing.


More information about the openssh-unix-dev mailing list