Status of SCP vulnerability
Ben Lindstrom
mouring at offwriting.org
Thu Jan 24 05:35:13 AEDT 2019
I worked on a proposal like this a few years back (including proof of
concept code). I taught sftp to have an scp personality (closer to scp2
than scp), and it was rejected by the higher ups. It may have been the
dual-personality issue, but I know the scp2 concept was also rejected at
the time as it was stated there should be one transfer tool.
But the only way to drag scp into this century is pretty much a scp2
style interface. As mimic all the stupidity of shell escape handling
for wildcard matching while using sftp protocol is asking for brokenness
in strange ways. This is why scp2 was created by SSH Corp.
Ben
Colin Watson wrote on 1/23/19 12:00 PM:
> On Wed, Jan 23, 2019 at 06:29:29PM +0100, Christoph Anton Mitterer wrote:
>> So isn't it possibly to fully fix scp?
> IMO a complete fix should involve converting scp to use the SFTP
> protocol under the hood. PuTTY's pscp takes this approach. I started
> working on a similar patch to OpenSSH some years ago but never got
> around to finishing it.
>
> (Yes, a traditional scp client invokes scp on the server as part of its
> protocol; but it passes special -f or -t options when it does so, so
> that doesn't preclude having scp speak the SFTP protocol when invoked in
> the ordinary way.)
>
More information about the openssh-unix-dev
mailing list