sftp Vs scp

Nico Kadel-Garcia nkadel at gmail.com
Thu Jan 24 14:33:09 AEDT 2019


On Wed, Jan 23, 2019 at 10:48 AM Chris High <highc at us.ibm.com> wrote:
>
>
> Damien,
>   Reading the various articles about
> https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt have
> caused me to question the wisdom of using scp.  Your observation:
>
> > Date: Tue, 22 Jan 2019 13:48:34 +1100 (AEDT)
> > From: Damien Miller <djm at mindrot.org>
> > Subject: Re: Status of SCP vulnerability
> >
> >   "Don't use scp with untrusted servers."
>
> caught my eye.  Do you see any 'advantage' to using sftp with an untrusted
> server?  If so, any thoughts about making an easy way to disable scp both
> client and server side when doing an installation?
>
> Why on the server side?  To get folks used to -not- using scp.

The semi-chroot nature of sftp helps the server side vulnerabilities,
which could in a bad case be used to rootkit or otherwise put in all
sorts of nasty things that could leave shared data at risk.


More information about the openssh-unix-dev mailing list