sftp Vs scp

Yegor Ievlev koops1997 at gmail.com
Fri Jan 25 08:31:23 AEDT 2019


I agree, if it can't be secured, it should be dropped completely.

On Fri, Jan 25, 2019 at 12:31 AM Christoph Anton Mitterer
<calestyo at scientia.net> wrote:
>
> On Thu, 2019-01-24 at 12:27 -0600, Ben Lindstrom wrote:
> > I know it isn't a "UI replacement" but it at least provides a more
> > complete UI for phasing people off of scp.
>
> I don't think this is an ideal solution...
>
> OpenSSH should be "overall" secure (that's what it's meant for), and
> especially not be a collection of tools/algos/etc. of which some(!) are
> safe to use and others not (with the user having to know which).
>
> This is, why upstream took the wise decision to eventually drop things
> like SSHv1 support and remove others (questionable algos) from being
> used by default.
>
>
> So with respect to scp (the tool) I see only the following reasonable
> ways:
> - make it securely usable with the SCP protocol (and IMO this should
>   mean the general assumption that a remote server might be hostile)
> - let it use another protocol with which it can be made secure, at the
>   same time disabling the "accidental" use of an unsafe SCP protocol,
>   e.g. by moving all that in another client tool like not-so-scp ;-) or
>   by having a switch like --use-legacy-not-so-secure-scp-protocol
>   (names are subject to debate :D)
> - tossing scp altogether
>
> (of course, one could still try to fix the legacy SCP protocol as much
> as possible)
>
>
> Since it (scp) is used in probably millions of places in scripts and by
> users completely unaware of these issues, there should be really a
> hard break if it cannot be secured, cause these people assume it's
> secure.
> Therefore I think it's not enough to just provide a more convenient
> command line interface to sftp (as scp would be still there with
> issues) … and yes, I personally would really hate having to write that
> more character ;-)
>
>
> If it's possible to just use SFTP behind scp,… great,… maybe that even
> allows for more features to come up in the future.
>
>
> Cheers,
> Chris.