Re: Status of SCP vulnerability


 



I worked on a proposal like this a few years back (including proof of concept code). I taught sftp to have an scp personality (closer to scp2 than scp), and it was rejected by the higher-ups. It may have been the dual-personality issue, but I know the scp2 concept was also rejected at the time as it was stated there should be one transfer tool.

But the only way to drag scp into this century is pretty much an scp2-style interface, as mimicking all the stupidity of shell escape handling for wildcard matching while using the sftp protocol is asking for brokenness in strange ways. This is why scp2 was created by SSH Corp.

Ben


Colin Watson wrote on 1/23/19 12:00 PM:
> On Wed, Jan 23, 2019 at 06:29:29PM +0100, Christoph Anton Mitterer wrote:
>> So isn't it possible to fully fix scp?
> IMO a complete fix should involve converting scp to use the SFTP
> protocol under the hood.  PuTTY's pscp takes this approach.  I started
> working on a similar patch to OpenSSH some years ago but never got
> around to finishing it.
>
> (Yes, a traditional scp client invokes scp on the server as part of its
> protocol; but it passes special -f or -t options when it does so, so
> that doesn't preclude having scp speak the SFTP protocol when invoked in
> the ordinary way.)


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



