Re: sftp Vs scp

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Wed, Jan 23, 2019 at 10:48 AM Chris High <highc@xxxxxxxxxx> wrote:
>
>
> Damien,
>   Reading the various articles about
> https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt have
> caused me to question the wisdom of using scp.  Your observation:
>
> > Date: Tue, 22 Jan 2019 13:48:34 +1100 (AEDT)
> > From: Damien Miller <djm@xxxxxxxxxxx>
> > Subject: Re: Status of SCP vulnerability
> >
> >   "Don't use scp with untrusted servers."
>
> caught my eye.  Do you see any 'advantage' to using sftp with an untrusted
> server?  If so, any thoughts about making an easy way to disable scp both
> client and server side when doing an installation?
>
> Why on the server side?  To get folks used to -not- using scp.

The semi-chroot nature of sftp helps the server side vulnerabilities,
which could in a bad case be used to rootkit or otherwise put in all
sorts of nasty things that could leave shared data at risk.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux