On Wed, Jan 23, 2019 at 10:48 AM Chris High <highc@xxxxxxxxxx> wrote: > > > Damien, > Reading the various articles about > https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt have > caused me to question the wisdom of using scp. Your observation: > > > Date: Tue, 22 Jan 2019 13:48:34 +1100 (AEDT) > > From: Damien Miller <djm@xxxxxxxxxxx> > > Subject: Re: Status of SCP vulnerability > > > > "Don't use scp with untrusted servers." > > caught my eye. Do you see any 'advantage' to using sftp with an untrusted > server? If so, any thoughts about making an easy way to disable scp both > client and server side when doing an installation? > > Why on the server side? To get folks used to -not- using scp. The semi-chroot nature of sftp helps the server side vulnerabilities, which could in a bad case be used to rootkit or otherwise put in all sorts of nasty things that could leave shared data at risk. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev