I agree, if it can't be secured, it should be dropped completely.

On Fri, Jan 25, 2019 at 12:31 AM Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx> wrote:
>
> On Thu, 2019-01-24 at 12:27 -0600, Ben Lindstrom wrote:
> > I know it isn't a "UI replacement" but it at least provides a more
> > complete UI for phasing people off of scp.
>
> I don't think this is an ideal solution...
>
> OpenSSH should be "overall" secure (that's what it's meant for), and
> especially not be a collection of tools/algos/etc. of which some(!) are
> safe to use and others not (with the user having to know which).
>
> This is why upstream took the wise decision to eventually drop things
> like SSHv1 support and remove others (questionable algos) from being
> used by default.
>
>
> So with respect to scp (the tool) I see only the following reasonable
> ways:
> - make it securely usable with the SCP protocol (and IMO this should
>   mean the general assumption that a remote server might be hostile)
> - let it use another protocol with which it can be made secure, at the
>   same time disabling the "accidental" use of an unsafe SCP protocol,
>   e.g. by moving all that in another client tool like not-so-scp ;-) or
>   by having a switch like --use-legacy-not-so-secure-scp-protocol
>   (names are subject to debate :D)
> - tossing scp altogether
>
> (of course, one could still try to fix the legacy SCP protocol as much
> as possible)
>
>
> Since it (scp) is used in probably millions of places in scripts and by
> users completely unaware of these issues, there should be really a
> hard break if it cannot be secured, cause these people assume it's
> secure.
> Therefore I think it's not enough to just provide a more convenient
> command line interface to sftp (as scp would be still there with
> issues) … and yes, I personally would really hate having to write that
> more character ;-)
>
>
> If it's possible to just use SFTP behind scp,… great,… maybe that even
> allows for more features to come up in the future.
>
>
> Cheers,
> Chris.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev