Re: Deprecation of scp protocol and improving sftp client

I conjecture that only few of the existing use cases rely on remote expansion. 

In any case (no pun intended), IMHO it would be better to break a few of the current use cases but leave the majority functional - than kill scp for all. 

Regards,
Uri

> On Aug 3, 2020, at 02:50, Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
> 
> On Sat, 2020-08-01 at 00:17 +0000, Blumenthal, Uri - 0553 - MITLL wrote:
>> Why can the local and remote paths be sanitized?
> 
> Because remote path is *expected* to be expanded by remote shell before
> executing remote scp. If you sanitize it in any way, you will break
> existing use cases.
> 
>> Regards,
>> Uri
>> 
>>>> On Jul 31, 2020, at 19:57, Ethan Rahn <ethan.rahn@xxxxxxxxx> wrote:
>>> 
>>> I wanted to bring this up again due to:
>>> https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
>>> issue with scp which it sounds like cannot be fixed without breaking scp.
>>> This seems like it would lend some impetus to doing _something_, even if it
>>> breaks scp or necessitates using something new.
>>> 
>>> Cheers,
>>> 
>>> Ethan
>>> 
>>>> On Wed, Jul 15, 2020 at 7:47 AM Thorsten Glaser <t.glaser@xxxxxxxxx> wrote:
>>>> 
>>>>> On Wed, 15 Jul 2020, Red Cricket wrote:
>>>>> 
>>>>> I have had this in my .bashrc for years:
>>>>> 
>>>>> alias scp='rsync -avzP'
>>>> 
>>>> Similar, though I named it rcp because nobody has the real rcp installed
>>>> any more, but sometimes I need scp to connect to systems that lack rsync.
>>>> 
>>>> 
>>>> https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD
>>>> 
>>>>> maybe rsync is a better replacement for scp than sftp would be?
>>>> 
>>>> It could be, were it not under a restrictive licence…
>>>> 
>>>> 
>>>> This doesn’t preclude people from making SSH’s builtin transfers better, though.
>>>> 
>>>> bye,
>>>> //mirabilos
>>>> --
>>>> «MyISAM tables -will- get corrupted eventually. This is a fact of life. »
>>>> “mysql is about as much database as ms access” – “MSSQL at least descends
>>>> from a database” “it's a rebranded SyBase” “MySQL however was born from a
>>>> flatfile and went downhill from there” – “at least jetDB doesn’t claim to
>>>> be a database”  (#nosec)    ‣‣‣ Please let MySQL and MariaDB finally die!
>>>> _______________________________________________
>>>> openssh-unix-dev mailing list
>>>> openssh-unix-dev@xxxxxxxxxxx
>>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>> 
> -- 
> Jakub Jelen
> Senior Software Engineer
> Security Technologies
> Red Hat, Inc.
> 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
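
One way to measure how many existing scp uses depend on the remote shell interpreting the path, as the message above conjectures. This is an added example, not code from the thread or from OpenSSH; the function names, the three categories and the sample command lines are assumptions constructed for illustration.

```python
import re
import shlex

# Remote-shell interpretation a literal path would lose: globs, braces,
# quoting, whitespace splitting, leading tilde, variable references.
EXPANSION = re.compile(r"""[*?\[\]{}\s'"\\]|^~|\$[A-Za-z_{]""")
# Constructs that make the remote shell do more than resolve a path.
COMMAND = re.compile(r"`|\$\(|[;&|<>\n]")
# scp treats an operand as remote when a colon appears before any slash.
REMOTE = re.compile(r"^[^/:]+:(.*)$", re.S)
OPTS_WITH_ARG = "cFiJloPS"  # scp options that consume the next word

def remote_operands(cmdline):
    """Return the path part of each [user@]host:path operand of an scp call."""
    argv = shlex.split(cmdline)  # undo local quoting, as the local shell would
    if not argv or argv[0] != "scp":
        return []
    paths, skip = [], False
    for arg in argv[1:]:
        if skip:                      # value of the preceding option
            skip = False
        elif arg.startswith("-"):     # bundled forms like -rP are not handled
            skip = len(arg) == 2 and arg[1] in OPTS_WITH_ARG
        elif not arg.startswith("scp://"):
            m = REMOTE.match(arg)
            if m:
                paths.append(m.group(1))
    return paths

def classify(path):
    """literal: survives sanitizing; expansion: breaks; command: runs code."""
    if COMMAND.search(path):
        return "command"
    return "expansion" if EXPANSION.search(path) else "literal"

def survey(cmdlines):
    counts = {"literal": 0, "expansion": 0, "command": 0}
    for line in cmdlines:
        for path in remote_operands(line):
            counts[classify(path)] += 1
    return counts

# Constructed sample, e.g. lines pulled from scripts or shell history.
SAMPLE = [
    "scp -P 2222 report.pdf alice@files.example.org:/srv/incoming/report.pdf",
    "scp 'backup.example.org:/var/log/app/*.log' ./logs/",
    "scp -i ~/.ssh/id_ed25519 build.tar.gz deploy@ci.example.org:~/releases/",
    "scp notes.txt 'host.example.org:/tmp/$(date +%F)-notes.txt'",
    "scp -r ./site web.example.org:/var/www/site",
    "rsync -avzP ./site web.example.org:/var/www/site",
]
```

Running `survey` over real scripts gives the split between operands that would keep working if the remote path were treated literally and those that would break.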
