On Mon, Aug 03, 2020 at 08:34:04PM +0200, Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx> wrote: > On Mon, 2020-08-03 at 19:17 +0200, Thorsten Glaser wrote: > > That would be the same as killing scp… > > Better that... than having an inherently insecure scp... or at least > make it absolutely clear and rename it to i[nsecure]scp. But it's not inherently insecure. For most cases, or at least for the default case, where the users of scp are also allowed to use ssh, this is not a vulnerability. It only becomes insecure when general ssh access is not allowed but scp access is. > If the core functionality of a program (which is here probably the > "secure") is no longer given, then it's IMO better to rather cause > breakage (at least for old clients), than to keep going. The core functionality is the encrypted transfer of files. That is still there. > Cheers, > Chris. cheers, raf _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
