On 8/5/20 1:23 AM, Ethan Rahn wrote:
> It seems that there are a few camps here:
> * The scp power users - this camp believes that scp supporting backtick notation is fine and that running arbitrary commands is a perfectly fine thing to do.
> * The restricted shell users - this camp believes that scp supporting backtick may not be the best, and there are various restricted shells which can prevent this. Power users may belong to this camp.
> * The novice users - this camp is surprised to find that scp can be used to run commands. Once they understand that the server runs "scp -t" it makes a little more sense.
Sorry to come into this late but there is a very large camp that simply doesn't care. They use scp because they have to in order to transfer files due to requirements placed on them by admins. They aren't concerned about security nearly as much as they just want to get their files from A to B so they can do their work. For these people scp is the default because that's what all the instructions and examples are based on. It's a big part of the reason why I developed hpn-ssh. We couldn't get the users to change their behaviour and they kept complaining about slow transfers.
In short - for a whole lot of users scp is just a component of their workflow. They don't really think about it unless it's causing problems.
So I'm all for getting rid of scp as long as you can get sftp to work in exactly the same way. Then you just replace scp with a symlink to sftp. Which is far easier said than done.