Tweet
LOL Popcorn.
-
-
I think it's largely due to the a few old vulnerabilities found in recent years https://sintonen.fi/advisories/scp-c...rabilities.txtOriginally posted by Azpegath View PostBy the way, what's wrong with SCP? I thought it was "better" than SFTP, and that the latter was somewhat of an afterthought to FTP, to not make it completely obsolete. But that assumption was based on no knowledge or reading at all
RHEL further pointed out: "there is a very low chance of fixing them in existing RHEL releases where we retain backward compatibility."
Comment
-
From the OpenSSH 8.0 release text file (with my own emphasis added):Originally posted by Tillin9 View Post
Security
========
This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. This release adds client-side checking that the filenames sent from the server match the command-line request, The scp protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like sftp and rsync for file transfer instead.Comment
-
I have never used SCP, is it any good? Do you guys use it? Is it useful?
Also don't be confused with SFTP and FTP. SFTP is SSH File Transfer Protocol and has nothing to do with the FTP protocol, while FTPS is FTP over TLS just like HTTPS is HTTP over TLS.Comment
-
No, SCP launches the SCP binary on the remote end, and then communicates between the two SCP instances with its own protocol, similar to rsync. FISH on the other hand uses regular shell commands.Originally posted by dnebdal View PostComment
-
I have no idea of the protocol is worth keeping. The application is useful. I use SCP for non-interactive and SFTP for interactive copying. The proposed changes sounds logical to me.Originally posted by uid313 View PostComment
-
i like the idea of use flags in gentoo so much that i have to say all gentoo users could disable "sctp" use flag to establish the same.Jakub has written a patch for the SCP tool to use SFTP internally and would allow using the scp tool as-is with existing behavior albeit is actually done via SFTP rather than the SCP protocol.Comment
-
I use scp a fair amount. If it gets removed I am fairly happy to fall back to 'cat' across ssh like the good old days. Fedora will feel a bit retro however.
For larger systems, it is generally best to use rsync via ssh to avoid duplicate copying. Where scp wins a little bit however is for other annoying platforms like Windows.Comment
-
Electronic file transfer is overrated. Sneakernet beats all!Comment
-
We use SCP all the time to move files from developer machines to servers and to move files around between servers. It works and does what it's supposed to do without fuss.Originally posted by uid313 View PostComment
Comment