💾 Archived View for dioskouroi.xyz › thread › 25002397 captured on 2020-11-07 at 00:53:45.
For all of these reasons, it would be nice to have a version of scp that doesn't suffer from the current command's problems. As it turns out, Jakub Jelen is working on such a thing; it is an scp command that uses the sftp protocol under the hood.
I believe this is the right path to go. If the compatibility or feature parity (e.g. backticks) is a concern, make that feature require options or envvars.
Jonathan Corbet should clarify what he means when he says "the openssh community" considers scp deprecated because it sounds like he's only speaking for himself. It's kind of clickbaity. Although his technical research is stronger than the CVEs he's citing. CVE-2020-15778 is a particularly noisy one since the author likely hadn't considered rssh shell and should have clarified exactly which configuration options he felt were compromised.
dupe:
https://news.ycombinator.com/item?id=25005567
This is concerning. The security problems with the scp protocol are new to me. They definitely seem to justify a deprecation, especially for use cases like "jailed" scp-only user accounts.