1. 58

  2. 11

    This issue came up here a while ago with some follow-up discussion at SCP - Familiar, Simple, Insecure, and Slow.

    1. 7

      I wish the title of the article was not so clickbait-y. What’s being deprecated is the implementation and the protocol used, and not the cli.

      I’d be fine with it as long as the new implementation is entirely backwards compatible, especially with trailing backslashes.

      1. 8

        That isn’t really true though. The proposed patch is a reimplementation of the protocol. However, OpenSSH release announcements have asked people to change to another CLI tool for a while now. You are probably not solving this in a backwards compatible way as that implies the issues outlined in the post.


        1. 1

          > What’s being deprecated is the implementation and the protocol used, and not the cli.

          Except what makes this whole situation a tricky problem is that the protocol and the command-line syntax are (unfortunately) not that easily separable. If they were, the proposed sftp-based reimplementation could be a completely backwards-compatible drop-in replacement, but as the article discusses, it’s not.

        2. 4

          That is good news: sftp is a much better protocol, which by the way has nothing in common with FTP.

          sftp is rather close to 9p, with TLV packets that map read(2), write(2), open(2), stat(2)… calls onto equivalent packets: only a light overhead.

          1. 3

            I can agree with some of that. SFTP is very different from FTP (or FTPS). Scp is a very simple protocol. There are some issues with escaping the filenames. But SFTP is very complex, closer to e.g. NFS than HTTP. It has problems on high latency links. Here are some notes: https://news.ycombinator.com/item?id=25006723

            1. 2

              That got me interested in looking at several of these protocols, so here is some context:

              NFS uses UDP, thus it is harder to encrypt the stream; it uses portmap (like FTP’s PASV command), and is an RPC protocol (needs RPC services and implementation).

              https://tools.ietf.org/html/rfc1057 - https://tools.ietf.org/html/rfc1094

              SCP uses parameters passed to SSH for executing the command, then `/* Fork a child to execute the command on the remote host using ssh. */` using `addargs(&args, "--");`, `addargs(&args, "%s", host);`, `addargs(&args, "%s", cmd);`, then transfers the content between the local program and the remote through this SSH stream.


              SFTP uses a single stream, such as TCP/TLS but usually through SSH and its own wire protocol.

              Eventually, development stalled as some committee members began to view SFTP as a file system protocol, not just a file access or file transfer protocol, which places it beyond the purview of the working group.[3] After a seven-year hiatus, in 2013 an attempt was made to restart work on SFTP using the version 3 draft as the baseline.[4] – https://en.wikipedia.org/wiki/Network_File_System


          2. 3

            Good! I wrote about this in the past: https://rain-1.github.io/use-sftp-not-scp.html (tips for switching to sftp).

            1. 3

              I’m not happy about this. On embedded devices, you usually only have SSH but not SFTP. So then you need to build OpenSSL and enable that service. SCP always works out of the box. It’s silly to claim that SCP is insecure. Duh, you’ve got SSH access. That’s like saying it’s insecure to use the same key to open the trunk of the car and to start the engine.

              1. 4

                What SSHd comes with SCP but not SFTP? I think even Dropbear has SFTP, and OpenSSH comes with a simplistic internal sftp server if the full one is unavailable.

                1. 2

                  https://tinyssh.org/, but it can make use of OpenSSH’s SFTP subsystem with `... tinysshd -x sftp=/usr/libexec/openssh/sftp-server /etc/tinyssh/sshkeydir` (https://tinyssh.org/faq.html)

                  So it does not count.

                  1. 2

                    Dropbear has optional SFTP, but only if you compile OpenSSL yourself and add the library and enable it. Vanilla Dropbear only has SCP.

                  2. 2

                    > It’s silly to claim that SCP is insecure. Duh, you’ve got SSH access.

                    As is explained in the article, it’s context-dependent, because it’s not necessarily the case that “duh, you’ve got ssh access” – in scenarios where a user has been granted scp-only access with the intent of limiting them to simple file-transfer operations, the fact that scp allows arbitrary command injection is actually a pretty gaping vulnerability.

                    1. 2

                      I read the article too. People who give SCP-only access to untrusted third parties and expect it to be secure are making a mistake. That is simply not how SCP is supposed to be used. You have to assume that your SCP users have all the rights of the account whose SSH key SCP logs in with. This is the granularity with which access rights are enforced in the SCP model.

                      1. 1

                        …and yet it happens, and will in all likelihood continue to happen. We can blame users for not understanding all the ramifications of arcane implementation details, but it’s a very easy misunderstanding to fall into – man scp just says “secure file copy” after all, not “secure file copy and command execution”. Humans being what they are, making things hard(er) to misuse is an important side of designing for security.
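
The contrast discussed in this thread, as an added example that is not part of any comment above and is not OpenSSH code: legacy scp hands the remote path to the login shell inside a command string, while an SFTP v3 `SSH_FXP_OPEN` packet (draft-ietf-secsh-filexfer-02) carries it as a length-prefixed string. The function names are hypothetical, `shlex` only approximates POSIX shell word splitting, and the file name is constructed.

```python
import shlex
import struct

SSH_FXP_OPEN = 3            # packet type, SFTP v3 draft
SSH_FXF_READ = 0x00000001   # pflags bit: open for reading


def legacy_scp_remote_command(path):
    """Simplified model: the string legacy scp asks sshd to run remotely.
    The remote login shell parses it, so the path is shell input."""
    return "scp -f " + path


def shell_words(command):
    """Split roughly as a POSIX shell would, keeping operators like ';' separate."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def sftp_open_packet(request_id, path):
    """uint32 length | byte type | uint32 id | string path | uint32 pflags | ATTRS."""
    raw = path.encode("utf-8")
    body = struct.pack(">BI", SSH_FXP_OPEN, request_id)
    body += struct.pack(">I", len(raw)) + raw
    body += struct.pack(">II", SSH_FXF_READ, 0)  # pflags, then empty ATTRS (flags=0)
    return struct.pack(">I", len(body)) + body


def parse_open_path(packet):
    """Server side: recover the path by its declared length, with bounds checks."""
    length, ptype, _request_id = struct.unpack_from(">IBI", packet, 0)
    if ptype != SSH_FXP_OPEN or length != len(packet) - 4:
        raise ValueError("not a well-formed SSH_FXP_OPEN packet")
    (n,) = struct.unpack_from(">I", packet, 9)
    if 13 + n > len(packet):
        raise ValueError("declared path length exceeds packet")
    return packet[13:13 + n].decode("utf-8")


if __name__ == "__main__":
    name = "notes.txt; echo injected"   # constructed file name
    # scp model: the shell sees a second command after ';'
    print(shell_words(legacy_scp_remote_command(name)))
    # SFTP: the same bytes come back as one opaque path
    print(parse_open_path(sftp_open_packet(1, name)))
```

This is why an account meant to be "scp-only" still has to be treated as having shell-level rights, while an SFTP-only subsystem never passes the name through a shell.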