On Thu, 2019-01-24 at 12:27 -0600, Ben Lindstrom wrote:
> I know it isn't a "UI replacement" but it at least provides a more
> complete UI for phasing people off of scp.

I don't think this is an ideal solution...

OpenSSH should be "overall" secure (that's what it's meant for), and especially not be a collection of tools/algos/etc. of which some(!) are safe to use and others not (with the user having to know which).

This is why upstream took the wise decision to eventually drop things like SSHv1 support and remove others (questionable algos) from being used by default.

So with respect to scp (the tool) I see only the following reasonable ways:
- make it securely usable with the SCP protocol (and IMO this should mean the general assumption that a remote server might be hostile)
- let it use another protocol with which it can be made secure, at the same time disabling the "accidental" use of an unsafe SCP protocol, e.g. by moving all that in another client tool like not-so-scp ;-) or by having a switch like --use-legacy-not-so-secure-scp-protocol (names are subject to debate :D)
- tossing scp altogether

(of course, one could still try to fix the legacy SCP protocol as much as possible)

Since it (scp) is used in probably millions of places in scripts and by users completely unaware of these issues, there should be really a hard break if it cannot be secured, cause these people assume it's secure.
Therefore I think it's not enough to just provide a more convenient command line interface to sftp (as scp would be still there with issues) - and yes, I personally would really hate having to write that more character ;-)

If it's possible to just use SFTP behind scp, great, maybe that even allows for more features to come up in the future.

Cheers,
Chris.

I agree, if it can't be secured, it should be dropped completely.

On Fri, Jan 25, 2019 at 12:31 AM Christoph Anton Mitterer <calestyo at scientia.net> wrote:
>
> On Thu, 2019-01-24 at 12:27 -0600, Ben Lindstrom wrote:
> > I know it isn't a "UI replacement" but it at least provides a more
> > complete UI for phasing people off of scp.
>
> I don't think this is an ideal solution...
>
> OpenSSH should be "overall" secure (that's what it's meant for), and
> especially not be a collection of tools/algos/etc. of which some(!) are
> safe to use and others not (with the user having to know which).
>
> This is why upstream took the wise decision to eventually drop things
> like SSHv1 support and remove others (questionable algos) from being
> used by default.
>
>
> So with respect to scp (the tool) I see only the following reasonable
> ways:
> - make it securely usable with the SCP protocol (and IMO this should
>   mean the general assumption that a remote server might be hostile)
> - let it use another protocol with which it can be made secure, at the
>   same time disabling the "accidental" use of an unsafe SCP protocol,
>   e.g. by moving all that in another client tool like not-so-scp ;-) or
>   by having a switch like --use-legacy-not-so-secure-scp-protocol
>   (names are subject to debate :D)
> - tossing scp altogether
>
> (of course, one could still try to fix the legacy SCP protocol as much
> as possible)
>
>
> Since it (scp) is used in probably millions of places in scripts and by
> users completely unaware of these issues, there should be really a
> hard break if it cannot be secured, cause these people assume it's
> secure.
> Therefore I think it's not enough to just provide a more convenient
> command line interface to sftp (as scp would be still there with
> issues) - and yes, I personally would really hate having to write that
> more character ;-)
>
>
> If it's possible to just use SFTP behind scp, great, maybe that even
> allows for more features to come up in the future.
>
>
> Cheers,
> Chris.
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Christoph Anton Mitterer wrote on 1/24/19 3:23 PM:
> On Thu, 2019-01-24 at 12:27 -0600, Ben Lindstrom wrote:
>> I know it isn't a "UI replacement" but it at least provides a more
>> complete UI for phasing people off of scp.
> I don't think this is an ideal solution...
>
> OpenSSH should be "overall" secure (that's what it's meant for), and
> especially not be a collection of tools/algos/etc. of which some(!) are
> safe to use and others not (with the user having to know which).

Not sure what you're arguing against as your comments below this pretty much reinforce what I'm stating. Which is:

Scp should die, and we should add "sftp -U [file/path] host" feature as our recommended replacement.

As no amount of work will fix scp completely. And every other solution makes it worse and more complex.

Ben

On Thu, 24 Jan 2019, Ben Lindstrom wrote:
> Christoph Anton Mitterer wrote on 1/24/19 3:23 PM:
>> On Thu, 2019-01-24 at 12:27 -0600, Ben Lindstrom wrote:
>>> I know it isn't a "UI replacement" but it at least provides a more
>>> complete UI for phasing people off of scp.
>> I don't think this is an ideal solution...
>>
>> OpenSSH should be "overall" secure (that's what it's meant for), and
>> especially not be a collection of tools/algos/etc. of which some(!) are
>> safe to use and others not (with the user having to know which).
>
> Not sure what you're arguing against as your comments below this pretty
> much reinforce what I'm stating. Which is:
>
> Scp should die, and we should add "sftp -U [file/path] host" feature as
> our recommended replacement.

Breaking all the tools that use scp is a very bad idea. If sftp -U can be functionally the same as scp (from the user's point of view), then scp can be made to continue to work, doing a sftp -U under the covers.

Otherwise you will end up with people adding back in a broken scp to make their tools work.

David Lang

On Thu, 2019-01-24 at 15:38 -0600, Ben Lindstrom wrote:
> Scp should die, and we should add "sftp -U [file/path] host" feature as
> our recommended replacement.

It wasn't clear to me from your mail, that if scp cannot be made secure (by whichever means) it would really have to go, so that it's not accidentally used.

At the same time, I think one cannot afford to let scp go and just replace it by new sftp command line UI.

So my main points were:
- make it somehow safe (and only if this cannot be done at all, make a hard break)
- if it's necessary to keep something speaking "legacy" SCP protocol, make 100% sure it's not accidentally used

Cheers :-)

On 2019/01/24 15:38, Ben Lindstrom wrote:
>
>
> Christoph Anton Mitterer wrote on 1/24/19 3:23 PM:
> > On Thu, 2019-01-24 at 12:27 -0600, Ben Lindstrom wrote:
> > > I know it isn't a "UI replacement" but it at least provides a more
> > > complete UI for phasing people off of scp.
> > I don't think this is an ideal solution...
> >
> > OpenSSH should be "overall" secure (that's what it's meant for), and
> > especially not be a collection of tools/algos/etc. of which some(!) are
> > safe to use and others not (with the user having to know which).
>
> Not sure what you're arguing against as your comments below this pretty much
> reinforce what I'm stating. Which is:
>
> Scp should die, and we should add "sftp -U [file/path] host" feature as our
> recommended replacement.
>
> As no amount of work will fix scp completely. And every other solution
> makes it worse and more complex.

If you do that, users will just leave the old scp binary lying around so that muscle memory and scripts still work. It wouldn't be a big surprise if some distributions re-added it in a patchset, even.