Thorsten Glaser
2020-Jul-15 14:46 UTC
Deprecation of scp protocol and improving sftp client
On Wed, 15 Jul 2020, Red Cricket wrote:

> I have had this in my .bashrc for years:
>
> alias scp='rsync -avzP'

Similar, though I named it rcp because nobody has the real rcp installed
any more, but sometimes I need scp to connect to systems that lack rsync.

https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD

> maybe rsync is a better replacement for scp than sftp would be?

It could be, were it not under a restrictive licence…

This doesn't preclude people from making SSH's builtin transfers
better, though.

bye,
//mirabilos
-- 
"MyISAM tables -will- get corrupted eventually. This is a fact of life."
"mysql is about as much database as ms access" – "MSSQL at least descends
from a database" "it's a rebranded SyBase" "MySQL however was born from a
flatfile and went downhill from there" – "at least jetDB doesn't claim to
be a database" (#nosec) ‣‣‣ Please let MySQL and MariaDB finally die!
Ethan Rahn
2020-Jul-31 23:29 UTC
Deprecation of scp protocol and improving sftp client
I wanted to bring this up again due to:
https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
issue with scp which it sounds like cannot be fixed without breaking scp.
This seems like it would lend some impetus to doing _something_, even if it
breaks scp or necessitates using something new.

Cheers,

Ethan

On Wed, Jul 15, 2020 at 7:47 AM Thorsten Glaser <t.glaser at tarent.de> wrote:

> On Wed, 15 Jul 2020, Red Cricket wrote:
>
> > I have had this in my .bashrc for years:
> >
> > alias scp='rsync -avzP'
>
> Similar, though I named it rcp because nobody has the real rcp installed
> any more, but sometimes I need scp to connect to systems that lack rsync.
>
> https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD
>
> > maybe rsync is a better replacement for scp than sftp would be?
>
> It could be, were it not under a restrictive licence…
>
> This doesn't preclude people from making SSH's builtin transfers
> better, though.
>
> bye,
> //mirabilos
> -- 
> "MyISAM tables -will- get corrupted eventually. This is a fact of life."
> "mysql is about as much database as ms access" – "MSSQL at least descends
> from a database" "it's a rebranded SyBase" "MySQL however was born from a
> flatfile and went downhill from there" – "at least jetDB doesn't claim to
> be a database" (#nosec) ‣‣‣ Please let MySQL and MariaDB finally die!
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Blumenthal, Uri - 0553 - MITLL
2020-Aug-01 00:17 UTC
Deprecation of scp protocol and improving sftp client
Why can the local and remote paths be sanitized?

Regards,
Uri

> On Jul 31, 2020, at 19:57, Ethan Rahn <ethan.rahn at gmail.com> wrote:
>
> I wanted to bring this up again due to:
> https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
> issue with scp which it sounds like cannot be fixed without breaking scp.
> This seems like it would lend some impetus to doing _something_, even if it
> breaks scp or necessitates using something new.
>
> Cheers,
>
> Ethan
>
>> On Wed, Jul 15, 2020 at 7:47 AM Thorsten Glaser <t.glaser at tarent.de> wrote:
>>
>>> On Wed, 15 Jul 2020, Red Cricket wrote:
>>>
>>> I have had this in my .bashrc for years:
>>>
>>> alias scp='rsync -avzP'
>>
>> Similar, though I named it rcp because nobody has the real rcp installed
>> any more, but sometimes I need scp to connect to systems that lack rsync.
>>
>> https://evolvis.org/plugins/scmgit/cgi-bin/gitweb.cgi?p=shellsnippets/shellsnippets.git;a=blob;f=mksh/rcp;hb=HEAD
>>
>>> maybe rsync is a better replacement for scp than sftp would be?
>>
>> It could be, were it not under a restrictive licence…
>>
>> This doesn't preclude people from making SSH's builtin transfers
>> better, though.
>>
>> bye,
>> //mirabilos
>> -- 
>> "MyISAM tables -will- get corrupted eventually. This is a fact of life."
>> "mysql is about as much database as ms access" – "MSSQL at least descends
>> from a database" "it's a rebranded SyBase" "MySQL however was born from a
>> flatfile and went downhill from there" – "at least jetDB doesn't claim to
>> be a database" (#nosec) ‣‣‣ Please let MySQL and MariaDB finally die!
raf
Deprecation of scp protocol and improving sftp client
On Fri, Jul 31, 2020 at 04:29:13PM -0700, Ethan Rahn <ethan.rahn at gmail.com> wrote:

> I wanted to bring this up again due to:
> https://github.com/cpandya2909/CVE-2020-15778/. This showcases a clear
> issue with scp which it sounds like cannot be fixed without breaking scp.
> This seems like it would lend some impetus to doing _something_, even if it
> breaks scp or necessitates using something new.
>
> Cheers,
> Ethan

Surely, executing the scp -t command without using the shell would fix
this without breaking any legitimate usage. And it would be much easier
and more effective than sanitising the path. Paths can contain almost
any byte.

Mind you, it wouldn't stop the legitimate user from just logging in and
performing the same actions manually. But it would help in cases where
users can scp but not ssh to a host.

cheers,
raf
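The two positions in the thread, sanitising the path (Uri) versus executing the remote `scp -t` command as an argv vector with no shell in between (raf), can be compared in a few lines. The following is an added example written for this archive; it is not code from the thread, from OpenSSH or from the linked repository. It assumes a Python child process as a stand-in for the remote side receiving the command, so that the whole thing runs locally and offline; the sample paths are constructed, and `needs_quoting` is a hypothetical detection helper, not a complete list of everything every shell treats specially.

```python
"""Path sanitising vs. exec-without-shell for a remote `scp -t <path>` command.

Added example for the mailing-list thread above; not code from OpenSSH.
"""
import re
import shlex
import subprocess
import sys

# Constructed sample remote paths. The last two contain characters a POSIX
# shell would interpret if the path were spliced into a command string.
SAMPLE_PATHS = [
    "backup/2020-07-31.tar.gz",
    "My Documents/report.txt",
    "logs/$(hostname).log",
    "notes;`id`.txt",
]

# Characters a POSIX shell treats specially outside quotes (hypothetical
# helper: good for logging/detection, not a substitute for avoiding the shell).
_SHELL_META = re.compile(r"""[\s|&;<>()$`\\"'*?\[\]#~=%!{}]""")


def needs_quoting(path):
    """Detection helper: True if the path contains any shell metacharacter."""
    return _SHELL_META.search(path) is not None


def legacy_shell_command(path):
    """A remote command line built by string interpolation.  A remote login
    shell parses this, so metacharacters in `path` are interpreted (unsafe)."""
    return "scp -t " + path


def quoted_shell_command(path):
    """The 'sanitise' approach: shell-quote the path.  Correct for a POSIX sh,
    but it still relies on the remote shell honouring exactly these quoting
    rules, and a path may hold almost any byte, as raf notes."""
    return "scp -t " + shlex.quote(path)


def argv_for_scp_t(path):
    """raf's approach: pass the command as an argv vector with no shell.
    The path is one argument, whatever bytes it contains."""
    return ["scp", "-t", path]


def child_sees(path):
    """Stand-in for the remote side executing argv directly.  Hands `path`
    to a child process as a single argument (no shell involved) and returns
    exactly what that child received.  Uses the Python interpreter as the
    child so the demonstration does not depend on any other binary."""
    argv = [sys.executable, "-c",
            "import sys; sys.stdout.write(sys.argv[1])", path]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print("path:           ", repr(p))
        print("  metacharacters:", needs_quoting(p))
        print("  interpolated:  ", legacy_shell_command(p))
        print("  shell-quoted:  ", quoted_shell_command(p))
        print("  argv:          ", argv_for_scp_t(p))
        print("  child received:", repr(child_sees(p)))
```

Running it shows the point of raf's post: with the argv form the child receives `notes;`id`.txt` byte for byte, because no shell ever parses it, whereas the interpolated string `scp -t notes;`id`.txt` is only safe if someone remembers to quote it correctly for whatever shell the remote user happens to have.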