On Tue, 3 Nov 2020 at 12:20, Tom Horsley <horsley1953@gmail.com> wrote:

On Mon, 2 Nov 2020 15:44:39 +0100
Jakub Jelen wrote:

> Do you have something against this?

I use the scp command all the time, if the command is still there
I don't care if it does something different under the hood.
I suppose I could always use rsync instead of the command
disappeared.

I doubt most people will notice the difference [until some scp

download installs malware]. 

 

PuTTy (Windows) scp has been using sftp when the remote 

server supports it for a couple of years.   In my field, many users 

(due to enterprise desktop standards) get Windows workstations 

Linux HPC does the heavy lifting, so pscp is often used to download 

artifacts.    

https://www.ssh.com/ssh/putty/putty-manuals/0.68/Chapter5.html

This is due to a fundamental insecurity in the old-style SCP protocol: the client sends the wildcard string (*.c) to the server, and the server sends back a sequence of file names that match the wildcard pattern. However, there is nothing to stop the server sending back a different pattern and writing over one of your other files: if you request *.c, the server might send back the file name AUTOEXEC.BAT and install a virus for you. Since the wildcard matching rules are decided by the server, the client cannot reliably verify that the filenames sent back match the pattern.

PSCP will attempt to use the newer SFTP protocol (part of SSH-2) where possible, which does not suffer from this security flaw. If you are talking to an SSH-2 server which supports SFTP, you will never see this warning. (You can force use of the SFTP protocol, if available, with -sftp - see section 5.2.2.6.)

--

George N. White III