Why are the 'scp' commands that developers are accustomed to 'obsolete, inflexible and not immediately fixable'?



The 'scp' command, which lets you exchange files with remote servers, has been popular in system administration and software development for many years, but the latest version of the open source SSH implementation 'OpenSSH' says it should be avoided. Linux developer Jonathan Corbet explains why scp, which makes it easy to move files between servers, has been deprecated.

Deprecating scp [LWN.net]
https://lwn.net/SubscriberLink/835962/ae41b27bc20699ad/

scp is a command that can send and receive files and directories to and from a remote server using the SSH protocol, and it works much like the 'cp' command used for copying data locally. Although it looks like a secure command because the data is encrypted, many vulnerabilities have been found in scp in recent years, and 'it may not be secure at all in some situations,' Corbet points out.

For example, with the vulnerability 'CVE-2019-6111', fixed in OpenSSH 8.0, a malicious server could overwrite a file on the client, contrary to the intention of the scp command the client executed. In addition, the vulnerability 'CVE-2020-15778' made it possible to execute commands on the server side by taking advantage of the fact that scp does not verify the copy destination file name.



There is also the view that 'a server that accepts scp can also be operated over an SSH connection, so there is no problem even if commands can be executed', but Corbet says that this is a problem for servers that want to allow only scp. The design of scp is so old that it is difficult to add new security features or modify the program, and OpenSSH has described scp as an 'obsolete, inflexible and not immediately fixable' protocol.

The recommended alternatives to the outdated scp are the 'sftp' and 'rsync' commands. In particular, the sftp command is included in the OpenSSH package and can be used without any additional packages. However, mastering sftp requires knowledge of FTP's interactive mode, and it cannot be used in the same way as scp. rsync is also said to be less convenient than scp. How deeply scp's usability is ingrained in developers also hinders the transition to new commands, Corbet said.
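Since scp itself does not verify the destination name, a script that builds transfer commands from variable input can do the check first and hand the result to sftp. The following shell functions are an added example, not code from the article or from OpenSSH; the function names and the allowlist policy are assumptions for illustration.

```shell
#!/bin/sh
# Added example: allowlist check for a transfer destination path.
# Function names and the character policy are assumptions, not OpenSSH code.
LC_ALL=C
export LC_ALL

# Return 0 only if the path is non-empty, does not start with '-'
# (which could be read as an option) and contains nothing outside
# [A-Za-z0-9._/-]. Backticks, $, ;, |, &, quotes, spaces and newlines
# are therefore all rejected.
is_safe_remote_path() {
    case $1 in
        '' | -*) return 1 ;;
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# Print one sftp batch-mode "put" line, or fail without printing anything.
# The local path is held to the same policy so no quoting is needed.
sftp_put_line() {
    is_safe_remote_path "$1" || return 1
    is_safe_remote_path "$2" || return 1
    printf 'put %s %s\n' "$1" "$2"
}

# Constructed sample destinations: two ordinary paths and five that the
# check must refuse. Prints the number of rejected samples.
check_samples() {
    rejected=0
    for dest in 'backup/db.sql' '/srv/www/index.html' \
                'name`x' 'a;b' 'a$b' 'a b' '-x'; do
        is_safe_remote_path "$dest" || rejected=$((rejected + 1))
    done
    echo "$rejected"
}
```

The line printed by `sftp_put_line` can be written to a file and passed to `sftp -b`, so the destination is never placed on an scp command line.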


by Alexander Boden

In Linux, important commands are often replaced, as with ifconfig by ip and iptables by nftables, but it takes time for new commands to catch on among developers. Attempts have been made to keep existing assets usable as they are, such as the development of an scp command that runs sftp internally, so it seems unlikely that the scp command will become unavailable any time soon.

in Software, Posted by darkhorse_log