IETF-SSH archive
Re: A future for the SSH File Transfer Protocol?
Thor Simon <tls%cs.stevens-tech.edu@localhost> wrote:
> 2) SFTP is standards-track; currently, SCP is very much not so.
>
> 3) SFTP is actually documented. SCP -- because it's just basically rcp
> on top of SSH -- is not; there isn't an rcp RFC, not even an
> informational.
Also
(4) There is a _standardised_ means of invoking SFTP on a server,
which doesn't depend on the client knowing or guessing details
of the server setup such as its OS or its PATH or the location
of its scp binary, or indeed its command line quoting rules
(try SCPing a file with weird characters in the name!).
(5) SFTP doesn't require the client to trust the server's wildcard
expansion. (Suppose you send a request for "*.c". You would
like the server not to be able to send back filenames that
don't actually match this pattern, so it can't maliciously
overwrite ".bashrc" in the same directory. Sadly in SCP the
wildcard matching is done on the server, by the server's rules,
and the client doesn't necessarily know what those rules are
(even if the end user does and has correctly constructed a
wildcard within them). For example, "[ab]*.c" would match
extremely different things on a VMS and a Unix system, since in
VMS [ab] is a directory specifier and in Unix it's a wildcard!
SFTP solves this by not _having_ a means of wildcard matching -
the client must request the whole directory, do the matching
itself by its own rules, and then request specific files.
Another solution would be to standardise a set of wildcard
rules, so that the client could validate returned filenames
against them.)
SCP is a _really bad_ protocol.
> I've committed to do an informational RFC on the rcp protocol but keep
> failing to find the time for the last 10% of work to get it out the door;
I hope it treats the above issues carefully! :-)
Cheers,
Simon
--
Simon Tatham "I thought I'd put my foot so far into my mouth I
<anakin%pobox.com@localhost> wouldn't be able to sit down without standing up."
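One way to implement the client-side check point (5) argues for, as an added example that is not part of the message above and not code from any SCP or SFTP implementation: the client validates every filename the server returns against the pattern it asked for, using its own matching rules (Python's fnmatch here, a stand-in for whatever rules the client chooses), and the SFTP-style variant applies the pattern to a full directory listing before requesting files by exact name. The server responses are constructed samples.

```python
import fnmatch

# Constructed sample: what a misbehaving server might send back for "*.c".
RETURNED_BY_SERVER = ["main.c", "util.c", ".bashrc", "../.profile",
                      "sub/x.c", "notes.txt"]


def is_safe_basename(name):
    """A returned name must be a plain file name inside the target
    directory: no path separators, no '.' or '..', no NUL byte."""
    if name in ("", ".", ".."):
        return False
    return not any(ch in name for ch in "/\\\0")


def validate_returned_names(pattern, returned_names):
    """Accept only names the client can itself verify against the pattern
    it requested, by the client's own rules (fnmatch), regardless of how
    the server interpreted the wildcard. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for name in returned_names:
        if not is_safe_basename(name):
            rejected.append(name)
            continue
        # Dot-files are accepted only when the pattern explicitly asks for
        # them, so "*.c" can never yield ".bashrc".
        if name.startswith(".") and not pattern.startswith("."):
            rejected.append(name)
            continue
        if fnmatch.fnmatchcase(name, pattern):
            accepted.append(name)
        else:
            rejected.append(name)
    return accepted, rejected


def sftp_style_select(pattern, directory_listing):
    """The SFTP approach: fetch the whole listing, match locally, and then
    request only the matching names, so the server never interprets the
    wildcard at all (and "[ab]*.c" means what the client thinks it means)."""
    accepted, _ = validate_returned_names(pattern, directory_listing)
    return sorted(accepted)


if __name__ == "__main__":
    ok, bad = validate_returned_names("*.c", RETURNED_BY_SERVER)
    print("accept:", ok)   # ['main.c', 'util.c']
    print("reject:", bad)  # ['.bashrc', '../.profile', 'sub/x.c', 'notes.txt']
```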