IETF-SSH archive


Re: Do we have standards available for scp ??



>> Frankly, it would be also good to document RCP and to have a lengthy
>> description of why RCP is a bad idea operationally (e.g. list of
>> security risks with RCP) and even suggest using SCP instead (to
>> reduce security risks).
>
>But SCP == RCP (the protocols), so either _both_ are secure
>or _none_.

well...yes and no.  they are almost the same, but there are also
places where they differ radically, depending on your point of view.
for example, in the source() routine of my netbsd-current rcp:

                if (pflag) {
                        /*
                         * Make it compatible with possible future
                         * versions expecting microseconds.
                         */
                        (void)snprintf(buf, sizeof(buf), "T%ld %ld %ld %ld\n",
                            (long)stb.st_mtimespec.tv_sec,
                            (long)stb.st_mtimespec.tv_nsec / 1000,
                            (long)stb.st_atimespec.tv_sec,
                            (long)stb.st_atimespec.tv_nsec / 1000);
                ...
                (void)snprintf(buf, sizeof(buf), "C%04o %lld %s\n",
                    stb.st_mode & RCPMODEMASK, (long long)stb.st_size, last);

whereas in the same routine in ssh-1.2.32 (as an example):

                if (pflag) {
                        /*
                         * Make it compatible with possible future
                         * versions expecting microseconds.
                         */
                        (void)snprintf(buf, sizeof(buf), "T%lu 0 %lu 0\n",
                                      (unsigned long)stb.st_mtime, 
                                      (unsigned long)stb.st_atime);
                ...
                (void)snprintf(buf, sizeof(buf), "C%04o %lu %s\n",
                              (unsigned int)(stb.st_mode & FILEMODEMASK), 
                              (unsigned long)stb.st_size, 
                              last);

the size of longs can differ between cpu architectures, and a long
long is not necessarily the same size as a long in all places either.
as protocols go, it works, but it appears to be looking for trouble.

>> That's a bit outside this WG's charter
>> (potentially, subject to WG Chair decision), whereas documenting SCP
>> sufficiently to write an interoperable implementation from the RFC
>> would seem clearly within this WG's charter (also subject to WG Chair
>> decision).
>
>Well, documenting SCP means documenting RCP.

otoh, an existing document covering rcp would make the scp document a
lot easier.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior%daemon.org@localhost             * "ah!  i see you have the internet
twofsonet%graffiti.com@localhost (Andrew Brown)                that goes *ping*!"
andrew%crossbar.com@localhost       * "information is power -- share the wealth."
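
Added example, not part of the original message and not code from rcp or ssh: a receiver-side parser for the "T" and "C" control records formatted above, reading the size and timestamps into fixed-width types with range checks so the result does not depend on how wide a long is on the receiving host. The struct and function names, the 255-byte name limit and the sample record are assumptions made for illustration.

```c
/* Added example: struct/function names and the name limit are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct c_record { unsigned mode; uint64_t size; char name[256]; };
struct t_record { int64_t mtime, atime; uint32_t mtime_usec, atime_usec; };
/* One unsigned decimal field ending in `term`; rejects sign, blanks, overflow. */
static int field_u64(const char **p, char term, uint64_t max, uint64_t *out) {
    char *end;
    if (**p < '0' || **p > '9') return -1;  /* strtoull alone accepts "-1", " 1" */
    errno = 0;
    unsigned long long v = strtoull(*p, &end, 10);
    if (errno == ERANGE || v > max || *end != term) return -1;
    *out = v; *p = end + 1;
    return 0;
}
/* "C<4 octal digits> <size> <name>\n"; four digits assumed from the %04o format. */
int parse_c_record(const char *p, struct c_record *r) {
    if (*p++ != 'C') return -1;
    r->mode = 0;
    for (int i = 0; i < 4; i++, p++) {
        if (*p < '0' || *p > '7') return -1;
        r->mode = (r->mode << 3) | (unsigned)(*p - '0');
    }
    if (*p++ != ' ' || field_u64(&p, ' ', UINT64_MAX, &r->size)) return -1;
    size_t n = strcspn(p, "\n");
    if (n == 0 || n >= sizeof r->name || p[n] != '\n') return -1;
    memcpy(r->name, p, n);
    r->name[n] = '\0';
    return 0;
}
/* "T<mtime> <usec> <atime> <usec>\n"; the ssh sender above always sends usec 0. */
int parse_t_record(const char *p, struct t_record *r) {
    uint64_t v[4];
    if (*p++ != 'T' || field_u64(&p, ' ', INT64_MAX, &v[0]) ||
        field_u64(&p, ' ', 999999, &v[1]) || field_u64(&p, ' ', INT64_MAX, &v[2]) ||
        field_u64(&p, '\n', 999999, &v[3])) return -1;
    r->mtime = (int64_t)v[0]; r->mtime_usec = (uint32_t)v[1];
    r->atime = (int64_t)v[2]; r->atime_usec = (uint32_t)v[3];
    return 0;
}
int main(void) {
    struct c_record c;  /* constructed sample: a size that needs more than 32 bits */
    if (parse_c_record("C0644 5000000000 big.iso\n", &c)) return 1;
    printf("%04o %llu %s\n", c.mode, (unsigned long long)c.size, c.name);
    return 0;
}
```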


