Thursday, June 28, 2012

SFTP (and scp) Gripe

SFTP and SCP are part of the SSH family of tools.  These are specified for enhanced security and are pretty good at it.  They are also only recently being migrated to because of a perceived implementation difficulty.

One major difficulty is that these tools are designed to ensure that you, the client, do NOT store usernames and passwords in unsecured files such as .netrc or shell scripts.  That's an indisputably good thing.  The problem is that the morons implementing server side SFTP at uncountable numbers of vendors, EDI clearinghouses, insurance companies, etc. seem to be incapable of grasping the notion of key based authentication.  SSH requires this.  If your SSH doesn't (there are many, almost all Windows based, if that tells you anything) then your SSH isn't in spec and may be insecure in other ways as well.

What these guys (the implementers at the various vendors mentioned) are doing is a) trading the minor inconvenience of key management for the major inconvenience of creating insecure workarounds to the ssh specification, b) foisting that inconvenience off on you, the client, and c) ultimately dropping responsibility for the insecurely stored credentials squarely in your lap.  Go figure.

So, fine, I don't care that I have to work a little extra to make this happen, I'm used to it.  But this complete disregard for the years of thought that went into the SSH framework, the casual disregard of the inherent security issues with storing passwords in the clear, it's a little hard to stomach.

But then, it's my server that has the credentials stored insecurely - not theirs.