They sabotaged the SFTP standardization process. They are "embracing and extending" as they please, and leveraging their market share in unilateral decisions that ignore the needs of other implementations.
Their quality is also not as awesome as their contributors sometimes seem to believe. They seem to be doing better recently but historically, they have a nice long list of security issues. This is not to mention bugs that are just bugs, and require workarounds. Just the latest of these is an SFTP data stream corruption if there are commands producing output in
.bashrc; because you know, it makes sense for OpenSSH to launch their SFTP subsystem in a way that runs
.bashrc; and it makes sense to send garbage output from
.bashrclike it was part of the SFTP session to the client. ;)
So that's one workaround we're adding in our next Bitvise SSH Client version.
But this is not to say that OpenSSH are the worst. That would be certainly unfair. There are other implementations (recently, coughciscocough; years ago, coughipswitchcough) which have given us much more trouble. OpenSSH at least does care about fixing stuff that's unambiguously broken, which is more than I can say for some vendors.
So my beef with OpenSSH isn't the quality. It's how they pull the same crap Internet Explorer did; but no one blinks an eye. They avoid responsibility and custodianship that would be expected of a private project with their market share, because they're held to a different standard.
A decade ago, they made a public announcement that they're not going to support SFTP versions higher than version 3: for the simple reason that their interest is BSD and Linux, and they just don't care to implement extensions needed by other platforms. Since they're the major implementation, this stopped SFTP standardization in its tracks. We therefore now have SFTP version 3, implemented by OpenSSH; and then we have SFTP version 6, implemented by most reasonable people.
Because of this, we also remain without an SFTP RFC. Instead, de facto standards are past drafts:
- draft-ietf-secsh-filexfer-02: SFTP v3
- draft-ietf-secsh-filexfer-04: SFTP v4
- draft-ietf-secsh-filexfer-13: SFTP v6
- draft-galb-filexfer-extensions-00: SFTP v6 extensions
Just the latest instance that I found today is OpenSSH's decision to not implement the
space-availableextension in SFTPv6; and instead to implement
Fine. That's okay. We'll implement
firstname.lastname@example.org accommodate a client that expects it. But geez, if only OpenSSH didn't act quite like Microsoft, fifteen years ago.
"We are a world unto ourselves, self-sufficient. We do not care for the needs of others."