Right. Also you may have to reconfigure some firewalls to use scp.

Typically, a firewall allows outbound connections without needing an explicit entry for the protocol, and in the case of magic wormhole, both sides are an outbound connection. So it passes right through.

If you've got security-minded folk managing that sort of thing for you, it's possible that magic wormhole will upset them for this reason. More for policy/compliance reasons than actual security ones.

Both problems can be worked around by having a third, general-purpose host where both source/destination hosts can scp to/from. Not quite as straightforward because you have to copy twice and do it from both sides, but has the benefit of not having to install bespoke software.

> Both problems can be worked around by having a third, general-purpose host where both source/destination hosts can scp to/from.

Yup it's what I do, that 3rd computer having a fixed IP. Conveniently that computer can also keep a copy of the file(s).

Linux/BSDs/OS X (which is kinda a Unx too) all come stock with scp* and I don't really use Windows, so I'm a happy camper.

I think you could use an ssh tunnel between the intermediary and the destination such that the scp connection from the source makes it all the way through in one go, rather than leaving files on the intermediary. You'd be forwarding to the ssh port via ssh, so it would be a confusing bit of sshception.

If I tried to actually come up with the actual commands for this, I'm sure I'd burn a whole afternoon on fiddling with it.

This either requires the destination to accept inbound connections, or you'd need a permanent SSH tunnel, both of which you'd probably want to avoid.