ProxyCommand's argument escaping


 



When using a ProxyCommand, it appears that the arguments to it are
passed in an unsafe manner:

% ssh -o ProxyCommand='nc %h %p' '$(not found)'
zsh:1: command not found: not
nc: you must specify the address/port couple of the remote endpoint
ssh_exchange_identification: Connection closed by remote host

This is not zsh specific (e.g. it happens with bash).

One can resolve the immediate problem (which it turned out wasn't even
the problem I was thinking of!) by attempting to quote %h:

% ssh -o ProxyCommand='nc '\''%h'\'' %p' '$(not found)'
nc: forward host lookup failed for remote endpoint $(not found): Name or
service not known

.. but obviously this will fail if someone is motivated:
% ssh -o ProxyCommand='nc '\''%h'\'' %p' \''$(not found)'\'

This doesn't seem ideal, but is probably not an issue in practice.
Maybe it allows motivated users who have permission to run ssh as other
users to execute code as them?  Badly configured sudo rsync backup jobs?

I noticed this while attempting to use an IPv6 literal with its surrounding
square brackets ([::1]), which isn't allowed anyway, and which my zsh config
rejects due to `setopt nomatch`.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
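
As an added illustration of the behaviour reported above (not part of the original message or of OpenSSH): %h is substituted into the ProxyCommand string before the user's shell parses it, so one caller-side mitigation is to validate the host string before it reaches ssh. The function names and sample inputs are constructed for this example, and the allowlist assumes hosts are plain names, IPv4 addresses or unbracketed IPv6 literals.

```sh
#!/bin/sh
# Added example: caller-side check for host strings that will be
# substituted for %h in a ProxyCommand. Names here are hypothetical.
LC_ALL=C; export LC_ALL   # make the A-Z/a-z/0-9 ranges byte-exact

# Return 0 only for plain host names, IPv4 addresses and unbracketed
# IPv6 literals, i.e. strings with no character a shell would interpret.
# "user@host" is rejected on purpose; pass the user with "ssh -l".
is_safe_ssh_host() {
    _host=$1
    [ -n "$_host" ] || return 1              # empty
    [ "${#_host}" -le 253 ] || return 1      # longer than a DNS name
    case $_host in
        -*) return 1 ;;                      # would be read as an option
        *[!A-Za-z0-9.:_-]*) return 1 ;;      # outside the allowlist
    esac
    return 0
}

# Validate the host, then run ssh with it; returns 2 without running
# ssh when the host is rejected. Extra arguments follow the host.
safe_ssh() {
    if ! is_safe_ssh_host "$1"; then
        printf 'refusing unsafe host argument\n' >&2
        return 2
    fi
    _target=$1; shift
    ssh -o ProxyCommand='nc %h %p' "$_target" "$@"
}

# Constructed sample inputs, including the ones from the message above.
check_samples() {
    for _h in 'example.com' '::1' '$(not found)' "'\$(not found)'" '[::1]'; do
        if is_safe_ssh_host "$_h"; then
            printf 'accept  %s\n' "$_h"
        else
            printf 'reject  %s\n' "$_h"
        fi
    done
}
check_samples
```

Validation is done on the caller's side because quoting %h inside the ProxyCommand string, as the message shows, does not hold once the host itself contains a quote.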



