Re: OpenSSH banner does not display multibyte characters like Korean

On 10/05/2012 02:39 AM, Darren Tucker wrote:
> On Tue, Sep 25, 2012 at 9:12 PM, balu chandra <balu9463@xxxxxxxxx> wrote:
>> I also found little information in the changelog on why strnvis() was
>> introduced in input_userauth_banner. Is it added to address any
>> security vulnerability?
> 
> I believe the intent was to prevent a malicious server from sending a
> banner containing a terminal answerback command sequence.  I'm not
> aware of any UTF-8 aware equivalent of strnvis, though (if someone
> knows of one we'll look at using it).
> 

I've asked my colleagues for help with [1] and it turns out that the case you describe might
not be an issue at all.

The banner is sent after a server is authenticated to a client and a client can always suppress
printing a banner using the -q option if he doesn't trust it.

And what would stop a malicious server from sending a terminal answerback command sequence
during a session instead of in the preauth phase?

Is there any relevant discussion related to this problem from the past with more specific information?


[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2058


Petr


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
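
One possible UTF-8-aware filter of the kind the thread asks about, as an added example that is not OpenSSH code and not part of either message. The names `utf8_decode` and `banner_sanitize` are hypothetical; the filter keeps valid printable UTF-8 (so Korean text survives) and writes C0/C1 control characters, DEL and invalid bytes as `\ooo`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode one strict UTF-8 sequence from s (n bytes available). Returns its
 * length (1-4) and sets *cp, or returns 0 if the bytes are not valid. */
static size_t utf8_decode(const unsigned char *s, size_t n, unsigned long *cp)
{
    static const unsigned long min[] = { 0, 0, 0x80, 0x800, 0x10000 };
    size_t len, i;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    else if ((s[0] & 0xE0) == 0xC0) { len = 2; *cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; *cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; *cp = s[0] & 0x07; }
    else return 0;
    if (len > n) return 0;
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    /* Reject overlong forms, UTF-16 surrogates and values past U+10FFFF. */
    if (*cp < min[len] || (*cp >= 0xD800 && *cp <= 0xDFFF) || *cp > 0x10FFFF)
        return 0;
    return len;
}

/* Copy src (slen bytes) into dst (dlen bytes including the NUL). Printable
 * UTF-8, '\n' and '\t' pass through; C0/C1 controls, DEL and invalid bytes
 * become \ooo. Returns bytes written, or (size_t)-1 if dst is too small. */
size_t banner_sanitize(char *dst, size_t dlen, const char *src, size_t slen)
{
    const unsigned char *s = (const unsigned char *)src;
    size_t i = 0, o = 0, len, k;
    unsigned long cp = 0;
    int safe;
    if (dlen == 0) return (size_t)-1;
    while (i < slen) {
        len = utf8_decode(s + i, slen - i, &cp);
        safe = len && cp != 0x7F && !(cp >= 0x80 && cp <= 0x9F) &&
            (cp >= 0x20 || cp == '\n' || cp == '\t');
        if (len == 0) len = 1;  /* escape one bad byte, then resynchronise */
        if (o + (safe ? len : 4 * len) >= dlen) return (size_t)-1;
        for (k = 0; k < len; k++, i++) {
            if (safe) dst[o++] = (char)s[i];
            else o += (size_t)sprintf(dst + o, "\\%03o", (unsigned)s[i]);
        }
    }
    dst[o] = '\0';
    return o;
}
```

The C1 range matters because U+009B (CSI) is the valid two-byte sequence C2 9B, which a byte-wise check for ESC alone would let through.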
