Explicitly call out host in SSH invocation?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



I came across this commit to Git today:
https://github.com/git/git/commit/820d7650cc670d3e4195aad3a5343158c316e8fa

which is part of a mitigation for a security bug they've found whereby
they are constructing a "ssh" command based on user input, and are
able to trick SSH into processing what should be a hostname as an
option instead, if the user manages to trick give a hostname that
begins with "-".

It struck me that while ssh has options such as "-p" that allow
explicit specification of a port, and "-l" for the login name, I don't
see an equivalent to specify the host explicitly - rather it's parsed
from the first positional argument.

Has there been discussion as to whether it would be worthwhile adding
such a flag so that a host (to connect to) could be passed more
explicitly to ssh? (would need some thinking about how that would
interact with the other positional arguments...)

(I must admit I haven't studied the rest of the Git bug - before I
read their commit my assumption was that this was a more typical
string concatenation induced security bug. Once I read that commit I
found this particular pattern of bug quite interesting, as they do in
fact appear to be passing an array of arguments to SSH, they just
don't have any way to explicitly call an argument a hostname)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux