Re: Explicitly call out host in SSH invocation?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Fri, 2017-08-11 at 10:07 +1000, Adam Eijdenberg wrote:
> I came across this commit to Git today:
> https://github.com/git/git/commit/820d7650cc670d3e4195aad3a5343158c31
> 6e8fa
> 
> which is part of a mitigation for a security bug they've found
> whereby
> they are constructing a "ssh" command based on user input, and are
> able to trick SSH into processing what should be a hostname as an
> option instead, if the user manages to trick give a hostname that
> begins with "-".
> 
> It struck me that while ssh has options such as "-p" that allow
> explicit specification of a port, and "-l" for the login name, I
> don't
> see an equivalent to specify the host explicitly - rather it's parsed
> from the first positional argument.

There is always option to pass it to the argument of HostName option.
But you will still have to use some bogus hostname for positional
argument anyway. For example

  ssh -oHostName="example.com" bogus

It is not nice, but it should do the job for such cases and avoid
parsing it as a different argument.

Regards,

-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux