On Fri, Aug 11, 2017 at 2:05 PM Ben Lindstrom <mouring@xxxxxxxxxxxxxx> wrote:
> Why would they not do: ssh -p 22 -- hostname cmd to run
>
> That would ensure that no more parsed options happen. Seems much more
> sane idea than the hack they put in.

Thanks Ben and Jakub for your replies.

While I've seen `--` used from time to time, I didn't realize its significance, that `--` is a POSIX convention to indicate no more option parsing, so I'm glad I asked as I've now learned something (how to avoid a new class of "option injection" attack that I haven't seen referenced before).

I agree that would have been a better fix for them - apparently they had compatibility reasons for not doing so.

Cheers,
Adam
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
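The `--` convention discussed in this thread, shown as an added example that is not part of the original message or of OpenSSH: it uses Python's `getopt` module as a stand-in for a POSIX `getopt()`-based parser to show how a hostname beginning with a dash is classified with and without `--`. The option string, the helper names (`parse`, `build_argv`, `host_is_safe`) and the sample hostname are assumptions made for illustration.

```python
import getopt

# Assumption for this sketch: a small subset of ssh-style flags,
# where -p takes a port and -o takes a key=value setting.
SSH_LIKE_OPTS = "p:o:"


def parse(argv):
    """Parse argv the way a POSIX getopt()-based tool would.

    Returns (options, positionals). Option parsing stops at the first
    non-option argument or at a literal "--", whichever comes first.
    """
    return getopt.getopt(argv, SSH_LIKE_OPTS)


def build_argv(host, command, port=22, end_of_options=True):
    """Build the arguments for: ssh -p PORT [--] HOST CMD.

    host is treated as untrusted (for example, taken from a URL). With
    end_of_options set, "--" precedes it so it can only be a positional.
    """
    argv = ["-p", str(port)]
    if end_of_options:
        argv.append("--")
    argv += [host, command]
    return argv


def host_is_safe(host):
    """Defence in depth (hypothetical helper): refuse option-like hosts."""
    return bool(host) and not host.startswith("-")


if __name__ == "__main__":
    # Constructed input: a "hostname" that begins with a dash.
    untrusted_host = "-oConstructedSetting=value"
    for guarded in (False, True):
        argv = build_argv(untrusted_host, "uptime", end_of_options=guarded)
        opts, rest = parse(argv)
        print(f"-- present: {guarded!s:5} options={opts} positionals={rest}")
    print("host_is_safe:", host_is_safe(untrusted_host))
```

Without `--` the constructed hostname is consumed as a `-o` option and the command becomes the only positional; with `--` it stays a positional argument, which is the behaviour Ben's suggested command line relies on.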