On Sun, 2017-08-13 at 11:25 +1000, Adam Eijdenberg wrote:
> On Fri, Aug 11, 2017 at 2:05 PM Ben Lindstrom <mouring@xxxxxxxxxxxxxx>
> wrote:
> > Why would they not do:
> >
> > ssh -p 22 -- hostname cmd to run
> >
> > That would ensure that no more parsed options happen. Seems a much
> > more sane idea than the hack they put in.
>
> Thanks Ben and Jakub for your replies. While I've seen `--` used from
> time to time, I didn't realize its significance, that `--` is a POSIX
> convention to indicate no more option parsing, so I'm glad I asked as
> I've now learned something (how to avoid a new class of "option
> injection" attack that I haven't seen referenced before).
>
> I agree that would have been a better fix for them - apparently they
> had compatibility reasons for not doing so.

Well, it sounds like a hack, but any hostname according to RFC 952 and
RFC 1123 cannot start with a dash. The only problem can be if you would
define some host alias in ssh_config. But in that case, you would
already need to use -- in front of it in all your scripts/invocations.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
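As an added example (not code from the thread or from OpenSSH), the two defences discussed above combined in a POSIX sh wrapper: the host name is checked against the RFC 952 / RFC 1123 label rules Jakub cites, so a value beginning with "-" is refused, and ssh is then invoked with `--` before the host as Ben suggests, so neither the host nor the remote command can ever be parsed as ssh options. `is_valid_hostname`, `safe_ssh`, `SSH_PORT` and `DRY_RUN` are names chosen for this example.

```shell
#!/bin/sh
# Return 0 if $1 is a syntactically valid RFC 1123 host name, 1 otherwise.
# Rules checked: total length <= 253, only [A-Za-z0-9.-], no empty labels,
# each dot-separated label 1..63 chars and neither starting nor ending in "-".
is_valid_hostname() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    # Check every label in a subshell so the IFS/globbing changes stay local.
    (
        IFS=.
        set -f
        for label in $name; do
            [ ${#label} -le 63 ] || exit 1
            case $label in
                -*|*-) exit 1 ;;
            esac
        done
        exit 0
    )
}

# Run ssh against a validated host with "--" terminating option parsing.
# Remaining arguments are passed through as the remote command.
# DRY_RUN=1 prints the argv (one [bracketed] element each) instead of
# executing, which is what the test below exercises. Returns 2 on refusal.
safe_ssh() {
    [ $# -ge 1 ] || return 2
    host=$1
    shift
    is_valid_hostname "$host" || {
        echo "refusing host name that is not RFC 1123 compliant: $host" >&2
        return 2
    }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '[%s]' ssh -p "${SSH_PORT:-22}" -- "$host" "$@"
        echo
        return 0
    fi
    ssh -p "${SSH_PORT:-22}" -- "$host" "$@"
}
```

The validator is deliberately stricter than ssh itself: a Host alias from ssh_config that begins with a dash is refused rather than protected only by the `--`, which matches the point that such aliases already need special handling in every invocation.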