Re: Explicitly call out host in SSH invocation?

On Sun, 2017-08-13 at 11:25 +1000, Adam Eijdenberg wrote:
> On Fri, Aug 11, 2017 at 2:05 PM Ben Lindstrom <mouring@xxxxxxxxxxxxxx> wrote:
> > Why would they not do:  ssh -p 22  -- hostname  cmd to run
> > 
> > That would ensure that no more parsed options happen.  Seems a much
> > more sane idea than the hack they put in.
> 
> Thanks Ben and Jakub for your replies. While I've seen `--` used from
> time to time, I didn't realize its significance, that `--` is a POSIX
> convention to indicate no more option parsing, so I'm glad I asked as
> I've now learned something (how to avoid a new class of "option
> injection" attack that I haven't seen referenced before).
> 
> I agree that would have been a better fix for them - apparently they
> had compatibility reasons for not doing so.

Well, sounds like a hack, but any hostname according to RFC 952 and RFC
1123 cannot start with a dash.
The only problem can be if you define some host alias in ssh_config.
But in that case, you would already need to use -- in front of it in
all your scripts/invocations.

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
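
The two defences discussed in this thread (ending option parsing with `--`, and the RFC 952 / RFC 1123 rule that a hostname cannot start with a dash), combined in one wrapper. This is an added example, not part of the original message or of OpenSSH; `is_rfc1123_hostname`, `safe_ssh` and the `SSH_BIN` override are hypothetical names, and the sample hosts are constructed.

```shell
#!/bin/sh
# Added example: validate an untrusted host string, then pass it after "--".

# Succeeds only for RFC 952 / RFC 1123 hostname syntax. The ( ... ) body runs
# in a subshell, so the LC_ALL and IFS changes do not leak into the caller.
is_rfc1123_hostname() (
    LC_ALL=C                          # keep A-Z, a-z, 0-9 as plain ASCII ranges
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 253 ] || exit 1
    case $name in
        *[!A-Za-z0-9.-]*) exit 1 ;;   # only letters, digits, hyphen, dot
        .*|*.|*..*)       exit 1 ;;   # empty label (trailing dot refused too)
        -*|*-|*.-*|*-.*)  exit 1 ;;   # a label starts or ends with a hyphen
    esac
    IFS=.
    for label in $name; do            # unquoted on purpose: split on dots
        [ "${#label}" -le 63 ] || exit 1
    done
    exit 0
)

# Hypothetical wrapper. SSH_BIN is an assumed override used for dry runs;
# when it is unset the real ssh is executed.
safe_ssh() {
    [ "$#" -ge 1 ] || return 2
    host=$1
    shift
    if ! is_rfc1123_hostname "$host"; then
        printf 'safe_ssh: refusing host: %s\n' "$host" >&2
        return 2
    fi
    # "--" ends option parsing, so "$host" can only be read as the destination.
    "${SSH_BIN:-ssh}" -- "$host" "$@"
}

# Constructed inputs: two hostname-shaped strings and two that are not.
for h in example.com build-01.example.net -v host-.example.com; do
    if is_rfc1123_hostname "$h"; then
        printf 'accept: %s\n' "$h"
    else
        printf 'reject: %s\n' "$h"
    fi
done
```

The syntax check also refuses ssh_config host aliases that are not hostname-shaped, which is the case the message above says still needs `--`; the wrapper passes `--` unconditionally for that reason.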


