Re: AcceptEnv LANG LC_* vs available locales

On Mon, 2022-05-02 at 21:59 +0200, Carson Gaspar wrote:
> Fundamentally, you're asking for a firewall for your terminal because
> you can't / won't run a secure client.

I guess so ^^ ... but I haven't said whether or not I personally use
tmux - but I guess many people using ssh don't.

The main goal here should be to protect the average user, who has
likely no idea about possible subtle security issues with terminal
escape sequences.


> but it neither should nor needs to be part of OpenSSH. It's just a
> PTY/TTY proxy, and would work just fine as a stand-alone app.

Well, ssh is the client, that would actually "introduce" any unsafe
escape sequences to the system.

So it seems very well to be the appropriate location where such
filtering would be done, just to make sure that it is.

You also don't implement a firewall in the browser, the mail user
agent, etc. - you implement one centrally at the OS level.


> If you really want to integrate it, a better target would be
> something like screen or tmux, so it protects against all malicious
> terminal apps.

tmux ain't a firewall either.

And there may be many valid use cases (tmux without any remote
terminals) where people may want such escape sequences like OSC52 going
through.
IMO it's typically the "from remote" property that makes things really
critical.


Cheers,
Chris.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
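
The kind of filter discussed in this message, sketched as an added example (not code from OpenSSH or from anyone in the thread): a streaming state machine that removes OSC 52 clipboard sequences from bytes arriving from the remote side and passes everything else through unchanged. The name `Osc52Filter` is hypothetical. It assumes 7-bit introducers only (`ESC ]`, terminated by BEL or `ESC \`) and a terminal that skips other C0 controls in the middle of a sequence; 8-bit C1 controls and tmux/screen passthrough wrappers are not handled.

```python
ESC, BEL, CAN, SUB = 0x1B, 0x07, 0x18, 0x1A
C0_SKIP = bytes(set(range(0x20)) - {ESC, BEL, CAN, SUB})  # skipped mid-sequence
GROUND, SAW_ESC, OSC_NUM, OSC_BODY, OSC_ESC = range(5)
SAMPLE = b"ok \x1b]52;c;Y29uc3RydWN0ZWQ=\x07\x1b]0;title\x07done"  # constructed input

class Osc52Filter:  # hypothetical helper, not OpenSSH code
    def __init__(self):
        self.state, self.num = GROUND, b""   # num: OSC command digits seen so far
        self.drop, self.dropped = False, 0   # inside a dropped OSC / count removed

    def feed(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            self._step(b, out)
        return bytes(out)

    def _step(self, b, out):
        if self.state == GROUND and b != ESC:
            out.append(b)
        elif self.state == GROUND:
            self.state = SAW_ESC             # hold ESC until the next byte is known
        elif self.state == SAW_ESC and b == ord("]"):
            self.state, self.num = OSC_NUM, b""
        elif self.state == SAW_ESC and (b in C0_SKIP or b in (ESC, BEL, 0x7F)):
            out.append(b)                    # terminal is still mid-escape: keep holding
        elif self.state == SAW_ESC:
            out += bytes((ESC, b))           # some other escape sequence: pass it on
            self.state = GROUND
        elif self.state == OSC_NUM and b in C0_SKIP:
            pass                             # e.g. NUL between "5" and "2" is ignored
        elif self.state == OSC_NUM and 0x30 <= b <= 0x39 and len(self.num) < 8:
            self.num += bytes((b,))
        elif self.state == OSC_NUM:          # first non-digit: the number is complete
            self.drop = len(self.num) == 8 or self.num.lstrip(b"0") == b"52"
            self.dropped += self.drop        # "052" matches; 8+ digits fail closed
            out += b"" if self.drop else b"\x1b]" + self.num
            self.state = OSC_BODY
            self._step(b, out)               # re-handle b as the first body byte
        elif self.state == OSC_BODY and b == ESC:
            self.state = OSC_ESC
        elif self.state == OSC_BODY:
            out += b"" if self.drop else bytes((b,))
            self.state = GROUND if b == BEL else OSC_BODY
        elif b == ord("\\"):                 # OSC_ESC then "\" is ST, the terminator
            out += b"" if self.drop else b"\x1b\\"
            self.state = GROUND
        else:                                # ESC + other byte aborts the OSC string
            self.state = SAW_ESC
            self._step(b, out)
```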