On Mon, 2022-05-02 at 21:59 +0200, Carson Gaspar wrote:
> Fundamentally, you're asking for a firewall for your terminal because
> you can't / won't run a secure client.

I guess so ^^ ... but I haven't said whether or not I personally use tmux - but I guess many people using ssh don't. The main goal here should be to protect the average user, who has likely no idea about possible subtle security issues with terminal escape sequences.

> but it
> neither should nor needs to be part of OpenSSH. It's just a PTY/TTY
> proxy, and would work just fine as a stand-alone app.

Well, ssh is the client, that would actually "introduce" any unsafe escape sequences to the system. So it seems very well to be the appropriate location where such filtering would be done, just to make sure that it is. You also don't implement a firewall in the browser, the mail user agent, etc. - you implement one centrally at the OS level.

> If you really want
> to integrate it, a better target would be something like screen or
> tmux,
> so it protects against all malicious terminal apps.

tmux ain't a firewall either. And there may be many valid use cases (tmux without any remote terminals) where people may want such escape sequences like OSC52 going through. IMO it's typically the "from remote" property that makes things really critical.

Cheers,
Chris.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev