[Bug 2283] New: option to execute command without shell

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Oct 2 11:02:36 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2283

            Bug ID: 2283
           Summary: option to execute command without shell
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: pabs3 at bonedaddy.net

ssh has always been confusing when it comes to quoting because it runs
commands on the remote side with the system shell. It would be nice if
there were a mode where commands could be run using fork()+exec() or
similar, without invoking the shell. This would help avoid quoting
confusion, shell metacharacter attacks and things like shellshock.

This appears to require a protocol extension to work since RFC 4254
specifies just a string to be passed with exec:

https://tools.ietf.org/html/rfc4254#section-6.5

There could be:

A client-side option to turn it on.

A server-side option (sshd_config, authorized_keys) to allow it.

A server-side option (sshd_config, authorized_keys) to disallow
in-shell commands and interactive shells.

A way to pass the original command requested by the user to the forced
command that uses NUL characters to separate arguments instead of
spaces. Maybe ORIGINAL_SSH_COMMAND_N environment variables would be the
way to do it.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
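
The quoting problem described in the report, modelled locally as an added example (not part of the original report and not OpenSSH code): the same argument list is delivered through a space-joined command string run by `/bin/sh -c`, through the same string with each argument quoted by the caller, and through a direct exec with no shell. The helper script, the function names, the sample arguments and the `HOME` value are constructed for illustration, and `/bin/sh` is assumed to stand in for the remote user's shell.

```python
import atexit
import json
import os
import shlex
import subprocess
import sys
import tempfile

# Constructed stand-in for the remote program: prints the argv it received as JSON.
_fd, HELPER = tempfile.mkstemp(suffix=".py")
with os.fdopen(_fd, "w") as fh:
    fh.write("import json, sys\nprint(json.dumps(sys.argv[1:]))\n")
atexit.register(os.unlink, HELPER)
PROGRAM = [sys.executable, HELPER]

# Constructed HOME value so the shell's expansion result is predictable.
ENV = dict(os.environ, HOME="/constructed/home")


def _run(proc_args):
    """Run the process and return the argument list the helper reports."""
    out = subprocess.run(proc_args, capture_output=True, text=True, env=ENV).stdout
    return json.loads(out)


def via_shell(args):
    """Arguments joined with spaces into one command string, which a shell
    then re-parses (the program path itself is quoted to isolate the effect)."""
    command = shlex.join(PROGRAM) + " " + " ".join(args)
    return _run(["/bin/sh", "-c", command])


def via_shell_quoted(args):
    """Caller-side workaround: quote every argument for a POSIX shell first."""
    return _run(["/bin/sh", "-c", shlex.join(PROGRAM + args)])


def via_exec(args):
    """The requested mode: argv handed to exec unchanged, no shell involved."""
    return _run(PROGRAM + args)


SAMPLE = ["two words", "", "$HOME"]  # constructed arguments

if __name__ == "__main__":
    for mode in (via_shell, via_shell_quoted, via_exec):
        print(f"{mode.__name__:17} -> {mode(SAMPLE)}")
```

In the unquoted shell path the space splits one argument into two, the empty argument disappears and `$HOME` is expanded; the quoted and direct-exec paths both deliver the three arguments unchanged.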