OpenSSH banner does not display multibyte characters like Korean

Petr Lautrbach plautrba at redhat.com
Fri Jul 18 00:04:16 EST 2014


On 10/05/2012 02:39 AM, Darren Tucker wrote:
> On Tue, Sep 25, 2012 at 9:12 PM, balu chandra <balu9463 at gmail.com> wrote:
>> I also found little information in the changelog on why strnvis() was
>> introduced in input_userauth_banner. Is it added to address any
>> security vulnerability?
> 
> I believe the intent was to prevent a malicious server from sending a
> banner containing a terminal answerback command sequence.  I'm not
> aware of any UTF-8 aware equivalent of strnvis, though (if someone
> knows of one we'll look at using it).
> 

I've asked my colleagues for help with [1] and it turns out that the case you describe might
not be an issue at all.

The banner is sent after a server is authenticated to a client and a client can always suppress
printing a banner using the -q option if he doesn't trust it.

And what would stop a malicious server from sending a terminal answerback command sequence
during a session instead of in the preauth phase?

Is there any relevant discussion related to this problem from the past with more specific information?


[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2058


Petr
