Explicitly call out host in SSH invocation?
Adam Eijdenberg
adam at continusec.com
Sun Aug 13 11:25:00 AEST 2017
On Fri, Aug 11, 2017 at 2:05 PM Ben Lindstrom <mouring at offwriting.org> wrote:
> Why would they not do: ssh -p 22 -- hostname cmd to run
>
> That would ensure that no more parsed options happen. Seems much more
> sane idea than the hack they put in.
Thanks Ben and Jakub for your replies. While I've seen `--` used from
time to time, I didn't realize its significance, that `--` is a POSIX
convention to indicate no more option parsing, so I'm glad I asked as
I've now learned something (how to avoid a new class of "option
injection" attack that I haven't seen referenced before).
I agree that would have been a better fix for them - apparently they
had compatibility reasons for not doing so.
Cheers, Adam
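
Added example, not part of the original message: a Python sketch of the `--` convention discussed above, using the standard `getopt` module to show how the same untrusted host value is classified with and without the terminator. The option string `p:v`, the helper names and the sample host value are assumptions made for the demonstration.

```python
import getopt

# Assumed option string modelling a small subset of a CLI's flags:
# -p takes an argument, -v takes none.
OPTSTRING = "p:v"


def parse(argv):
    """Split argv into (options, operands) the way a getopt-based CLI does."""
    return getopt.getopt(argv, OPTSTRING)


def build_ssh_argv(host, command, port=22):
    """Build an ssh argv list with the host placed after `--`.

    The leading-dash check is defence in depth: after `--` the value is
    already treated as an operand, but no real hostname starts with '-'.
    """
    if not host or host.startswith("-"):
        raise ValueError("refusing host that is empty or starts with '-'")
    return ["ssh", "-p", str(port), "--", host, command]


if __name__ == "__main__":
    untrusted_host = "-v"  # constructed sample value that looks like an option

    # Without `--` the value is consumed as an option and the command
    # ("uptime") slides into the host position.
    print(parse(["-p", "22", untrusted_host, "uptime"]))

    # With `--` option parsing stops, so the value stays an operand.
    print(parse(["-p", "22", "--", untrusted_host, "uptime"]))

    print(build_ssh_argv("host.example", "uptime"))
```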