Explicitly call out host in SSH invocation?

Adam Eijdenberg adam at continusec.com
Sun Aug 13 11:25:00 AEST 2017

On Fri, Aug 11, 2017 at 2:05 PM Ben Lindstrom <mouring at offwriting.org> wrote:
> Why would they not do:  ssh -p 22  -- hostname  cmd to run
> That would ensure that no more parsed options happen.  Seems much more
> sane idea than the hack they put in.

Thanks Ben and Jakub for your replies. While I've seen `--` used from
time to time, I didn't realize it's significance, that `--` is a POSIX
convention to indicate no more option parsing, so I'm glad I asked as
I've now learned something (how to avoid a new class of "option
injection" attack that I haven't seen referenced before).

I agree that would have been a better fix for them - apparently they
had compatibility reasons for not doing so.

Cheers, Adam

More information about the openssh-unix-dev mailing list