AcceptEnv LANG LC_* vs available locales

Christoph Anton Mitterer calestyo at scientia.org
Tue May 3 08:14:37 AEST 2022


On Mon, 2022-05-02 at 21:59 +0200, Carson Gaspar wrote:
> Fundamentally, you're asking for a firewall for your terminal because
> you can't / won't run a secure client.

I guess so ^^ ... but I haven't said whether or not I personally use
tmux - but I guess many people using ssh don't.

The main goal here should be to protect the average user, who has
likely no idea about possible subtle security issues with terminal
escape sequences.


> but it
> neither should nor needs to be part of OpenSSH. It's just a PTY/TTY 
> proxy, and would work just fine as a stand-alone app.

Well, ssh is the client, that would actually "introduce" any unsafe
escape sequences to the system.

So it seems very well to be the appropriate location where such
filtering would be done, just to make sure that it is.

You also don't implement a firewall in the browser, the mail user
agent, etc. - you implement one centrally at the OS level.


> If you really want 
> to integrate it, a better target would be something like screen or
> tmux, 
> so it protects against all malicious terminal apps.

tmux ain't a firewall either.

And there may be many valid use cases (tmux without any remote
terminals) where people may want such escape sequences like OSC52 going
through.
IMO it's typically the "from remote" property that makes things really
critical.


Cheers,
Chris.
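Added illustration (not part of the original message and not OpenSSH code): a minimal stateful filter of the kind this thread argues about, dropping OSC 52 sequences from bytes arriving from the remote side while passing other output through. The class name `Osc52Filter` and the sample bytes are constructed for this example, and only the 7-bit `ESC ]` introducer is handled.

```python
ESC, BEL, RBRACKET, BACKSLASH = 0x1B, 0x07, 0x5D, 0x5C

class Osc52Filter:
    """Drops OSC 52 sequences from a byte stream; state survives chunk boundaries."""
    def __init__(self):
        self.state = "ground"      # ground | esc | osc_num | osc_body
        self.num = bytearray()     # OSC command digits, held until classified
        self.drop = self.in_osc = False

    def feed(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            self._step(b, out)
        return bytes(out)

    def _step(self, b: int, out: bytearray) -> None:
        if b == ESC and self.state in ("ground", "osc_body"):
            # Hold the ESC until the next byte shows what it introduces.
            self.in_osc, self.state = self.state == "osc_body", "esc"
        elif self.state == "ground":
            out.append(b)
        elif self.state == "esc":
            if b == RBRACKET:                    # ESC ] opens an OSC string
                self.state, self.num = "osc_num", bytearray()
            elif b == BACKSLASH and self.in_osc and self.drop:
                self.state = "ground"            # ST closing a dropped OSC: swallow
            elif b == ESC:
                out.append(ESC)                  # release earlier ESC, hold this one
                self.in_osc = False
            else:
                out += bytes((ESC, b))           # any other escape sequence passes
                self.state = "ground"
        elif self.state == "osc_num":
            if 0x30 <= b <= 0x39 and len(self.num) < 8:
                self.num.append(b)
                return
            # Drop 52 (leading zeros allowed) and any over-long number field.
            self.drop = len(self.num) >= 8 or self.num.lstrip(b"0") == b"52"
            if not self.drop:
                out += b"\x1b]" + self.num
            self.state = "osc_body"
            self._step(b, out)
        else:                                    # osc_body: runs until BEL or ESC
            if not self.drop:
                out.append(b)
            if b == BEL:
                self.state = "ground"

# Constructed sample: an OSC 52 clipboard write split across two reads, then a title change.
SAMPLE_CHUNKS = [b"$ ls\r\n\x1b]52;c;aGVs", b"bG8=\x07done\x1b]0;title\x07"]
```

A lone ESC at the end of a read is held back until the next byte arrives, so a caller wrapping a PTY should expect that one-byte delay.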


More information about the openssh-unix-dev mailing list