command [argument ...] in ssh(1): a footgun

raf ssh at raf.org
Tue May 30 09:52:59 AEST 2023


On Mon, May 29, 2023 at 06:35:34PM +0000, Peter Stuge <peter at stuge.se> wrote:

> raf wrote:
> > Not knowing the details of each user's login shell is
> > precisely the reason that ssh couldn't ever do the
> > quoting itself.
> 
> The footgun is unrelated to shells.
> 
> The SSH_MSG_CHANNEL_REQUEST protocol message for "exec" (RFC 4254)
> channels which are used to run a single remote command contains
> exactly one string for the command.
> 
> sshd (see bottom of do_child() in session.c) runs that command string as:
> 
> remote_users_shell -c command

I'm aware of that. That's why I said what I said.
Sorry, but I don't understand what point you are making.

> //Peter


More information about the openssh-unix-dev mailing list