command [argument ...] in ssh(1): a footgun

Jochen Bern Jochen.Bern at binect.de
Tue May 30 19:28:21 AEST 2023 

On 27.05.23 00:08, Thorsten Glaser wrote:
> On Fri, 26 May 2023, Mingye Wang (Artoria2e5) wrote:
>> The less modest one is we throw out the "[argument ...]" part altogether. It
> 
> Absolutely not. This will break about all uses of ssh in existence.

You are confusing "ssh(1) does (not) distinguish between 'command' and 
'argument(s)'" with "the 'command' may (not) be understood by the remote 
shell as having arguments". To ssh(1), as it currently stands, "command" 
is meant to be opaque, and omitting "[argument ...]" from the ssh(!) 
manpage would indicate just that. For all we know, the remote shell 
could break the command into parts at underscores, rather than whitespace.

Let's summarize the general situation, though:
-- We cannot reduce the local shell's influence re: quoting to zero as
    that's what the (interactive) user uses to input the (remote) command
    in the first place. (Ignoring the possibility of RemoteCommand in a
    (pseudo?) config file for the moment.)
-- We cannot reduce the remote shell's influence to zero as long as
    sshd(8) uses that to execute the command.
-- If we avoid that and execv() the command directly, we make the UI
    disparate from what the user experiences with an interactive login
    (shell aliases, env vars, ...).
Pick your poison ...

It could be argued that ssh(1) already offers a certain amount of 
*choices* influencing the remote shell (login shell or not, tty or not, 
both usually affecting the dotfiles the remote shell will load), so I 
*could* see a "switch to remote direct execv()" *option* on the (far) 
horizon, but not a change of the default behavior.

(Another *technical* possibility would be to use some sort of encoding 
on the command transmitted from ssh to sshd, and thus make that a fully 
transparent bit stream that can carry NULs into a hypothetical remote 
"shell" that can detect and interpret them, but that would still require 
a protocol extension and I'm not sure how the part of providing such as 
an input through the local shell could be made anything but a pain in 
the forefingers ...)

 From the point of terminology, taking the respective shells out of the 
equation makes the entire thing less of a "secure shell" or "remote 
login" and more like an RPC or distributed queueing system ...

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20230530/ce5188d9/attachment.p7s>

More information about the openssh-unix-dev mailing list