command [argument ...] in ssh(1): a footgun

Brian Candler b.candler at pobox.com
Wed May 31 16:46:49 AEST 2023


On 31/05/2023 05:14, raf wrote:
> Actually, I'm trying to find the mention in the manpage
> that started this and can't find it. It doesn't mention
> [arguments...] after [command] like I think the OP
> asked to have removed. I must be misremembering. The
> synopsis ends with: "[command]". And the DESCRIPTION
> section (paragraph 3) says:
>
>    If a command is specified, it is executed on the
>    remote host instead of a login shell.
>
> I can't see where it says that arguments are joined
> with a space. Maybe I'm reading it wrong.

I'm on macOS with ssh installed from homebrew.

$ ssh -V
OpenSSH_9.2p1, OpenSSL 1.1.1t  7 Feb 2023

"man ssh" starts as follows:

SSH(1)                      General Commands Manual                     SSH(1)

NAME
      ssh – OpenSSH remote login client

SYNOPSIS
      ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec]
          [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile]
          [-I pkcs11] [-i identity_file] [-J destination] [-L address] [-l login_name]
          [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
          [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination
          *[command [argument ...]]*

DESCRIPTION
      ssh (SSH client) is a program for logging into a remote machine and for executing
      commands on a remote machine.  It is intended to provide secure encrypted
      communications between two untrusted hosts over an insecure network.  X11
      connections, arbitrary TCP ports and UNIX-domain sockets can also be forwarded over
      the secure channel.

      ssh connects and logs into the specified destination, which may be specified as
      either [user@]hostname or a URI of the form ssh://[user@]hostname[:port].  The user
      must prove their identity to the remote machine using one of several methods (see
      below).

      If a command is specified, it will be executed on the remote host instead of a login
      shell. *A complete command line may be specified as command, or it may have
      additional arguments.  If supplied, the arguments will be appended to the command,
      separated by spaces, before it is sent to the server to be executed.*

...

This agrees with 
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh.1?rev=1.433&content-type=text/x-cvsweb-markup
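
The behaviour in the highlighted man page text, as an added example that is not part of the original post: arguments joined with spaces are parsed a second time by the remote shell, so argument boundaries and metacharacters do not survive unless each argument is quoted first. It assumes a POSIX-compatible remote login shell, modelled locally with `sh -c`; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed model: `sh -c` stands in for the remote login shell
# (assumed POSIX). All function names here are hypothetical.

# What ssh(1) documents: command and arguments are joined with single
# spaces, and the server's shell parses the resulting string again.
ssh_join_and_run() {
    joined="$*"              # default IFS: "$*" joins with one space
    sh -c "$joined"
}

# Quote one argument for a POSIX shell: wrap it in single quotes and
# rewrite every embedded ' as '\''. The trailing "x" sentinel keeps
# trailing newlines from being stripped by the command substitution.
sh_quote() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Quote every argument before joining, so the second parse on the
# "remote" side reproduces the original argument vector.
ssh_quote_and_run() {
    joined=""
    for a in "$@"; do
        joined="$joined${joined:+ }$(sh_quote "$a")"
    done
    sh -c "$joined"          # real use: ssh destination "$joined"
}

# Constructed sample arguments; printf prints a comma after each
# argument it receives, which makes the argument boundaries visible.
ssh_join_and_run  printf '%s,' 'a b' c;           echo
ssh_quote_and_run printf '%s,' 'a b' c;           echo
ssh_join_and_run  printf '%s,' 'x; echo SECOND'
ssh_quote_and_run printf '%s,' 'x; echo SECOND';  echo
```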
