AcceptEnv LANG LC_* vs available locales

Demi Marie Obenour demiobenour at gmail.com
Fri Apr 29 10:29:24 AEST 2022


On 4/27/22 05:40, Ingo Schwarze wrote:
> Hi Demi,
> 
> Demi Marie Obenour wrote on Tue, Apr 26, 2022 at 09:12:07PM -0400:
>> On 4/25/22 08:23, Ingo Schwarze wrote:
> 
>>> As discussed in the above writeup, the only way to make ssh(1)
>>> connections safe it to manually make sure, *before connecting*,
>>> that the same locale is set on both sides - ideally UTF-8.
> 
>> It is also safe for the locale to be different, so long as the
>> character encodings match.  For instance, all UTF-8 locales are
>> compatible.
> 
> Yes, that is what i meant.  In OpenBSD, we are used to the deliberate
> decision that the C library ignores all aspects of the locale except
> the character encoding, so the locale and the character encoding are
> one and the same and your statement is obvious for us.  Of course,
> your statement is also true on arbitrary other operating systems, even
> if they do take other parts of the locale into account.

Off-topic: Why did OpenBSD make this decision?  In particular,
LC_MESSAGES seems to be essential to internationalization support,
without being very problematic otherwise.

Also, is it safe if the server uses the C locale (LC_ALL=C) and the
client uses UTF-8?

> Thanks for making this aspect explicit.  You are right that it might
> not be obvious for users of other systems.

You’re welcome.

> That said, on non-OpenBSD systems, if the locale used by a program does
> not match watch the user thinks, the *semantics* of the program may still
> screw up horribly, even if the character encoding matches.  For example,
> consider user input of floating point numbers with LC_NUMERIC set to a
> cultural convention the user isn't aware of.  But such issues are
> only loose related to ssh(1) and to terminal security.

When it comes to terminal security, another approach is to use
a transient tmux(1) pane or terminal window that is closed once
the session is complete.  This assumes that the mismatch cannot be
exploited for code execution, but I would be highly surprised if it
could be, especially with the client in UTF-8 mode.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xB288B55FFF9C22C1.asc
Type: application/pgp-keys
Size: 4885 bytes
Desc: OpenPGP public key
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20220428/4b34c838/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20220428/4b34c838/attachment-0001.asc>


More information about the openssh-unix-dev mailing list