AcceptEnv LANG LC_* vs available locales
Christoph Anton Mitterer
calestyo at scientia.org
Tue May 3 08:14:37 AEST 2022
On Mon, 2022-05-02 at 21:59 +0200, Carson Gaspar wrote:
> Fundamentally, you're asking for a firewall for your terminal because
> you can't / won't run a secure client.
I guess so ^^ ... but I haven't said whether or not I personally use
tmux - but I guess many people using ssh don't.
The main goal here should be to protect the average user, who has
likely no idea about possible subtle security issues with terminal
escape sequences.
> but it
> neither should nor needs to be part of OpenSSH. It's just a PTY/TTY
> proxy, and would work just fine as a stand-alone app.
Well, ssh is the client, that would actually "introduce" any unsafe
escape sequences to the system.
So it seems very well to be the appropriate location where such
filtering would be done, just to make sure that it is.
You also don't implement a firewall in the browser, the mail user
agent, etc. - you implement one centrally at the OS level.
> If you really want
> to integrate it, a better target would be something like screen or
> tmux,
> so it protects against all malicious terminal apps.
tmux ain't a firewall either.
And there may be many valid use cases (tmux without any remote
terminals) where people may want such escape sequences like OSC52 going
through.
IMO it's typically the "from remote" property that makes things really
critical.
Cheers,
Chris.
More information about the openssh-unix-dev
mailing list