Hi Guilhem, Thanks for pointing that out, I’ve made -sjk fail rather than be dropped silently.
I’ve applied the other patch to avoid MOTD when there’s a command. Thanks, Matt > On Wed 14/10/2015, at 3:13 am, Guilhem Moulin <guil...@fripost.org> wrote: > > Hi, > > It's fine not to implement bundling in dropbear's option parsing > function (svr-runopts.c's svr_getopts), but it should at least croak if > argv[i][2] != '\0'. For instance > > dropbear -rdropbear.key -p127.0.0.1:2222 -sjk > > should either fail, or be parsed as > > dropbear -r dropbear.key -p 127.0.0.1:2222 -s -j -k > > if bundling is allowed. > > > This might have security implications, as the current parsing mechanism > might make a user think that passing ‘-sjk’ disables port forwarding, > which is not the case (the trailing ‘jk’ is ignored). > > Cheers, > -- > Guilhem.