[Bug 2253] New: No "$@"-like SSH_ORIGINAL_COMMAND leads to escaping, arg-sep and metachar issues

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2253

Bug ID: 2253
Summary: No "$@"-like SSH_ORIGINAL_COMMAND leads to escaping, arg-sep and metachar issues
Product: Portable OpenSSH
Version: 6.6p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-b...@mindrot.org
Reporter: ring...@ringerc.id.au

Hi all

I've recently noticed that it's quite tricky to get a remote OpenSSH
command to be invoked with the correct arguments, especially if using a
command= specifier in a public key entry with "$SSH_ORIGINAL_COMMAND".

When ssh is invoked, any argument quoting is consumed by the calling
shell. ssh then passes the command to sshd, where it's stored in
SSH_ORIGINAL_COMMAND. However, no escaping is performed by ssh or sshd
to ensure that shell metacharacters are escaped and whitespace regions
within arguments aren't treated as argument separators.

In a normal shell, one uses "$@", which is the
argument-separation-and-metachar aware version of "$*".

OpenSSH lacks any equivalent. It needs one to make it possible to use
SSH_ORIGINAL_COMMAND securely without making arbitrary rules ("the
command may not contain any shell metachars and spaces within arguments
are not permitted").

It really needs a $SSH_ESCAPED_ORIGINAL_COMMAND.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
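
The constraint described in the report above, as an added example that is not part of the original report and is not OpenSSH code: the client flattens its arguments into one string, so a forced-command wrapper can only accept a restricted character set and an allowlist of subcommands. The wrapper path and the "status" and "fetch" subcommands are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Logic for a forced-command wrapper named in
# authorized_keys as: command="/usr/local/bin/ssh-wrapper" <key>
# The wrapper path and the "status"/"fetch" subcommands are hypothetical.

# The ssh client joins its command arguments with single spaces.
flatten_like_ssh() { printf '%s' "$*"; }

# Number of arguments received, used to compare argv before and after.
count_args() { echo "$#"; }

# Classify a flat command string without eval or "sh -c".
# Returns 0 = allowed, 1 = character outside the safe set, 2 = not on allowlist.
check_command() {
    raw=$1
    # Count bytes left after deleting the safe set; quotes, ; | & $ ` * / and
    # newlines all survive the deletion and cause a rejection.
    bad=$(printf '%s' "$raw" | LC_ALL=C tr -d 'A-Za-z0-9 ._=:@+-' | wc -c)
    [ "$bad" -eq 0 ] || return 1
    set -f                  # disable globbing while splitting on spaces
    set -- $raw
    set +f
    case "$#:$1" in
        1:status) return 0 ;;
        2:fetch)  case $2 in .*|-*) return 2 ;; *) return 0 ;; esac ;;
        *)        return 2 ;;
    esac
}

# In the real wrapper: check_command "$SSH_ORIGINAL_COMMAND" || exit 1, then
# exec a fixed absolute path with the validated word passed as its own argument.

# Constructed demo: the caller typed  ssh host fetch 'report 2014.log'
demo() {
    before=$(count_args fetch 'report 2014.log')
    flat=$(flatten_like_ssh fetch 'report 2014.log')
    set -f; after=$(count_args $flat); set +f
    rc=0; check_command "$flat" || rc=$?
    echo "argv before=$before after=$after flat=[$flat] check=$rc"
}
demo
```

The demo shows the two-argument command arriving as three words, which the allowlist then refuses: a file name containing a space cannot be expressed through SSH_ORIGINAL_COMMAND without the escaped variant the report asks for.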


[Bug 2242] add DisableBanner option to the ssh client command

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2242

--- Comment #3 from huieying@oracle.com ---
Thank you for the evaluation.



[Bug 1323] ssh-add: add an option to disable passphrase querying (batch mode)

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1323

Vincent Lefevre changed:

What       |Removed   |Added
----------------------------------------
CC         |          |vincent-open...@vinc17.net

--- Comment #2 from Vincent Lefevre ---
(In reply to Damien Miller from comment #1)
> ssh-add < /dev/null ?

The "< /dev/null" has no effect when $DISPLAY is NOT set:

$ env -u DISPLAY ssh-add < /dev/null
Enter passphrase for /home/vinc17/.ssh/id_rsa:

while it avoids that when DISPLAY is set:

$ ssh-add < /dev/null
ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory

BTW, I don't know why I get such an error instead of a silent failure
(note that $SSH_ASKPASS is not set). "ssh_askpass" is not documented in
the ssh-add man page.

My machine is under Debian/unstable, with OpenSSH_6.6.1p1.



[Bug 2226] Bugs intended to be fixed in 6.7

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2226
Bug 2226 depends on bug 1977, which changed state.

Bug 1977 Summary: ProxyCommand seems to no execute shell commands
https://bugzilla.mindrot.org/show_bug.cgi?id=1977

What       |Removed   |Added
----------------------------------------
Status     |NEW       |RESOLVED
Resolution |---       |FIXED



[Bug 1977] ProxyCommand seems to no execute shell commands

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1977

Damien Miller changed:

What       |Removed   |Added
----------------------------------------
Resolution |---       |FIXED
Status     |NEW       |RESOLVED

--- Comment #11 from Damien Miller ---
I've updated the ssh_config.5 manual page to indicate that the process
is invoked via "exec".



[Bug 2106] When TZ isn't explicitly set ls can give different time stamps

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2106

Damien Miller changed:

What       |Removed   |Added
----------------------------------------
Blocks     |2226      |

--- Comment #10 from Damien Miller ---
remove target until someone who can replicate this tests the fine
patch.



[Bug 2226] Bugs intended to be fixed in 6.7

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2226

Damien Miller changed:

What       |Removed   |Added
----------------------------------------
Depends on |2106      |



[Bug 1323] ssh-add: add an option to disable passphrase querying (batch mode)

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1323

Damien Miller changed:

What       |Removed   |Added
----------------------------------------
CC         |          |d...@mindrot.org

--- Comment #1 from Damien Miller ---
ssh-add < /dev/null ?



[Bug 1544] ssh-keygen -l on known_hosts file does not display hostnames for lines with comments

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1544

Damien Miller changed:

What       |Removed   |Added
----------------------------------------
Blocks     |2226      |

--- Comment #23 from Damien Miller ---
Remove from 6.7 blocker list. I'm not yet sure how to do this
reliably.



[Bug 2226] Bugs intended to be fixed in 6.7

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2226

Damien Miller changed:

What       |Removed   |Added
----------------------------------------
Depends on |1319      |



[Bug 2226] Bugs intended to be fixed in 6.7

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2226

Damien Miller changed:

What       |Removed   |Added
----------------------------------------
Depends on |1544      |



[Bug 1319] ssh-keygen does not properly handle multiple keys

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=1319

Damien Miller changed:

What       |Removed   |Added
----------------------------------------
Blocks     |2226      |

--- Comment #18 from Damien Miller ---
Remove from 6.7 blocker list. I'm not yet sure how to do this
reliably.



[Bug 2226] Bugs intended to be fixed in 6.7

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2226

Damien Miller changed:

What       |Removed   |Added
----------------------------------------
Depends on |          |2081



[Bug 2081] extend the parameters to the AuthorizedKeysCommand

2014-07-07 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2081

Damien Miller changed:

What       |Removed   |Added
----------------------------------------
Blocks     |          |2226

--- Comment #15 from Damien Miller ---
put this on the todo list for openssh-6.7
