On Sun, 2017-08-13 at 11:25 +1000, Adam Eijdenberg
wrote:> On Fri, Aug 11, 2017 at 2:05 PM Ben Lindstrom <mouring at offwriting.org
> > wrote:
> > Why would they not do: ssh -p 22 -- hostname cmd to run
> >
> > That would ensure that no more parsed options happen. Seems much
> > more
> > sane idea than the hack they put in.
>
> Thanks Ben and Jakub for your replies. While I've seen `--` used from
> time to time, I didn't realize it's significance, that `--` is a
> POSIX
> convention to indicate no more option parsing, so I'm glad I asked as
> I've now learned something (how to avoid a new class of "option
> injection" attack that I haven't seen referenced before).
>
> I agree that would have been a better fix for them - apparently they
> had compatibility reasons for not doing so.
Well, sounds like a hack, but any hostname according to RFC 952 and RFC
1123 can not start with dash.
Only problem can be if you would define some host alias in ssh_config.
But in that case, you would already need to use -- in front of it in
all your scripts/invocations.
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.