On 5/2/2022 9:05 PM, Christoph Anton Mitterer wrote:
> Can you guys imagine to extend ssh, so that when output is connected to
> a terminal, it filters escape sequences (to a varying degree, depending
> on some configuration setting)?

Fundamentally, you're asking for a firewall for your terminal because you can't / won't run a secure client. Feel free to write one, but it neither should nor needs to be part of OpenSSH. It's just a PTY/TTY proxy, and would work just fine as a stand-alone app. If you really want to integrate it, a better target would be something like screen or tmux, so it protects against all malicious terminal apps.

-- 
Carson
On 5/2/22 15:59, Carson Gaspar wrote:
> On 5/2/2022 9:05 PM, Christoph Anton Mitterer wrote:
>> Can you guys imagine to extend ssh, so that when output is connected to
>> a terminal, it filters escape sequences (to a varying degree, depending
>> on some configuration setting)?
>
> Fundamentally, you're asking for a firewall for your terminal because
> you can't / won't run a secure client. Feel free to write one, but it
> neither should nor needs to be part of OpenSSH. It's just a PTY/TTY
> proxy, and would work just fine as a stand-alone app. If you really want
> to integrate it, a better target would be something like screen or tmux,
> so it protects against all malicious terminal apps.

tmux to be specific; I believe screen is unmaintained.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
On Mon, 2022-05-02 at 21:59 +0200, Carson Gaspar wrote:
> Fundamentally, you're asking for a firewall for your terminal because
> you can't / won't run a secure client.

I guess so ^^ ... but I haven't said whether or not I personally use tmux - but I guess many people using ssh don't.

The main goal here should be to protect the average user, who has likely no idea about possible subtle security issues with terminal escape sequences.

> but it
> neither should nor needs to be part of OpenSSH. It's just a PTY/TTY
> proxy, and would work just fine as a stand-alone app.

Well, ssh is the client that would actually "introduce" any unsafe escape sequences to the system. So it seems very well to be the appropriate location where such filtering would be done, just to make sure that it is.

You also don't implement a firewall in the browser, the mail user agent, etc. - you implement one centrally at the OS level.

> If you really want
> to integrate it, a better target would be something like screen or
> tmux,
> so it protects against all malicious terminal apps.

tmux ain't a firewall either. And there may be many valid use cases (tmux without any remote terminals) where people may want such escape sequences like OSC52 going through.

IMO it's typically the "from remote" property that makes things really critical.

Cheers,
Chris.
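To make concrete what the "PTY/TTY proxy" from Carson's reply and the OSC52 concern from Chris's reply would amount to, here is an added example (not code from the thread, OpenSSH or tmux): an incremental filter over the bytes flowing from the remote side to the local terminal that passes text and CSI sequences (colours, cursor movement), drops OSC 52 by default, and can be switched to drop every OSC. The class and method names, the default block list and the 4096-byte bound on unterminated sequences are this example's own choices.

```python
import re

# String sequences: ESC + introducer + payload + ST (ESC \); OSC may also end with BEL.
# They carry arbitrary payloads (OSC 52 writes the clipboard), so they are policy-filtered.
STRING_INTRODUCERS = {0x50, 0x5D, 0x5E, 0x5F}  # DCS, OSC, PM, APC

class EscapeFilter:
    def __init__(self, blocked_osc=(52,), drop_all_osc=False):
        self.blocked_osc = set(blocked_osc)  # OSC numbers dropped by default (assumed policy)
        self.drop_all_osc = drop_all_osc     # stricter policy: drop every OSC
        self.pending = b""                   # partial sequence carried between reads

    def feed(self, data):
        """Return the filtered bytes for one read; incomplete sequences wait for more input."""
        buf, out, i = self.pending + data, bytearray(), 0
        while i < len(buf):
            j = buf.find(b"\x1b", i)
            if j < 0: out += buf[i:]; i = len(buf); break   # no ESC left: text passes
            out += buf[i:j]
            if j + 1 >= len(buf): i = j; break              # lone ESC: wait for more
            kind = buf[j + 1]
            if kind == 0x5B:                 # CSI: params/intermediates, then final byte
                k = j + 2
                while k < len(buf) and 0x20 <= buf[k] <= 0x3F:
                    k += 1
                if k >= len(buf): i = j; break
                out += buf[j:k + 1]; i = k + 1   # SGR colours, cursor moves etc. pass
            elif kind in STRING_INTRODUCERS:
                end, tlen = self._string_end(buf, j + 2, allow_bel=(kind == 0x5D))
                if end < 0: i = j; break
                seq = buf[j:end + tlen]
                if self._allowed(kind, seq):
                    out += seq
                i = end + tlen
            else:                            # other two-byte ESC sequences pass
                out += buf[j:j + 2]; i = j + 2
        self.pending = buf[i:] if len(buf) - i <= 4096 else b""  # bound unterminated strings
        return bytes(out)

    @staticmethod
    def _string_end(buf, start, allow_bel):
        st = buf.find(b"\x1b\\", start)
        bel = buf.find(b"\x07", start) if allow_bel else -1
        ends = [(p, n) for p, n in ((st, 2), (bel, 1)) if p >= 0]
        return min(ends) if ends else (-1, 0)

    def _allowed(self, kind, seq):
        if kind != 0x5D or self.drop_all_osc:    # DCS/PM/APC are always dropped
            return False
        num = re.match(rb"\x1b\](\d*)", seq).group(1)
        return (int(num) if num else -1) not in self.blocked_osc
```

A sequence split across two reads (a common case on a PTY) is held in `pending` and judged only once its terminator arrives, so the filter cannot be bypassed by fragmenting the OSC.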