Displaying 20 results from an estimated 800 matches similar to: "command [argument ...] in ssh(1): a footgun"
2023 May 26
1
command [argument ...] in ssh(1): a footgun
Hi,
ssh(1) currently affords an argument-passing functionality, but as the
manpage states, all arguments are simply concatenated by space. This
behavior is non-obvious for those reading only the synopsis: one would
expect something that takes argv input to somehow preserve the argument
boundary and not, say, let a semicolon ruin all the fun. This is
probably old news for all of you.
I have
2023 May 26
1
command [argument ...] in ssh(1): a footgun
On Fri, 26 May 2023, Mingye Wang (Artoria2e5) wrote:
> ssh(1) currently affords an argument-passing functionality, but as the manpage
> states, all arguments are simply concatenated by space.
How else would it do that? The arguments are processed by the
shell first then passed as an array of NUL-terminated strings.
> The modest proposal is that we put a giant CAVEATS section in the
2023 May 27
2
command [argument ...] in ssh(1): a footgun
On Sat, May 27, 2023 at 12:08:43AM +0200, Thorsten Glaser <t.glaser at tarent.de> wrote:
> On Fri, 26 May 2023, Mingye Wang (Artoria2e5) wrote:
>
> > ssh(1) currently affords an argument-passing functionality, but as the manpage
> > states, all arguments are simply concatenated by space.
>
> How else would it do that? The arguments are processed by the
> shell
2023 May 27
1
command [argument ...] in ssh(1): a footgun
On 27/05/2023 01:45, Thorsten Glaser wrote:
>> ssh user at host "ls -l a\ b"
> This one, incidentally, sends 'ls -l a b' to the remote shell.
> ssh user at host "ls -l a\\ b"
> has the effect you want; the first backslash is eaten by the
> local shell.
>
Or is it?
$ echo "ls -l a\ b"
ls -l a\ b
$
This is with bash 5.2.15. From the
2023 May 28
1
command [argument ...] in ssh(1): a footgun
On Sat, May 27, 2023 at 02:45:34AM +0200, Thorsten Glaser <t.glaser at tarent.de> wrote:
> On Sat, 27 May 2023, raf wrote:
>
> >So, perhaps this could be added to the existing
> >sentence/paragraph:
> >
> > "so any spaces in individual arguments must be
>
> Must they? No, a single space will do just fine.
They do if you want the receiving shell
2023 May 27
2
command [argument ...] in ssh(1): a footgun
On Sat, 27 May 2023, raf wrote:
>So, perhaps this could be added to the existing
>sentence/paragraph:
>
> "so any spaces in individual arguments must be
Must they? No, a single space will do just fine.
> quoted using the syntax of the destination
> user's login shell".
? keeping in mind the source shell?s quoting as well.
>If an example were needed,
2023 Mar 30
1
ChaCha20 Rekey Frequency
On Wed, 29 Mar 2023, Thorsten Glaser wrote:
> Hi Damien,
>
> >This is what I'm playing with at the moment:
>
> if you?re playing with this currently anyway, shouldn?t?
>
> >+ /*
> >+ * Otherwise, use the RFC4344 s3.2 recommendation of 2**(L/4) blocks
> >+ * before rekeying where L is the blocksize in bits.
> >+ * Most other ciphers have a 128
2023 Aug 06
1
Packet Timing and Data Leaks
Damien Miller wrote:
> On Thu, 3 Aug 2023, Chris Rapier wrote:
>
>> Howdy all,
>>
>> So, one night over beers I was telling a friend how you could use the timing
>> between key presses on a type writer to extract information. Basically, you
>> make some assumptions about the person typing (touch typing at so many words
>> per second and then fuzzing the
2023 Sep 04
2
[patch] ssh-keygen(1): generate Ed25519 keys when invoked without arguments
On 9/4/23 16:43, Joseph S. Testa II wrote:
> I very often see IT personnel and developers simply use the default
> options for ssh-keygen. They just don't care/don't know to care.
> Switching the default to ED25519 would bring the equivalent security
> up from 112-bits to 128-bits (as 2048-bit RSA is equivalent to 112-bits
> of symmetric strength), which would be a nice
2023 Feb 26
1
ssh host keys on cloned virtual machines
On Fri, 24 Feb 2023, Keine Eile wrote:
> does any one of you have a best practice on renewing ssh host keys on cloned
> machines?
Yes: not cloning machines.
There?s too many things to take care of for these. The VM UUID in
libvirt. The systemd machine ID. SSH hostkey and SSL private key.
The RNG seed. The various places where the hostname is written to
during software installation. The
2023 Aug 10
4
RT/Linux SCHED_RR/_FIXED to combat latency?
Good morning!
We're experiencing rather very bad latency spikes on busy Linux
systems, for example if one machine is the jumphost (ssh -J) for a few
hundred connections, while at the same time handles CPU intensive
tasks.
Would RT/Linux SCHED_FIXED or SCHED_RR be of help in such a case, e.g.
put all ssh processes into the SCHED_FIXED scheduling class, with a
priority higher than the
2023 Feb 24
3
ssh host keys on cloned virtual machines
Hi list members,
does any one of you have a best practice on renewing ssh host keys on cloned machines?
I have a customer who never thought about that, while cloning all VMs from one template. Now all machines have the exact same host key.
My approach would be to store a machines MAC address(es). Then when starting the sshd.service, check if this MAC has changed. If so, remove all host keys, let
2023 May 29
1
command [argument ...] in ssh(1): a footgun
On Mon, May 29, 2023 at 06:35:34PM +0000, Peter Stuge <peter at stuge.se> wrote:
> raf wrote:
> > Not knowing the details of each user's login shell is
> > precisely the reason that ssh couldn't ever do the
> > quoting itself.
>
> The footgun is unrelated to shells.
>
> The SSH_MSG_CHANNEL_REQUEST protocol message for "exec" (RFC 4254)
2023 Feb 28
1
ssh host keys on cloned virtual machines
On Sun, Feb 26, 2023 at 2:51?PM Thorsten Glaser <t.glaser at tarent.de> wrote:
>
> On Fri, 24 Feb 2023, Keine Eile wrote:
>
> > does any one of you have a best practice on renewing ssh host keys on cloned
> > machines?
>
> Yes: not cloning machines.
Good luck with *that*. Building VM's from media is a far, far too
lengthy process for production deployment,
2020 Aug 03
6
Deprecation of scp protocol and improving sftp client
I conjecture that only few of the existing use cases rely on remote expansion.
In any case (no pun intended), IMHO it would be better to break a few of the current use cases but leave the majority functional - than kill scp for all.
Regards,
Uri
> On Aug 3, 2020, at 02:50, Jakub Jelen <jjelen at redhat.com> wrote:
>
> ?On Sat, 2020-08-01 at 00:17 +0000, Blumenthal, Uri - 0553
2014 Dec 03
4
vesamenu back to text before booting
On Tue, 2 Dec 2014, H. Peter Anvin wrote:
> This is the default unless the "quiet" option is set.
Hmm.
tglaser at luna:/srv/tftp $ fgrep -ri quiet .
Binary file ./hdt.c32 matches
Binary file ./ldlinux.c32 matches
Binary file ./vmlinuz matches
Binary file ./linux.c32 matches
Binary file ./debian-installer/jessie/amd64/linux matches
Binary file ./debian-installer/jessie/i386/linux
2023 Mar 29
2
ChaCha20 Rekey Frequency
On Wed, 29 Mar 2023, Chris Rapier wrote:
> I was wondering if there was something specific to the internal chacha20
> cipher as opposed to OpenSSL implementation.
>
> I can't just change the block size because it breaks compatibility. I can do
> something like as a hack (though it would probably be better to do it with the
> compat function):
>
> if
2014 Dec 02
2
vesamenu back to text before booting
Hi,
I still have the question: when I have an environment that uses
vesamenu, for example on PXE, how do I configure it so that, for
some of the menu entries, it switches back to the text mode (03h)
before handing off to the next bootloader / kernel?
Thanks,
//mirabilos
--
tarent solutions GmbH
Rochusstra?e 2-4, D-53123 Bonn ? http://www.tarent.de/
Tel: +49 228 54881-393 ? Fax: +49 228
2015 Jan 21
2
PXE Error Reporting
On Wed, 21 Jan 2015, Andreas Gruenbacher wrote:
> Not really. As a security requirement, if this even really is anyone's
> security requirement, this is pointless -- the ErrCode is set to 0 ("Not
Still, requirements like this d?o? exist in the real world,
dismissing them is a, I quote, stupid idea. I?d suggest
to please wake up.
bye,
//mirabilos (not speaking for his employer
2020 Jan 12
2
Why are the arguments supplied for the command run through ssh interpreted by shell before they are passed to the command on the server side?
On Sun, 12 Jan 2020, Yuri wrote:
> This was English, not German, BTW.
For some values of English, perhaps.
> You would lose the ability to redirect I/O in an immediate way, but you would
> always be able to run a shell command like "/bin/sh" "-c" "any-command | tee
> cmd.log | process-further" which would regain the ability to do everything
> that a