So apparently OpenSSH accepts but ignores --, i.e. it still parses options after the --...
It's probably not an issue, any trailing space characters would be removed by proper hostname sanitization before arg parsing happens again.
Consider usage case where user controls command sent to server & has permissions to exec arbitrary stuff on server but not on client.
ssh's ignoring the -- allows them to specify a remote command string that actually causes code exec on the client.
Might be an unusual/unlikely situation but shows violation of principle of least surprise in a way that compromises expected security props.