So apparently OpenSSH accepts but ignores --, i.e. it still parses options after the --...
Replying to @canadianbryan @RichFelker
$ ssh -V --
OpenSSH_7.5, LibreSSL 2.6.0
$ ssh -- -V
ssh: Could not resolve hostname -v: no address associated with name
Replying to @canadianbryan @RichFelker
I didn't think getopt semantics were so unknown
Replying to @dlgwynne @canadianbryan
For some reason they're not being honored on the Linux OpenSSH builds several of us have tested just now...
OpenSSH accepts options after the hostname for legacy reasons, so you might be seeing that.
But it should not do that if -- was used. If it does, that's a bug.
It's probably not an issue, any trailing space characters would be removed by proper hostname sanitization before arg parsing happens again.
Consider usage case where user controls command sent to server & has permissions to exec arbitrary stuff on server but not on client.
Replying to @RichFelker @canadianbryan and
ssh's ignoring the -- allows them to specify a remote command string that actually causes code exec on the client.
Might be an unusual/unlikely situation but shows violation of principle of least surprise in a way that compromises expected security props.