https://bugzilla.mindrot.org/show_bug.cgi?id=2283
Bug ID: 2283
Summary: option to execute command without shell
Product: Portable OpenSSH
Version: 6.6p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: [email protected]
Reporter: [email protected]
ssh has always been confusing when it comes to quoting because it runs
commands on the remote side with the system shell. It would be nice if
there were a mode where commands could be run using fork()+exec() or
similar, without invoking the shell. This would help avoid quoting
confusion, shell metacharacter attacks and things like shellshock.
This appears to require a protocol extension to work since RFC 4254
specifies just a string to be passed with exec:
https://tools.ietf.org/html/rfc4254#section-6.5
There could be:
A client-side option to turn it on.
A server-side option (sshd_config, authorized_keys) to allow it.
A server-side option (sshd_config, authorized_keys) to disallow
in-shell commands and interactive shells.
A way to pass the original command requested by the user to the forced
command that uses NUL characters to separate arguments instead of
spaces. Maybe ORIGINAL_SSH_COMMAND_N environment variables would be the
way to do it.
--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
