Re: OpenSSH and -current out-of-tree patched for ~C?

2022-11-30 Thread Andy Bradford
Thus said Theo de Raadt on Wed, 30 Nov 2022 19:44:09 -0700:
> It makes ssh safer for people who don't use the fancy features,
> because the ssh client cannot perform a vast number of system calls if
> it gets fooled.
Got it, makes sense now; and as you say my understanding was backwards.

Re: OpenSSH and -current out-of-tree patched for ~C?

2022-11-30 Thread Damien Miller
On Wed, 30 Nov 2022, Theo de Raadt wrote:
> >> It allows a much tighter pledge in the client, so less attack surface
> >> against a bad server.
> >
> >So it's to prevent a malicious SSH server from exploiting a client who
> >chooses to use ~C to open up the ssh> prompt and create or destro

Re: OpenSSH and -current out-of-tree patched for ~C?

2022-11-30 Thread Theo de Raadt
>> It allows a much tighter pledge in the client, so less attack surface
>> against a bad server.
>
>So it's to prevent a malicious SSH server from exploiting a client who
>chooses to use ~C to open up the ssh> prompt and create or destroy
>tunnels?
No. It makes ssh safer for people who

Re: OpenSSH and -current out-of-tree patched for ~C?

2022-11-30 Thread Andy Bradford
Thus said Stuart Henderson on Wed, 30 Nov 2022 16:13:36 +:
> It allows a much tighter pledge in the client, so less attack surface
> against a bad server.
So it's to prevent a malicious SSH server from exploiting a client who chooses to use ~C to open up the ssh> prompt and create or

Re: OpenSSH and -current out-of-tree patched for ~C?

2022-11-30 Thread Stuart Henderson
On 2022/11/30 08:53, Andy Bradford wrote:
> Thus said "Theo de Raadt" on Wed, 23 Nov 2022 18:56:21 -0700:
>
> > A new "enablecommandline" configuration option re-enables those
> > particular features, and the diff later on will show why we feel these
> > features should be optional.
>
> Gl

Re: OpenSSH and -current out-of-tree patched for ~C?

2022-11-30 Thread Andy Bradford
Thus said "Theo de Raadt" on Wed, 23 Nov 2022 18:56:21 -0700:
> A new "enablecommandline" configuration option re-enables those
> particular features, and the diff later on will show why we feel these
> features should be optional.
Glad that the option is being retained as optional bu

Re: OpenSSH and -current out-of-tree patched for ~C?

2022-11-23 Thread Theo de Raadt
> I noticed that ~C stopped working in my -current, from last Saturday,
> holding the message "commandline disabled". The rest of the ~-escapes
> work tho, and ~C is no longer present in ~?. Went to check the code,
> currently sitting on Git commit e0b284df3ba7772329d85f200545e3bc5a84d54e
> only to

OpenSSH and -current out-of-tree patched for ~C?

2022-11-23 Thread Lucas
Hi tech@,
I noticed that ~C stopped working in my -current, from last Saturday, holding the message "commandline disabled". The rest of the ~-escapes work tho, and ~C is no longer present in ~?. Went to check the code, currently sitting on Git commit e0b284df3ba7772329d85f200545e3bc5a84d54e only t