| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Jan 2018 21:35:16 -0800
From: Jonathan Nieder <jrnieder@...il.com>
To: Bryan Turner <bturner@...assian.com>
Cc: Junio C Hamano <gitster@...ox.com>,
Brandon Williams <bmwill@...gle.com>,
Ben Humphreys <behumphreys@...assian.com>,
Git Users <git@...r.kernel.org>,
Linux Kernel <linux-kernel@...r.kernel.org>,
git-packagers@...glegroups.com
Subject: Re: [ANNOUNCE] Git v2.16.0-rc0
Hi,
A few more notes.
Bryan Turner wrote:
> bturner@...ntu:~$ ssh -V
> OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8, OpenSSL 1.0.1f 6 Jan 2014
>
> bturner@...ntu:~$ ssh -G -p 7999 localhost
> unknown option -- G
> usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[...]
> Is it possible to adjust the check, somehow, so it doesn't impact
> older OpenSSH versions like this? As it stands, it seems likely a fair
> number of users who have an SSH command that does support -4, -6 and
> -p are going to end up getting "penalized" because it doesn't also
> support -G, and have to manually set their SSH variant to "ssh" (or
> something other than "auto") to avoid the automatic detection.
>
> I'd love to say I have a brilliant idea for how to work around this,
> oh and here's a patch, but I don't. One option might be trying to
> actually review the output, and another might be to run "ssh -V", but
> both of those have their own flaws (and the extra process forks aren't
> "free").
I have tomorrow off, so I've filed https://crbug.com/git/7 to make
sure I remember to follow up the day after. Of course I'll be happy
if someone updates that bug saying they've fixed it in the meantime.
One possibility would be to use -V as a fallback when -G fails, or
even as a replacement for this usage of -G. To avoid misdetecting
PuTTY and other ssh variants that also implement -V as OpenSSH, we
would have to parse the output. This would also misdetect a script
that does
host=$1; shift
ssh "$host" -- "$@"
as supporting OpenSSH options, when the use of -- ensures it doesn't.
Another possibility is to parse the output when -G fails. That's
hacky, but I think it would work well! We would not have to be too
clever, since we can look for the exact output produced by the
versions of OpenSSH that we care about. This still has issues with
scripts that forward arguments to OpenSSH, but at least those issues
would go away once the user updates their copy of ssh. ;-)
Another possibility is to pass options *before* -V:
ssh -p 7999 -V
Since OpenSSH parses its arguments left-to-right, this gives similar
information to what we did with -G, and scripts like
host=$1; shift
ssh "$host" -- "$@"
would even be correctly detected as not supporting OpenSSH options.
We still would need to parse the output to distinguish OpenSSH from
other ssh implementations like putty (unlike OpenSSH, putty saves up
argument errors in an 'error' variable and forgets about them once it
sees -V).
Trying -G and falling back to -V seems like the simplest detection
mechanism to me at the moment. I'm hoping I'm missing something
simple (another ssh option?) that allows avoiding this mess.
Regardless, I think we should do something like [1] first to get rid
of the regression. Thanks again for reporting it.
Sincerely,
Jonathan
[1] https://public-inbox.org/git/20180103050730.GA87855@aiede.mtv.corp.google.com/
Powered by blists - more mailing lists