rentzsch.com: ssh:// Protocol Handler, Updated

ssh:// Protocol Handler, Updated

Security Update 2004-06-07 maimed my original ssh:// protocol handler trick.

Specifically, it seems all arguments to the ssh:// and telnet:// protocol handlers are stripped. While there was never an ssh-specific threat, this seems to be a case of generalized protection against the telnet:// vulnerability.

Fortunately, the work-around is simple. Instead of specifying your login name via the -l option, encode it like so: ssh://<account>@<host>. Thus my prior entry's example would become ssh://wolf@localhost.

It no longer seems possible to specify arbitrary commands to execute (upon successful ssh login), from a stock ssh:// url. Turns out that I never used it anyway, and perhaps now Stefan can breath a little easier...

Saturday, June 19, 2004
01:01 AM

Overview

Focus of this site
Contact Me
Topics
RSS Feed
Linkblog
Twitter

Most Popular

•	C4[1] Videos Available
•	PSIG 117 in August
•	C4[2]: Sep 5-7 2008
•	PSIG 112: Thu Feb 7 2008
•	PSIG 113: Thu Mar 6 2008
•	mogenerator v1.10
•	PSIG 114: Thu Apr 3 2008
•	PSIG 115: Thu May 1 2008
•	apple's antiCAPSLOCK
•	PSIG 111: Thu Jan 3 2008
•	PSIG 116: Thu Jun 5 2008
•	Programmers Don't Like to Code
•	Intel-based Mac Boot Incompatibility
•	iPhone vs. Treo
•	Google Cache Hacking

Recently Updated

Sat, Jun 07:	C4[2]: Sep 5-7 2008
Tue, Jun 03:	Programming Special Interest Group
Tue, May 27:	Focus of this Site
Wed, Apr 30:	PSIG 115: Thu May 1 2008
Sat, Mar 29:	C4[1] Videos Available

Weblogs I Read

Andy Finnell
Bill Bumgarner
Brent Simmons
Daniel Jalkut
Dave Dribin
Eric Albert
Eric Rescorla
Eric Sink
Greg Miller
Gus Mueller
Jeremy Zawodny
John Gruber
Mark Dalrymple
Michael Tsai
Peter Ammon
Raymond Chen
Ryan Wilcox
Scott Stevenson
Steven Frank
The Daily WTF
we hates software
Wil Shipley