Douglas, please cite the CVE when discussing vulnerabilities:

    https://security-tracker.debian.org/tracker/CVE-2014-7169

Russell Coker <[email protected]> writes:

> ssh root@localhost "() { :;} ; touch /tmp/ohno" is a test I wrote for
> ssh where ~root/.ssh/authorized_keys [has] "command=" option (which
> sets the original command to the SSH_ORIGINAL_COMMAND variable).

Ah, thanks, I had suspected this but not bothered to check it yet.

If the account's login shell isn't bash, and the forced command doesn't
ever create a bash process (e.g. rrsync [sic]), it should still be OK.
(AFAICT)

_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
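
The condition described in the message above, as an added example that is not part of the original email: a Python sketch that reads passwd(5) text and authorized_keys text and reports, for each `command=` entry, whether the account's login shell is bash (sshd runs a forced command through the login shell, with SSH_ORIGINAL_COMMAND in its environment) or the command line itself names bash. The function names, verdict strings and sample data are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

BASH_NAMES = {"bash", "rbash"}
# command="..." option in an authorized_keys line; \" may appear inside the value.
FORCED = re.compile(r'command="((?:\\.|[^"\\])*)"')

def login_shells(passwd_text):
    """Map user -> login shell from passwd(5) text (empty field means /bin/sh)."""
    shells = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            shells[fields[0]] = fields[6] or "/bin/sh"
    return shells

def forced_commands(keys_text):
    """Return the forced command of every key line that has one."""
    lines = (l.strip() for l in keys_text.splitlines())
    hits = (FORCED.search(l) for l in lines if l and not l.startswith("#"))
    return [m.group(1).replace('\\"', '"') for m in hits if m]

def audit(passwd_text, keys_by_user):
    """Return a list of (user, command, verdict), one per forced command."""
    shells = login_shells(passwd_text)
    findings = []
    for user, keys_text in keys_by_user.items():
        shell_name = PurePosixPath(shells.get(user, "")).name
        for cmd in forced_commands(keys_text):
            words = re.findall(r'[^\s"\']+', cmd)   # rough tokenisation
            if shell_name in BASH_NAMES:
                verdict = "login-shell-is-bash"
            elif {PurePosixPath(w).name for w in words} & BASH_NAMES:
                verdict = "command-names-bash"
            else:
                # Not proof of safety: a script or system() call may still start bash.
                verdict = "no-bash-seen"
            findings.append((user, cmd, verdict))
    return findings

# Constructed sample data (not from any real host).
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "backup:x:34:34::/var/backups:/bin/dash\n"
          "git:x:1001:1001::/home/git:/bin/dash\n")
KEYS = {
    "root": 'command="/usr/local/bin/rrsync /srv",no-pty ssh-ed25519 AAAAEXAMPLE a\n',
    "backup": 'command="/usr/local/bin/rrsync -ro /var/backups" ssh-ed25519 AAAAEXAMPLE b\n',
    "git": 'command="/bin/bash /home/git/hook.sh" ssh-ed25519 AAAAEXAMPLE c\n',
}
```

A "no-bash-seen" verdict only means nothing in the passwd entry or the command line names bash; the forced command's interpreter line and anything it spawns still need checking by hand.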
