IETF-SSH archive


Re: latest drafts



der Mouse <mouse%Rodents.Montreal.QC.CA@localhost> writes:

> >> userauth-27 says, of SSH_MSG_USERAUTH_BANNER messages, that "[t]he
> >> message may consist of multiple lines", but gives no indication how
> >> line breaks are to be encoded.
> > Suggestions from anyone?
> 
> I'd argue for CRLF line breaks, largely for the sake of uniformity.

I'd agree with this. I believe all places elsewhere in the protocol
where line breaks are specified, it's CRLF. (Although I haven't made
any full search for such places).

> I'd prefer to see it as a general security consideration, since it
> applies anywhere where an implementation may try to print a string
> received from the peer, and that's lots of places.

Except when channel data is directed to the terminal, in particular if
the channel is a session channel on which a pty request succeeded
(this is the common case where the client puts the local terminal into
raw mode, and wants to have it controlled by the remote end).

One might consider control character filtering on channels that (i)
are directed to a terminal, and (ii) for which the client hasn't
requested a pty. But I doubt it's a good idea. It will be confusing if
"ssh host echo-some-control-chars" and "ssh host
echo-some-control-chars | cat" give different results, just because
in the first case the stdout is a terminal, and in the second it
isn't.

/Niels
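
Added example, not part of the original message or of any SSH implementation: a client-side filter for a multi-line string received from the peer (such as an SSH_MSG_USERAUTH_BANNER message) that splits on CRLF and escapes control characters before printing. The function names, the UTF-8 decoding, the tolerance for a bare LF, and passing TAB through are assumptions of this sketch; channel data on a pty session, which the reply above excludes, is not handled here.

```python
import unicodedata
from typing import List

# Hypothetical helper: TAB is let through as harmless (assumption of this sketch).
_ALLOWED = {"\t"}


def _visible(ch: str) -> str:
    """Return ch unchanged, or a printable escape if it could drive the terminal."""
    # Cc = C0 controls (ESC, bare CR, BEL...), DEL and C1 controls (0x9b CSI...).
    # Cf = invisible format characters such as bidirectional overrides.
    if ch not in _ALLOWED and unicodedata.category(ch) in ("Cc", "Cf"):
        code = ord(ch)
        return "\\x%02x" % code if code < 0x100 else "\\u%04x" % code
    return ch


def sanitize_peer_text(raw: bytes) -> List[str]:
    """Split a peer-supplied message into display-safe lines."""
    # Undecodable bytes become U+FFFD instead of raising on hostile input.
    text = raw.decode("utf-8", errors="replace")
    # CRLF is the line break argued for in the thread; a bare LF is also
    # accepted as a break (assumption). A bare CR is NOT a break: it stays
    # in the line and is escaped, so it cannot overwrite earlier text.
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty piece after a trailing line break
    return ["".join(_visible(c) for c in line) for line in lines]


if __name__ == "__main__":
    # Constructed sample banner: a clear-screen sequence and a CR overwrite.
    sample = b"Welcome\r\n\x1b[2Jcleared\r\nuser\rroot\r\n"
    for line in sanitize_peer_text(sample):
        print(line)
```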


