Re: should "want reply" responses be checked or ignored?

[Simon Tatham <anakin%pobox.com@localhost>]

> From <http://tools.ietf.org/html/rfc4254#section-6.5>:
>>   It is RECOMMENDED that the reply to these messages be requested and
>>   checked.  The client SHOULD ignore these messages.

Jim Wigginton  <terrafrost%gmail.com@localhost> wrote:
> Recommending SSH_MSG_CHANNEL_REQUEST responses be checked and then
> saying, later, that they should be ignored, seems a little
> contradictory.  If you ignore them, you're not checking them, and if
> you check them, you're not ignoring them.

I think you've misparsed. In both those sentences, "these messages"
denote the SSH_MSG_CHANNEL_REQUESTs themselves, not the responses.

Thus, the first sentence says that when the client sends the
SSH_MSG_CHANNEL_REQUEST that starts a shell or command or subsystem,
it is RECOMMENDED that they set the want_reply flag and check the
reply (since the alternative is to fail to notice when the server
was unable to start the requested process).

The second sentence says that if the _server_ should ever send the
_client_ an SSH_MSG_CHANNEL_REQUEST that asks to start a shell or
command or subsystem, the client should ignore it! (Probably most
relevant to people who are writing both a client and server
implementation which share code, in which one might accidentally
leave in the code that responds to requests and end up with the
client able to respond to all sorts of inappropriate requests if a
malicious server should take it into its head to send them.)
-- 
Simon Tatham         "A cynic is a person who smells flowers and
<anakin%pobox.com@localhost>    immediately looks around for a coffin."