IETF-SSH archive


Re: tunneling and exec channel request support for SSH URIs



Jeffrey Hutzelman <jhutz%cmu.edu@localhost> writes:

> --On Wednesday, April 14, 2010 11:04:26 AM +0100 Simon Tatham
> <anakin%pobox.com@localhost> wrote:

>> The real danger is URIs which combine a specific command with the
>> user's _personal_ credentials.

> Yes, I think that's closer to the mark.  On the other hand, I do think
> it should be possible to write a URI that refers to an SFTP service
> accessed using the user's credentials.

I think the relevant distinction is that we don't want URIs that
specify *destructive* operations using the user's credentials. Creating
an interactive shell is not destructive (unless the user's login shell
is set to something interesting), and reading a file over sftp also is
not.

But executing a command may or may not be destructive. And there's no
easy way to make the distinction (like GET vs POST in HTTP, if only
people were using them the right way...).

I haven't made up my mind on ssh URIs (and the topic is on the
periphery of my personal interests), but it seems the safest option is
to not have URIs specifying execution of commands at all.

Specifying a URI to start an arbitrary subsystem may still be ok. It is
different from executing a command, if we are willing to assume that
merely *starting* the subsystem does not imply any destructive
operations, just like for starting an interactive shell. To actually
*do* something using that subsystem should most likely use a separate URI
scheme.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
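The policy sketched in the message above (allow a URI to start a shell or a subsystem, refuse one that requests execution of a command) is easy to make concrete as a client-side check. The following is an added example, not code from this thread or from any SSH implementation; the query-parameter syntax it parses (`?subsystem=NAME`, `?exec=COMMAND`) is an assumption made for the example, not the syntax of any SSH URI draft.

```python
"""Classify an SSH-style URI by the kind of channel request it implies and
apply the policy from the thread: 'shell' and 'subsystem' starts are treated
as non-destructive and accepted; an 'exec' request is refused outright.

Assumed (hypothetical) URI conventions for this example:
  ssh://user@host/                  -> interactive shell
  ssh://user@host/?subsystem=sftp   -> start the named subsystem
  sftp://user@host/path             -> the sftp subsystem, by scheme
  ssh://user@host/?exec=COMMAND     -> exec channel request (refused)
"""
from urllib.parse import urlsplit, parse_qs

ALLOWED_SCHEMES = {"ssh", "sftp"}
NON_DESTRUCTIVE_KINDS = {"shell", "subsystem"}


def classify_ssh_uri(uri):
    """Return (kind, detail) with kind in {'shell', 'subsystem', 'exec'}.

    Raises ValueError for URIs this checker does not understand, so a
    caller cannot accidentally treat an unparsable URI as harmless.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("missing host in %r" % uri)

    # keep_blank_values so that a bare '?exec=' is still seen as an exec
    # request rather than silently dropped by the parser.
    params = parse_qs(parts.query, keep_blank_values=True)

    if "exec" in params:
        return ("exec", params["exec"][0])
    if parts.scheme == "sftp":
        return ("subsystem", "sftp")
    if "subsystem" in params:
        return ("subsystem", params["subsystem"][0])
    return ("shell", None)


def is_allowed(uri):
    """True only for URIs that merely start a shell or a subsystem.

    Anything that names a command to execute, or that the classifier
    does not understand, is refused: the safe default from the thread.
    """
    try:
        kind, _detail = classify_ssh_uri(uri)
    except ValueError:
        return False
    return kind in NON_DESTRUCTIVE_KINDS


if __name__ == "__main__":
    # Constructed sample URIs for demonstration.
    for sample in (
        "ssh://alice@host.example/",
        "sftp://alice@host.example/pub/readme.txt",
        "ssh://alice@host.example/?subsystem=sftp",
        "ssh://alice@host.example/?exec=uptime",
        "http://host.example/",
    ):
        print("%-45s allowed=%s" % (sample, is_allowed(sample)))
```

The check deliberately decides on the *kind* of channel request, not on the text of the command: as the message notes, there is no reliable way to tell a harmless command from a destructive one, so the only safe rule is to refuse exec requests as a class.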
