
26 Sep 2014, 3:21 a.m.
Douglas, please cite the CVE when discussing vulnerabilities:

https://security-tracker.debian.org/tracker/CVE-2014-7169

Russell Coker <russell@coker.com.au> writes:

> ssh root@localhost "() { :;} ; touch /tmp/ohno" is a test I wrote for ssh where ~root/.ssh/authorized_keys [has] "command=" option (which sets the original command to the SSH_ORIGINAL_COMMAND variable).

Ah, thanks, I had suspected this but not bothered to check it yet. If the account's login shell isn't bash, and the forced command doesn't ever create a bash process (e.g. rrsync [sic]), it should still be OK. (AFAICT)
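
An added example, not part of the original message: an audit sketch that finds `command=` entries in authorized_keys files and sorts them by the account's login shell, following the condition discussed above. The passwd and key data, account names and script paths are constructed, and the status labels are this example's own.

```python
import re

# Constructed sample data (not from the original message).
PASSWD = """root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/dash
git:x:1001:1001::/home/git:/bin/bash
"""
AUTHORIZED_KEYS = {
    "root": 'command="/usr/local/bin/backup.sh",no-pty ssh-rsa AAAAexample admin@example\n',
    "backup": '# nightly push\ncommand="rrsync /var/backups" ssh-ed25519 AAAAexample push@example\n',
    "git": 'ssh-rsa AAAAexample dev@example\n',
}

# First whitespace-delimited field of a key line, treating quoted strings as one unit.
FIRST_FIELD = re.compile(r'^((?:[^\s"]|"(?:\\.|[^"\\])*")+)')
# The command="..." option inside that field (option names are case-insensitive).
COMMAND = re.compile(r'(?:^|,)command="((?:\\.|[^"\\])*)"', re.IGNORECASE)
BASH_NAMES = {"bash", "rbash"}


def audit(passwd_text, keys_by_user):
    """Return (user, forced_command, status) for every command= key entry."""
    shells = {}
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 7:
            shells[fields[0]] = fields[6]
    findings = []
    for user, text in keys_by_user.items():
        shell_name = shells.get(user, "").rsplit("/", 1)[-1]
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            first = FIRST_FIELD.match(line)
            cmd = COMMAND.search(first.group(1)) if first else None
            if cmd is None:
                continue  # key without a forced command
            if shell_name in BASH_NAMES:
                # sshd runs the forced command through the login shell, so bash
                # starts with SSH_ORIGINAL_COMMAND in its environment.
                status = "login-shell-is-bash"
            else:
                # Safe only if the forced command never starts bash; /bin/sh
                # can itself be bash on some systems, so it lands here too.
                status = "review-forced-command"
            findings.append((user, cmd.group(1), status))
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD, AUTHORIZED_KEYS):
        print(*finding, sep="\t")
```

On a real host the two inputs would come from `/etc/passwd` and each account's `~/.ssh/authorized_keys`; entries marked `review-forced-command` still need the forced command itself inspected for anything that starts bash.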