[Bug 491694] Review Request: Anyterm - Web based terminal emulator

bugzilla at redhat.com bugzilla at redhat.com
Tue Apr 7 09:33:46 UTC 2009


https://bugzilla.redhat.com/show_bug.cgi?id=491694





--- Comment #12 from Alexander Boström <abo at kth.se>  2009-04-07 05:33:46 EDT ---
Looks pretty good!

My comments:

* The typical use case for this is a multiuser machine where you'd usually not
completely trust all users. Since Apache is configured to proxy to port 8080
then if anytermd is not running for some reason any user will be able to listen
to that port and have other users' passwords sent there. So I still think using
a port <1024 by default is the way to go.

* In anyterm-cmd:

  read U
  ssh $U@localhost

Here the user could enter any ssh client option into $U, and I'm pretty sure
it's possible to do evil that way, for example by causing ~anytermd/.ssh/config
and ~anytermd/.ssh/known_hosts to be replaced.

I suggest something like this:

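  while :; do
    echo -n "Username: "
    # -r keeps backslashes literal; exit on EOF instead of looping forever.
    read -r U || exit 1
    # Make sure it does not start with a "-" and only contains valid
    # username characters. The patterns are left unquoted because
    # bash 3.2+ treats a quoted =~ operand as a literal string.
    if [[ "$U" =~ ^[A-Za-z0-9_] && ! ( "$U" =~ [^A-Za-z0-9_-] ) ]]; then
      exec ssh "$U@localhost"
    fi
    echo "Bad username."
  done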

* I'd package the static content in /var/www/anyterm to make it easy for admins
to customize it and cut down on proxy traffic.

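The two defects this comment points at in anyterm-cmd (word splitting of the unquoted `$U`, and a leading `-` being read as an option), run over constructed inputs; this is an added example, not part of the original comment or of the anyterm package. It uses POSIX `case` patterns in place of the `[[ =~ ]]` test above so it behaves the same under sh and bash, and `valid_username`, `unquoted_argc`, `quoted_argc` and `report` are hypothetical helper names.

```shell
#!/bin/sh
# Added example; all sample inputs below are constructed.
LC_ALL=C   # make A-Z / a-z ranges mean ASCII only, whatever the system locale

# Same policy as the suggested loop: non-empty, never starts with "-",
# and contains nothing outside [A-Za-z0-9_-].
valid_username() {
  case $1 in
    ''|-*) return 1 ;;             # empty, or would be parsed as an option
    *[!A-Za-z0-9_-]*) return 1 ;;  # whitespace, "@", quotes, etc.
  esac
  return 0
}

# How many arguments the original `ssh $U@localhost` hands to ssh.
unquoted_argc() (
  U=$1
  set -f                 # count words only, no filename expansion
  set -- $U@localhost    # intentionally unquoted: the shell splits on spaces
  echo "$#"
)

# How many arguments the quoted form `ssh "$U@localhost"` hands to ssh.
quoted_argc() (
  U=$1
  set -- "$U@localhost"
  echo "$#"
)

# Print one row per constructed input. Quoting alone keeps the argument
# count at 1, but "-v" still reaches ssh as an option, so the validation
# is needed as well.
report() {
  for u in "alice" "web_admin" "build-01" "-v" "alice -v" "alice@otherhost" ""; do
    if valid_username "$u"; then verdict=accept; else verdict=reject; fi
    printf '%-18s %-7s unquoted_args=%s quoted_args=%s\n' \
      "[$u]" "$verdict" "$(unquoted_argc "$u")" "$(quoted_argc "$u")"
  done
}

report
```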