bugzilla-daemon at mindrot.org
2024-Apr-12 20:33 UTC
[Bug 3679] New: SSH_ASKPASS program also used for non-password queries
https://bugzilla.mindrot.org/show_bug.cgi?id=3679

Bug ID: 3679
Summary: SSH_ASKPASS program also used for non-password queries
Product: Portable OpenSSH
Version: 9.7p1
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: calestyo at scientia.org

Hey.

I noted the following behaviour, which may or may not be desired, but seems at least undocumented.

When using SSH_ASKPASS/SSH_ASKPASS_REQUIRE, ssh doesn't only invoke the SSH_ASKPASS when actually querying a passphrase, but also e.g. at least when asking whether the fingerprint is correct or not. (The authenticity of host ? Are you sure you want to continue connecting (yes/no/[fingerprint])?)

That's not really clear from the sshd(1) manpage, which says "If ssh needs a passphrase...".

I was thinking whether this could be abused in some way, but I guess not.

The only problem I see is that the askpass program cannot easily know whether it's now being used for a passphrase (in which case it probably disables character echoing) or a normal query (where chars should be echoed). And detecting that via some regexp (the fingerprint prompt is actually given as argv[1] in the program) is also rather ugly.

Think it would be nice to have the information that SSH_ASKPASS is also used for such prompts. And perhaps a simple way for the programs to determine what's currently being queried?

Cheers,
Chris.

--
You are receiving this mail because:
You are watching the assignee of the bug.
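An askpass helper that handles the situation described in the report, added here as an illustration (it is not code from the reporter or from OpenSSH): it classifies the prompt passed as the first argument and fails closed on anything that is not a passphrase or password query, so a host key question is never answered automatically. The function names, the match patterns and the use of /dev/tty for input are assumptions of this example.

```shell
#!/bin/sh
# Example askpass helper. ssh passes the prompt text as the first argument.

# classify_prompt PROMPT -> prints "hostkey", "secret" or "unknown".
# The patterns are assumptions taken from the prompt wording quoted in the
# report and from common passphrase/password prompts, not a stable interface.
classify_prompt() {
    case "$1" in
        *"Are you sure you want to continue connecting"*) echo hostkey ;;
        *[Pp]assphrase*|*[Pp]assword*) echo secret ;;
        *) echo unknown ;;
    esac
}

# answer_prompt PROMPT -> writes the reply to stdout; non-zero status declines.
answer_prompt() {
    case "$(classify_prompt "$1")" in
        hostkey)
            # Fail closed: a host key decision needs a human looking at the
            # fingerprint, so this helper never answers it.
            echo "askpass: declining host key prompt" >&2
            return 1 ;;
        secret)
            # Read the secret from the terminal with echo disabled, and
            # restore the previous terminal settings afterwards.
            old=$(stty -g < /dev/tty) || return 1
            printf '%s' "$1" > /dev/tty
            stty -echo < /dev/tty
            IFS= read -r reply < /dev/tty
            stty "$old" < /dev/tty
            printf '\n' > /dev/tty
            printf '%s\n' "$reply" ;;
        *)
            # Unrecognised prompt: decline rather than guess at echo handling.
            echo "askpass: declining unrecognised prompt" >&2
            return 1 ;;
    esac
}

# Run as an askpass program only when a prompt argument is present.
if [ "$#" -gt 0 ]; then
    answer_prompt "$1"
    exit $?
fi
```
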