bugzilla-daemon at mindrot.org
2020-Oct-26 21:30 UTC
[Bug 3224] New: SSH should be (optionally) clear whose password is asked for
https://bugzilla.mindrot.org/show_bug.cgi?id=3224 Bug ID: 3224 Summary: SSH should be (optionally) clear whose password is asked for Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: luizluca at gmail.com Hello, I'm frequent user of ssh jump hosts, proxy commands and 'scp -3' I have a problem with all of those when ssh/scp askes me for a password. I'm mostly not sure who and where is authenticating. I just get a plain "Password: " prompt. I normally increase verbose to workaround it. However, using debug is not a real fix. It is even harder to know when I use control master. I don't know if it is using an existing control master, skipping the "Password: " step, or if it is asking for the password to create a new control master. I could be typing a password for the first server and sending it to a second one. If that second server is malicious, it might be able to use that password (intended for the first server) to grab sensitive information. Please, add a optional way to always prefix Password prompt with "user at host", just like "password" authentication method already does for every method that asks for a password. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-13 04:19 UTC
[Bug 3224] SSH should be (optionally) clear whose password is asked for
https://bugzilla.mindrot.org/show_bug.cgi?id=3224 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED CC| |djm at mindrot.org -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-16 02:31 UTC
[Bug 3224] SSH should be (optionally) clear whose password is asked for
https://bugzilla.mindrot.org/show_bug.cgi?id=3224 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |FIXED Blocks| |3217 --- Comment #1 from Damien Miller <djm at mindrot.org> --- as of 5442b491d, OpenSSH will now prefix keyboard-interactive prompts with "(user at host)". This should be in the OpenSSH 8.5 release - thanks! Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3217 [Bug 3217] Tracking bug for 8.5 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:00 UTC
[Bug 3224] SSH should be (optionally) clear whose password is asked for
https://bugzilla.mindrot.org/show_bug.cgi?id=3224 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #2 from Damien Miller <djm at mindrot.org> --- closing resolved bugs as of 8.6p1 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
Apparently Analagous Threads
- [Bug 3086] New: Ssh, scp (6.2p2 or 7.4p1) can't support the way to enter the private key password in a non-interactive way.
- rssh and scponly arbitrary command execution
- [BUGTRAQ] rssh and scponly arbitrary command execution
- Password in SSH scrips
- [Bug 557] scp over ssh-relay insists in asking passphrase