bugzilla-daemon at mindrot.org
2022-Jun-01 03:54 UTC
[Bug 3439] New: identify password prompts
https://bugzilla.mindrot.org/show_bug.cgi?id=3439 Bug ID: 3439 Summary: identify password prompts Product: Portable OpenSSH Version: v9.0p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at mindrot.org Reporter: tar.ancalime.numenor at gmail.com Dear developers. Since a while, I have more and more systems where I use ProxyJump and have to either use a passphrase (and cannot use a pubkey) and/or enter a 2FA-OTP. I have no idea who prints the respective prompts, I'd assume the normal passphrase prompt is printed by OpenSSH client, but the OTP prompt by the remote server? At least I have some OTP prompts where I get some valuable information about which OTP is requested, and others where I just see "Your OTP:". In any case, with multiple ProxyJump hops respectively, when doing scp, with multiple source servers, things can get quite messy. Then one get's multiple prompts that may be identical and has to think "where" one is. Would it be possible to add an option, that ssh/scp/sftp prefix these prompts? For example with the respecitve hostname and, if OpenSSH can differ between what is a normal passphrase request and a OTP, the "type" of information that is queried? The default of such option could be "no", so and people could just selectively enable it when needed. Thanks in advance, if it should be possible to have this implemented. -- You are receiving this mail because: You are watching the assignee of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=3439 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at dtucker.net --- Comment #1 from Darren Tucker <dtucker at dtucker.net> --- Are you sure this happens with 9.0? That should have been fixed by bug#3224. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=3439 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |WORKSFORME Status|NEW |RESOLVED --- Comment #2 from Darren Tucker <dtucker at dtucker.net> --- (In reply to tar.ancalime.numenor from comment #0)> I have no idea who prints the respective prompts, I'd assume the > normal passphrase prompt is printed by OpenSSH client, but the OTP > prompt by the remote server?There are two types of prompts: 1) Prompts for ssh "password" authentication method. These are generated by the client and look like this (and have for quite some time): $ ssh -o preferredauthentications=password localhost dtucker at localhost's password: 2) prompts for "keyboard-interactive" authentication method. These are generated by the server (usually via the PAM config) and can look like pretty much anything. For a simple PAM configuration with password authentication they'll typically look something like "Password: ", but could be your OTP prompts if that's what you have. Since 8.5, these with be prefixed by "(user at host)" to identify them: $ ssh -o preferredauthentications=keyboard-interactive localhost (dtucker at localhost) Password: If you can reproduce this behaviour with 9.0 or above, please reopen this bug and attach the full debug output "ssh -vvv yourserver" demonstrating the problem. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=3439 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #3 from Damien Miller <djm at mindrot.org> --- Closing bugs from OpenSSH 9.1 release cycle -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=3439 --- Comment #4 from tar.ancalime.numenor at gmail.com --- Hey Darren. Just one question on this: In both cases, the prompt with password and the prefix with keyboard-interactive, are these generated by the ssh client? Cause if e.g. the server could control the full prompt, a hostile server could try tricking people into entering passphrases/TOTPs for another server. Thanks :-) -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=3439 Christoph Anton Mitterer <calestyo at scientia.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |calestyo at scientia.org --- Comment #5 from Christoph Anton Mitterer <calestyo at scientia.org> --- I've stumbled over this while writing my #3679 (https://bugzilla.mindrot.org/show_bug.cgi?id=3679). If I understand comment 2 correctly, than in both cases (password and keyboard-interactive) ssh always prefixes the prompt with user at host (just once with () around), which may then be followed by any server provided string, right? Wouldn't it perhaps make sense to: - make sure that every line of the server's prompt, as printed on the terminal, (assuming it may contain newlines and/or very long lines) is prefixed with that (user at host) - but just for displaying purposes, not for what goes int argv[1] of ASKPASS. - perhaps even colourise the server's portion of the prompt My idea is that a server could e.g. provide a very long single line prompt or a multi line prompt effectively causing something like this: (true-user at true-host) This is the server's prompt and he's writing a lot of bla bla which no one is interested in. Actually I've seen such servers in the wild. But a rogue e.g. jump server could now do this and print a second faked SSH-like prompt: (user at host) OTP: Here, an intermediate rogue server might try to trick the user into revealing the passphrase or OTP for some completely different server. Not the most severe attack... but still, we've recently seen how powerful social engineering can be. Cheers, Chris. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
Seemingly Similar Threads
- [Bug 3562] New: make SSH_ASKPASS and SSH_ASKPASS_REQUIRE available as config options
- odd behavior of OpenSSH_3.0.2p1
- contrib/solaris/buildpkg.sh - use within JumpStart as well?
- SSH 1.0.1 and 1.1 have different prompt.
- Host key verification (known_hosts) with ProxyJump/ProxyCommand