openssh bugs - Oct 2020 - [Bug 3224] New: SSH should be (optionally) clear whose password is asked for

https://bugzilla.mindrot.org/show_bug.cgi?id=3224

            Bug ID: 3224
           Summary: SSH should be (optionally) clear whose password is
                    asked for
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: luizluca at gmail.com

Hello,

I'm frequent user of ssh jump hosts, proxy commands and 'scp -3' I
have
a problem with all of those when ssh/scp askes me for a password. I'm
mostly not sure who and where is authenticating. I just get a plain
"Password: " prompt. I normally increase verbose to workaround it.
However, using debug is not a real fix.

It is even harder to know when I use control master. I don't know if it
is using an existing control master, skipping the "Password: " step,
or
if it is asking for the password to create a new control master. I
could be typing a password for the first server and sending it to a
second one.
If that second server is malicious, it might be able to use that
password (intended for the first server) to grab sensitive information.

Please, add a optional way to always prefix Password prompt with
"user at host", just like "password" authentication method
already does
for every method that asks for a password.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3224

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |djm at mindrot.org

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3224

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
             Blocks|                            |3217

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
as of 5442b491d, OpenSSH will now prefix keyboard-interactive prompts
with "(user at host)".

This should be in the OpenSSH 8.5 release - thanks!


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3224

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.