https://bugzilla.mindrot.org/show_bug.cgi?id=3439
Christoph Anton Mitterer <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #5 from Christoph Anton Mitterer <[email protected]> ---
I've stumbled over this while writing my #3679
(https://bugzilla.mindrot.org/show_bug.cgi?id=3679).

If I understand comment 2 correctly, then in both cases (password and
keyboard-interactive) ssh always prefixes the prompt with user@host (just once
with () around), which may then be followed by any server provided string,
right?

Wouldn't it perhaps make sense to:
- make sure that every line of the server's prompt, as printed on the terminal,
  (assuming it may contain newlines and/or very long lines) is prefixed with
  that (user@host) - but just for displaying purposes, not for what goes into
  argv[1] of ASKPASS.
- perhaps even colourise the server's portion of the prompt

My idea is that a server could e.g. provide a very long single line prompt or a
multi line prompt effectively causing something like this:
(true-user@true-host) This is the server's prompt and he's writing a lot of bla
bla which no one is interested in. Actually I've seen such servers in the wild.
But a rogue e.g. jump server could now do this and print a second faked
SSH-like prompt:
(user@host) OTP:

Here, an intermediate rogue server might try to trick the user into revealing
the passphrase or OTP for some completely different server.

Not the most severe attack... but still, we've recently seen how powerful
social engineering can be.

Cheers,
Chris.
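The display-side prefixing suggested in comment #5, as an added example that is not part of the bug report or of OpenSSH's code: render_prompt is a hypothetical helper that puts the client-generated (user@host) prefix on every display line of an untrusted server prompt, wrapping long lines and replacing control bytes with '?'. The byte-based width, the '?' substitution (which also replaces non-ASCII bytes in the C locale) and all names are assumptions; the string handed to ASKPASS would stay unprefixed, as the comment proposes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Append the client-generated "(target) " prefix; -1 if out is too small. */
static int put_prefix(char *out, size_t outlen, size_t *pos, const char *target)
{
    int n = snprintf(out + *pos, outlen - *pos, "(%s) ", target);
    if (n < 0 || (size_t)n >= outlen - *pos) return -1;
    *pos += (size_t)n;
    return 0;
}

/* Hypothetical helper (not an OpenSSH function): render an untrusted server
 * prompt so every display line starts with the prefix. Lines wrap after
 * `width` bytes; control bytes such as CR or ESC become '?'. Returns the
 * number of display lines, or -1 if `out` is too small. */
int render_prompt(const char *target, const char *prompt, size_t width,
                  char *out, size_t outlen)
{
    size_t pos = 0, col = 0;
    int lines = 0, at_start = 1;
    if (outlen == 0 || width == 0) return -1;
    out[0] = '\0';
    for (const char *p = prompt; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        int wrap = (c != '\n' && !at_start && col == width);
        if (wrap || at_start) {   /* start of a display line */
            if (wrap && pos + 1 >= outlen) return -1;
            if (wrap) out[pos++] = '\n';
            if (put_prefix(out, outlen, &pos, target) != 0) return -1;
            lines++; at_start = 0; col = 0;
        }
        if (pos + 1 >= outlen) return -1;
        out[pos++] = (c == '\n' || isprint(c)) ? (char)c : '?';
        out[pos] = '\0';
        if (c == '\n') at_start = 1; else col++;
    }
    return lines;
}

int main(void)
{
    char buf[512]; /* srv below is a constructed sample with a forged prompt */
    const char *srv = "bla bla bla\n(user@host) OTP: ";
    if (render_prompt("true-user@true-host", srv, 60, buf, sizeof buf) > 0)
        puts(buf);
    return 0;
}
```

With this rendering the forged "(user@host) OTP:" line can no longer begin a terminal line on its own; it always appears behind the true target's prefix.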
