https://bugzilla.mindrot.org/show_bug.cgi?id=3870
--- Comment #3 from Darren Tucker <[email protected]> --- BTW: (In reply to Frans van der Have from comment #0) [...] > Would it be possible to have an extra setting that is the same as > ObscureKeystrokeTiming=yes when the user is not logged in yet, and > changes to ObscureKeystrokeTiming=no when the user is logged in and > session set-up is completed, [...] leaking information about > the login password. SSH password and keyboard-interactive authentications send their passwords or other auth material in a single SSH packet, and thus are not susceptible to inter-keystroke timing attacks even without ObscureKeystrokeTiming. ObscureKeystrokeTiming helps when passwords are sent after a shell is started, for example for su or non-passwordless sudo. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
