[Bug 3439] identify password prompts

2024-04-12 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3439

Christoph Anton Mitterer  changed:

 What       | Removed  | Added
 -----------+----------+----------------------
 CC         |          | cales...@scientia.org

--- Comment #5 from Christoph Anton Mitterer  ---
I've stumbled over this while writing my #3679
(https://bugzilla.mindrot.org/show_bug.cgi?id=3679).

If I understand comment 2 correctly, then in both cases (password and
keyboard-interactive) ssh always prefixes the prompt with user@host
(just once with () around), which may then be followed by any server
provided string, right?


Wouldn't it perhaps make sense to:
- make sure that every line of the server's prompt, as printed on the
terminal, (assuming it may contain newlines and/or very long lines) is
prefixed with that (user@host) - but just for displaying purposes, not
for what goes into argv[1] of ASKPASS.
- perhaps even colourise the server's portion of the prompt

My idea is that a server could e.g. provide a very long single line
prompt or a multi line prompt effectively causing something like this:

(true-user@true-host) This is the server's prompt and he's writing a
lot
of bla bla which no one is interested in. Actually I've seen such
servers
in the wild.
But a rogue e.g. jump server could now do this and print a second faked
SSH-like prompt:
(user@host) OTP:

Here, an intermediate rogue server might try to trick the user into
revealing the passphrase or OTP for some completely different server.


Not the most severe attack... but still, we've recently seen how
powerful social engineering can be.


Cheers,
Chris.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
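
The per-line prefixing proposed in comment #5, as an added example that is not OpenSSH code and not part of the original thread. `render_prompt` is a hypothetical helper and the sample prompt is constructed; replacing non-printable bytes (in the C locale this includes non-ASCII) with `?` is an extra assumption, so a carriage return or escape sequence cannot repaint the prefix.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Display-only rendering of a server-supplied prompt: every line gets the
 * client-generated "(user@host) " prefix. The unmodified prompt would still
 * be what goes to an askpass helper. Hypothetical helper, not OpenSSH code.
 * Returns 0 on success, -1 if a buffer is too small.
 */
int
render_prompt(const char *user, const char *host, const char *prompt,
    char *out, size_t outlen)
{
	char prefix[256];
	size_t n = 0, plen;
	int r, at_line_start = 1;

	r = snprintf(prefix, sizeof(prefix), "(%s@%s) ", user, host);
	if (r < 0 || (size_t)r >= sizeof(prefix) || outlen == 0)
		return -1;
	plen = (size_t)r;
	for (; *prompt != '\0'; prompt++) {
		unsigned char c = (unsigned char)*prompt;
		if (at_line_start) {
			if (n + plen >= outlen)
				return -1;
			memcpy(out + n, prefix, plen);
			n += plen;
			at_line_start = 0;
		}
		if (c == '\n')
			at_line_start = 1;
		else if (!isprint(c))
			c = '?';	/* CR, ESC etc. could repaint the prefix */
		if (n + 1 >= outlen)
			return -1;
		out[n++] = (char)c;
	}
	out[n] = '\0';
	return 0;
}

int main(void)
{
	char buf[512];
	/* Constructed prompt modelled on the one in comment #5. */
	const char *p = "Lots of bla bla from the server.\n(user@host) OTP: ";
	if (render_prompt("true-user", "true-host", p, buf, sizeof(buf)) == 0)
		puts(buf);
	return 0;
}
```

With this rendering the embedded fake prompt shows up as `(true-user@true-host) (user@host) OTP: `, so the real origin stays visible on the line where the user types.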


[Bug 3439] identify password prompts

2023-04-14 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3439

--- Comment #4 from tar.ancalime.nume...@gmail.com ---
Hey Darren.

Just one question on this:

In both cases, the prompt with password and the prefix with
keyboard-interactive, are these generated by the ssh client?

Cause if e.g. the server could control the full prompt, a hostile
server could try tricking people into entering passphrases/TOTPs for
another server.

Thanks :-)



[Bug 3439] identify password prompts

2022-10-04 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3439

Damien Miller  changed:

 What       | Removed  | Added
 -----------+----------+----------------------
 Status     | RESOLVED | CLOSED

--- Comment #3 from Damien Miller  ---
Closing bugs from OpenSSH 9.1 release cycle



[Bug 3439] identify password prompts

2022-06-27 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3439

Darren Tucker  changed:

 What       | Removed  | Added
 -----------+----------+----------------------
 Resolution | ---      | WORKSFORME
 Status     | NEW      | RESOLVED

--- Comment #2 from Darren Tucker  ---
(In reply to tar.ancalime.numenor from comment #0)
> I have no idea who prints the respective prompts, I'd assume the
> normal passphrase prompt is printed by OpenSSH client, but the OTP
> prompt by the remote server?

There are two types of prompts:
1) Prompts for ssh "password" authentication method.  These are
generated by the client and look like this (and have for quite some
time):

$ ssh -o preferredauthentications=password localhost
dtucker@localhost's password: 

2) prompts for "keyboard-interactive" authentication method.  These are
generated by the server (usually via the PAM config) and can look like
pretty much anything.  For a simple PAM configuration with password
authentication they'll typically look something like "Password: ", but
could be your OTP prompts if that's what you have.  Since 8.5, these
will be prefixed by "(user@host)" to identify them:

$ ssh -o preferredauthentications=keyboard-interactive localhost
(dtucker@localhost) Password:

If you can reproduce this behaviour with 9.0 or above, please reopen
this bug and attach the full debug output "ssh -vvv yourserver"
demonstrating the problem.



[Bug 3439] identify password prompts

2022-05-31 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=3439

Darren Tucker  changed:

 What       | Removed  | Added
 -----------+----------+----------------------
 CC         |          | dtuc...@dtucker.net

--- Comment #1 from Darren Tucker  ---
Are you sure this happens with 9.0?  That should have been fixed by
bug#3224.
