[Bug 3224] New: SSH should be (optionally) clear whose password is asked for

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Oct 27 08:30:06 AEDT 2020


https://bugzilla.mindrot.org/show_bug.cgi?id=3224

            Bug ID: 3224
           Summary: SSH should be (optionally) clear whose password is
                    asked for
           Product: Portable OpenSSH
           Version: 8.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: luizluca at gmail.com

Hello,

I'm a frequent user of ssh jump hosts, proxy commands and 'scp -3'. I have
a problem with all of those when ssh/scp asks me for a password. I'm
mostly not sure who and where is authenticating. I just get a plain
"Password: " prompt. I normally increase verbosity to work around it.
However, using debug is not a real fix.

It is even harder to know when I use control master. I don't know if it
is using an existing control master, skipping the "Password: " step, or
if it is asking for the password to create a new control master. I
could be typing a password for the first server and sending it to a
second one.
If that second server is malicious, it might be able to use that
password (intended for the first server) to grab sensitive information.

Please add an optional way to always prefix the Password prompt with
"user at host", just like the "password" authentication method already does,
for every method that asks for a password.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.