[Bug 3224] New: SSH should be (optionally) clear whose password is asked for
bugzilla-daemon at mindrot.org
Tue Oct 27 08:30:06 AEDT 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=3224
Bug ID: 3224
Summary: SSH should be (optionally) clear whose password is
asked for
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: luizluca at gmail.com
Hello,
I'm a frequent user of ssh jump hosts, proxy commands and 'scp -3'. I have
a problem with all of those when ssh/scp asks me for a password. I'm
mostly not sure who and where is authenticating. I just get a plain
"Password: " prompt. I normally increase verbosity to work around it.
However, using debug is not a real fix.
It is even harder to know when I use control master. I don't know if it
is using an existing control master, skipping the "Password: " step, or
if it is asking for the password to create a new control master. I
could be typing a password for the first server and sending it to a
second one.
If that second server is malicious, it might be able to use that
password (intended for the first server) to grab sensitive information.
Please add an optional way to always prefix the Password prompt with
"user@host", just like the "password" authentication method already does
for every method that asks for a password.