[Bug 3679] New: SSH_ASKPASS program also used for non-password queries

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Apr 13 06:33:48 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3679

            Bug ID: 3679
           Summary: SSH_ASKPASS program also used for non-password queries
           Product: Portable OpenSSH
           Version: 9.7p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.org

Hey.

I noted the following behaviour, which may or may not be desired, but
seems at least undocumented.

When using SSH_ASKPASS/SSH_ASKPASS_REQUIRE, ssh doesn't only invoke the
SSH_ASKPASS when actually querying a passphrase, but also e.g. at least
when asking whether the fingerprint is correct or not.
(The authenticity of host … Are you sure you want to continue
connecting (yes/no/[fingerprint])?)

That's not really clear from the sshd(1) manpage, which says "If ssh
needs a passphrase...".

I was thinking whether this could be abused in some way, but I guess
not.

The only problem I see is that the askpass program cannot easily know
whether it's now being used for a passphrase (in which case it probably
disables character echoing) or a normal query (where chars should be
echoed).

And detecting that via some regexp (the fingerprint prompt is actually
given as argv[1] in the program) is also rather ugly.


Think it would be nice to have the information that SSH_ASKPASS is also
used for such prompts.
And perhaps a simple way for the programs to determine what's currently
being queried?

Cheers,
Chris.
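As an added example (not OpenSSH's code and not the reporter's) of the workaround the report describes, this SSH_ASKPASS helper classifies the prompt text ssh hands it in argv[1]: a yes/no question such as the host-key prompt is read with echo on and still left to the user to answer, anything else is treated as a secret and read with echo off. It assumes a POSIX sh with stty and a controlling terminal at /dev/tty; the pattern strings are taken from the prompts quoted above.

```shell
#!/bin/sh
# Minimal SSH_ASKPASS helper (added example, not part of OpenSSH).
# ssh runs it with the prompt as $1 and takes the reply from stdout.

# Classify the prompt ssh passed us.
#   confirm - a yes/no question (e.g. the host-key fingerprint prompt): echo on
#   secret  - a passphrase or password: echo off
askpass_kind() {
    case "$1" in
        *"Are you sure you want to continue connecting"*) echo confirm ;;
        *"(yes/no"*)                                     echo confirm ;;
        *)                                               echo secret ;;
    esac
}

# Read one reply from the controlling terminal, hiding input for secrets.
# Never auto-answers a confirm prompt: accepting an unknown host key stays
# an explicit user decision.
ask_on_tty() {
    kind=$(askpass_kind "$1")
    printf '%s ' "$1" > /dev/tty
    if [ "$kind" = secret ]; then
        stty -echo < /dev/tty
        IFS= read -r reply < /dev/tty
        stty echo < /dev/tty
        printf '\n' > /dev/tty
    else
        IFS= read -r reply < /dev/tty
    fi
    printf '%s\n' "$reply"
}

# Only do the interactive part when ssh actually supplied a prompt.
if [ $# -gt 0 ]; then
    ask_on_tty "$1"
fi
```

Point SSH_ASKPASS at the script with SSH_ASKPASS_REQUIRE=force to observe every prompt ssh routes through it, not just passphrase requests.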
