[Bug 3679] New: SSH_ASKPASS program also used for non-password queries
bugzilla-daemon at mindrot.org
Sat Apr 13 06:33:48 AEST 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3679
Bug ID: 3679
Summary: SSH_ASKPASS program also used for non-password queries
Product: Portable OpenSSH
Version: 9.7p1
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: calestyo at scientia.org
Hey.
I noted the following behaviour, which may or may not be desired, but
seems at least undocumented.
When using SSH_ASKPASS/SSH_ASKPASS_REQUIRE, ssh doesn't only invoke the
SSH_ASKPASS when actually querying a passphrase, but also e.g. at least
when asking whether the fingerprint is correct or not.
(The authenticity of host … Are you sure you want to continue
connecting (yes/no/[fingerprint])?)
That's not really clear from the sshd(1) manpage, which says "If ssh
needs a passphrase...".
I was thinking whether this could be abused in some way, but I guess
not.
The only problem I see is that the askpass program cannot easily know
whether it's now being used for a passphrase (in which case it probably
disables character echoing) or a normal query (where chars should be
echoed).
And detecting that via some regexp (the fingerprint prompt is actually
given as argv[1] in the program) is also rather ugly.
Think it would be nice to have the information that SSH_ASKPASS is also
used for such prompts.
And perhaps a simple way for the programs to determine what's currently
being queried?
Cheers,
Chris.
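
Added example, not part of the original report and not OpenSSH code: a terminal askpass helper that uses the argv[1] matching the report describes, treating only the quoted host-key question as an echoed prompt and every other prompt as a secret. The names classify_prompt and read_answer are hypothetical, and the helper assumes a controlling terminal at /dev/tty and the prompt wording quoted above.

```python
#!/usr/bin/env python3
"""Terminal askpass helper: echo only for the host-key confirmation prompt."""
import getpass
import re
import sys

# Wording taken from the prompt quoted in the report; matching it is an
# assumption that may break if a future ssh release rewords the question.
CONFIRM_RE = re.compile(
    r"Are you sure you want to continue connecting \(yes/no(/\[fingerprint\])?\)\?"
)


def classify_prompt(prompt):
    """Return 'confirm' for the host-key question, 'secret' for anything else.

    Unknown prompts fall through to 'secret', so a reworded or unexpected
    prompt is never answered with echo enabled.
    """
    return "confirm" if CONFIRM_RE.search(prompt) else "secret"


def read_answer(prompt, tty_path="/dev/tty"):
    """Ask on the controlling terminal; echo only for 'confirm' prompts."""
    if classify_prompt(prompt) == "secret":
        # getpass talks to the terminal itself and turns echo off.
        return getpass.getpass(prompt)
    # Separate handles: a terminal device cannot be opened in text mode "r+".
    with open(tty_path, "w") as out, open(tty_path) as inp:
        out.write(prompt + " ")
        out.flush()
        return inp.readline().rstrip("\n")


def main(argv):
    if len(argv) < 2:
        print("usage: askpass PROMPT", file=sys.stderr)
        return 2
    # ssh reads the reply from this program's standard output.
    print(read_answer(argv[1]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The helper always hands the host-key question to a person; it never answers "yes" on its own, so an unverified fingerprint is not accepted silently.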