[Bug 3439] identify password prompts
bugzilla-daemon at mindrot.org
Sat Apr 13 06:44:40 AEST 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3439
Christoph Anton Mitterer <calestyo at scientia.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |calestyo at scientia.org
--- Comment #5 from Christoph Anton Mitterer <calestyo at scientia.org> ---
I've stumbled over this while writing my #3679
(https://bugzilla.mindrot.org/show_bug.cgi?id=3679).
If I understand comment 2 correctly, then in both cases (password and
keyboard-interactive) ssh always prefixes the prompt with user@host
(just once with () around), which may then be followed by any server
provided string, right?
Wouldn't it perhaps make sense to:
- make sure that every line of the server's prompt, as printed on the
  terminal, (assuming it may contain newlines and/or very long lines) is
  prefixed with that (user@host) - but just for displaying purposes, not
  for what goes into argv[1] of ASKPASS.
- perhaps even colourise the server's portion of the prompt
My idea is that a server could e.g. provide a very long single line
prompt or a multi line prompt effectively causing something like this:
(true-user@true-host) This is the server's prompt and he's writing a lot
of bla bla which no one is interested in. Actually I've seen such servers
in the wild.
But a rogue e.g. jump server could now do this and print a second faked
SSH-like prompt:
(user@host) OTP:
Here, an intermediate rogue server might try to trick the user into
revealing the passphrase or OTP for some completely different server.
Not the most severe attack... but still, we've recently seen how
powerful social engineering can be.
Cheers,
Chris.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
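
The display-side prefixing proposed in the comment above, sketched as an added example; it is not OpenSSH code and not from anyone on the bug. The function `render_prompt`, its parameters, the replacement of control bytes with `?` and the sample prompt are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper: render an untrusted server prompt so that every
 * terminal line starts with the client-generated "(user_host) " prefix.
 * Breaks at '\n' and after `width` prompt bytes (bytes, not terminal columns);
 * other control bytes become '?'. Returns display lines, or -1 if out is small.
 */
int render_prompt(const char *user_host, const char *prompt, size_t width,
                  char *out, size_t outlen)
{
    size_t o = 0, col = 0, plen = strlen(user_host) + 3;  /* "(" + ") " */
    int lines = 0, at_start = 1;

    if (width == 0 || outlen == 0)
        return -1;
    for (const char *p = prompt; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        int wrap = !at_start && col == width && c != '\n';
        if (o + plen + 3 > outlen)   /* conservative: '\n' + prefix + byte + NUL */
            return -1;
        if (wrap)
            out[o++] = '\n';         /* forced break of an over-long line */
        if (wrap || at_start) {      /* a server-sent line never starts unprefixed */
            o += (size_t)snprintf(out + o, outlen - o, "(%s) ", user_host);
            lines++;
            col = 0;
            at_start = 0;
        }
        if (c == '\n')
            at_start = 1;
        else
            col++;
        out[o++] = (c != '\n' && (c < 0x20 || c == 0x7f)) ? '?' : (char)c;
    }
    out[o] = '\0';
    return lines;
}

int main(void)
{
    char buf[256];
    /* Constructed prompt: filler text, then a second SSH-like prompt. */
    const char *srv = "Lots of bla bla\n(user@host) OTP: ";
    if (render_prompt("true-user@true-host", srv, 72, buf, sizeof(buf)) > 0)
        puts(buf);
    return 0;
}
```

With this rendering the second line reads `(true-user@true-host) (user@host) OTP: `, so the server-supplied imitation no longer sits at the start of a terminal line.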