[Bug 3870] New: Provide ObscureKeystrokeTiming setting that only activates the feature during session set-up
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Mon Sep 29 05:50:35 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3870
Bug ID: 3870
Summary: Provide ObscureKeystrokeTiming setting that only
activates the feature during session set-up
Product: Portable OpenSSH
Version: 10.0p2
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: openssh at vanderhave.org
I like the idea behind ObscureKeystrokeTiming=yes especially against
attacks that are timing the network packets while the user's login
password is being typed and sent to the server possibly one character
at a time over the network. However, using ssh with X11 forwarding
combined with ObscureKeystrokeTiming=yes makes running graphical X11
programs in an interactive ssh session unbearably slow for me.
Would it be possible to have an extra setting that is the same as
ObscureKeystrokeTiming=yes when the user is not logged in yet, and
changes to ObscureKeystrokeTiming=no when the user is logged in and
session set-up is completed, i.e. from the point onwards when forwarded
X11 information could start to be sent?
I realize that this may still reveal information about keystrokes being
sent to the server-side shell's command line, editor, and similar, but
leaking some probability information about those keystrokes seems to be
less severe than leaking information about the login password that the
attacker might be able to guess and then verify if the ssh server is
world-reachable.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list