[Bug 3870] New: Provide ObscureKeystrokeTiming setting that only activates the feature during session set-up

[bugzilla-daemon at mindrot.org]

https://bugzilla.mindrot.org/show_bug.cgi?id=3870

            Bug ID: 3870
           Summary: Provide ObscureKeystrokeTiming setting that only
                    activates the feature during session set-up
           Product: Portable OpenSSH
           Version: 10.0p2
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: openssh at vanderhave.org

I like the idea behind ObscureKeystrokeTiming=yes especially against
attacks that are timing the network packets while the user's login
password is being typed and sent to the server possibly one character
at a time over the network. However, using ssh with X11 forwarding
combined with ObscureKeystrokeTiming=yes makes running graphical X11
programs in an interactive ssh session unbearably slow for me. 
Would it be possible to have an extra setting that is the same as
ObscureKeystrokeTiming=yes when the user is not logged in yet, and
changes to ObscureKeystrokeTiming=no when the user is logged in and
session set-up is completed, i.e. from the point onwards when forwarded
X11 information could start to be sent? 
I realize that this may still reveal information about keystrokes being
sent to the server-side shell's command line, editor, and similar, but
leaking some probability information about those keystrokes seems to be
less severe than leaking information about the login password that the
attacker might be able to guess and then verify if the ssh server is
world-reachable.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.