[Bug 3870] Provide ObscureKeystrokeTiming setting that only activates the feature during session set-up

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Sep 29 14:11:06 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3870

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
BTW:

(In reply to Frans van der Have from comment #0)
[...]
> Would it be possible to have an extra setting that is the same as
> ObscureKeystrokeTiming=yes when the user is not logged in yet, and
> changes to ObscureKeystrokeTiming=no when the user is logged in and
> session set-up is completed, [...] leaking information about
> the login password.

SSH password and keyboard-interactive authentications send their
passwords or other auth material in a single SSH packet, and thus are
not susceptible to inter-keystroke timing attacks even without
ObscureKeystrokeTiming.  ObscureKeystrokeTiming helps when passwords
are sent after a shell is started, for example for su or
non-passwordless sudo.

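The distinction drawn in the comment above, as an added illustration (not part of the bug comment and not OpenSSH code): a simplified Python model of which packet timings a passive observer gets in each case. The key timestamps, the fixed chaff tail and the one-keystroke-per-tick rule are assumptions of the model; 20 ms is the documented default interval of ObscureKeystrokeTiming.

```python
# Simplified model (assumptions throughout, not OpenSSH's implementation)
# of the packet times a passive network observer can measure.
# All timestamps are in milliseconds.

# Constructed sample: local times at which a user presses 6 keys + Enter.
KEY_TIMES = [0, 140, 310, 395, 620, 700, 905]

def gaps(packet_times):
    """Inter-arrival gaps between consecutive observed packets."""
    return [b - a for a, b in zip(packet_times, packet_times[1:])]

def auth_request(key_times):
    """Password / keyboard-interactive auth: the client reads the whole
    response locally and sends it in one packet after the last key."""
    return [key_times[-1]]

def shell_unobscured(key_times):
    """Password typed at a su/sudo prompt inside a running session:
    each keystroke leaves as its own packet when it is typed."""
    return list(key_times)

def shell_obscured(key_times, interval=20, tail=200):
    """Fixed-interval sending: from the first keystroke until `tail` ms
    after the last one, a packet leaves on every tick. It carries a
    queued keystroke if one is waiting, chaff otherwise. `tail` is a
    fixed value here (assumption) so the example is deterministic."""
    pending = sorted(key_times)
    tick, end, sent = pending[0], pending[-1] + tail, []
    while tick <= end or pending:
        if pending and pending[0] <= tick:
            pending.pop(0)
            sent.append((tick, "key"))
        else:
            sent.append((tick, "chaff"))
        tick += interval
    return sent

if __name__ == "__main__":
    print("auth request gaps:   ", gaps(auth_request(KEY_TIMES)))
    print("su/sudo, unobscured: ", gaps(shell_unobscured(KEY_TIMES)))
    obscured = shell_obscured(KEY_TIMES)
    # The observer sees only the times, not the key/chaff label.
    print("su/sudo, obscured:   ", sorted(set(gaps([t for t, _ in obscured]))))
```

The single authentication packet yields no gaps at all, the unobscured in-session prompt exposes every inter-keystroke interval, and the fixed-interval stream exposes only the tick length.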