[Bug 3870] Provide ObscureKeystrokeTiming setting that only activates the feature during session set-up
bugzilla-daemon at mindrot.org
Mon Sep 29 14:11:06 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3870
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
BTW:
(In reply to Frans van der Have from comment #0)
[...]
> Would it be possible to have an extra setting that is the same as
> ObscureKeystrokeTiming=yes when the user is not logged in yet, and
> changes to ObscureKeystrokeTiming=no when the user is logged in and
> session set-up is completed, [...] leaking information about
> the login password.
SSH password and keyboard-interactive authentications send their
passwords or other auth material in a single SSH packet, and thus are
not susceptible to inter-keystroke timing attacks even without
ObscureKeystrokeTiming. ObscureKeystrokeTiming helps when passwords
are sent after a shell is started, for example for su or
non-passwordless sudo.