Trick user to send private key password to compromised host

Roman Fiedler roman.fiedler at
Tue May 13 19:01:25 EST 2008

Hi list,

I do not known, if this is really an issue but i noticed that when 
connecting to a remote ssh host with the standard linux openssh client 
using a private key, that there is no line of text indicating when the 
local key-passwd process was completed and the connection session was 

On a compromised host, the login shell could write the line 'Enter 
passphrase for key 'guess the filename using the current account 
name':'. If unnoticed, the user will think, that he misstyped the 
passphrase and repeat it. After capturing the word, the login could 
continue with the standard procedure (e.g. motd banner).

lg roman

More information about the openssh-unix-dev mailing list