OpenSSH daemon security bug?

Jefferson Ogata Jefferson.Ogata at noaa.gov
Wed Jan 6 10:56:05 EST 2010


On 2010-01-05 20:19, Jameson Rollins wrote:
> On Tue, Jan 05, 2010 at 06:48:27PM +0000, Jefferson Ogata wrote:
>> Actually the server could theoretically determine heuristically if the
>> key has no passphrase (or if the user is using ssh-agent) by timing the
>> key transaction. I've often thought it would be useful for sshd to have
>> an option for requiring that there be a delay before each pubkey
>> transaction for the purpose of assuring that a passphrase is being typed
>> on the client side.
> 
> Actually most agents cache the key in memory, and most don't require
> passwords to be typed in for every use, so I don't think this would
> work.

AFAIK the passphrase isn't prompted until initial authentication method 
negotiation has occurred and the client and server have agreed on a 
keypair to try. So if a pubkey response is received within, say, 200 ms 
after auth methods have been negotiated, sshd should be able to conclude 
that the key either lacks a passphrase or that the user is running 
ssh-agent.

For me this would be a useful feature.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
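As an added illustration of the timing window the post describes (this is example code written for this page, not code from the post, from OpenSSH, or from any proposed sshd patch): the server side of the publickey exchange, the interval between the server's SSH_MSG_USERAUTH_PK_OK and the client's signed request, and the "require a minimum delay" policy applied to it. The message numbers are from RFC 4252; the key blob and the four sessions at the bottom are constructed sample data, and the delays chosen for them are assumptions, not measurements.

```python
"""Server-side timing heuristic for the SSH publickey method.

Example code for this page, not OpenSSH's. Message numbers are from RFC 4252;
the sessions at the bottom are constructed sample data, not captured traffic.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

SSH_MSG_USERAUTH_REQUEST = 50   # RFC 4252, section 5
SSH_MSG_USERAUTH_PK_OK = 60     # RFC 4252, section 7


@dataclass(frozen=True)
class Event:
    t_ms: float                  # server clock when the message was sent/received
    number: int                  # SSH message number
    key_blob: bytes              # public key the message refers to
    has_signature: bool = False  # the boolean flag in a "publickey" USERAUTH_REQUEST


def pubkey_response_delay(events: List[Event]) -> Optional[float]:
    """Milliseconds between the server's PK_OK for a key and the client's signed
    USERAUTH_REQUEST for that same key, or None if the exchange never completed.

    The OpenSSH client loads the private key (and, for an encrypted identity
    file, prompts for the passphrase) only after PK_OK arrives, so this interval
    is the window in which a passphrase would be typed.
    """
    pk_ok_at: Dict[bytes, float] = {}
    for ev in events:
        if ev.number == SSH_MSG_USERAUTH_PK_OK:
            pk_ok_at[ev.key_blob] = ev.t_ms
        elif (ev.number == SSH_MSG_USERAUTH_REQUEST and ev.has_signature
              and ev.key_blob in pk_ok_at):
            return ev.t_ms - pk_ok_at[ev.key_blob]
    return None


def classify(delay_ms: Optional[float], threshold_ms: float = 200.0) -> str:
    """The heuristic from the post: a signed reply well under human typing time
    means the key needed no passphrase or was served by an agent. The server
    cannot tell those two cases apart; both look identical on the wire."""
    if delay_ms is None:
        return "incomplete"
    if delay_ms < threshold_ms:
        return "no-passphrase-or-agent"
    return "passphrase-plausible"


def enforce_min_delay(delay_ms: Optional[float], min_delay_ms: float = 200.0) -> bool:
    """The proposed sshd option: accept a signed publickey request only if it
    arrived at least min_delay_ms after PK_OK. A modified client can simply
    sleep before signing, so this only catches unmodified clients."""
    return delay_ms is not None and delay_ms >= min_delay_ms


# Placeholder key blob, constructed for the example (not a real key).
KEY = b"constructed-example-key-blob"


def session(client_delay_ms: float) -> List[Event]:
    """Minimal publickey exchange with the given client-side signing delay."""
    return [
        Event(0.0, SSH_MSG_USERAUTH_REQUEST, KEY, has_signature=False),  # key query
        Event(1.0, SSH_MSG_USERAUTH_PK_OK, KEY),                         # server: key acceptable
        Event(1.0 + client_delay_ms, SSH_MSG_USERAUTH_REQUEST, KEY, has_signature=True),
    ]


# Assumed delays for the four constructed sessions.
AGENT_SESSION = session(4.0)           # ssh-agent signs immediately
UNENCRYPTED_SESSION = session(12.0)    # identity file has no passphrase
INTERACTIVE_SESSION = session(2600.0)  # a human types the passphrase
ABANDONED_SESSION = session(4.0)[:2]   # client never sends the signed request

if __name__ == "__main__":
    for name, ev in [("agent", AGENT_SESSION), ("unencrypted", UNENCRYPTED_SESSION),
                     ("interactive", INTERACTIVE_SESSION), ("abandoned", ABANDONED_SESSION)]:
        d = pubkey_response_delay(ev)
        print(f"{name:12s} delay={d} verdict={classify(d)} accept={enforce_min_delay(d)}")
```

Running the sessions through `classify` shows the point Jameson raises: the agent-backed and the unencrypted-key sessions get the same verdict, so the heuristic distinguishes "a passphrase was probably typed right now" from everything else, nothing finer.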

