OpenSSH daemon security bug?
Jefferson Ogata
Jefferson.Ogata at noaa.gov
Wed Jan 6 10:56:05 EST 2010
On 2010-01-05 20:19, Jameson Rollins wrote:
> On Tue, Jan 05, 2010 at 06:48:27PM +0000, Jefferson Ogata wrote:
>> Actually the server could theoretically determine heuristically if the
>> key has no passphrase (or if the user is using ssh-agent) by timing the
>> key transaction. I've often thought it would be useful for sshd to have
>> an option for requiring that there be a delay before each pubkey
>> transaction for the purpose of assuring that a passphrase is being typed
>> on the client side.
>
> Actually most agents cache the key in memory, and most don't require
> passwords to be typed in for every use, so I don't think this would
> work.
AFAIK the passphrase isn't prompted until initial authentication method
negotiation has occurred and the client and server have agreed on a
keypair to try. So if a pubkey response is received within, say, 200 ms
after auth methods have been negotiated, sshd should be able to conclude
that the key either lacks a passphrase or that the user is running
ssh-agent.
For me this would be a useful feature.
--
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
More information about the openssh-unix-dev
mailing list