bug in scp (maybe)

[Andy Tsouladze]

Hello,

While playing around with various openssh features and options, I tried to 
use `scp -3' which copies files between two remote systems.  It works fine 
if password is not required for either SRC or DEST systems, and if 
password is required only for one remote system (either SRC or DEST).  The 
problem happens only if both SRC and DEST systems require a password. 
Here is a session:

----------------------------
scp -3 andyt2 at majesty:/etc/group andyt2 at mate:/tmp/group
andyt2 at majesty's password: andyt2 at mate's password:
XXXXXX

---------------------------
As you can see, after the command is started, both remote systems prompt 
for a password on the same line.  So I enter a password for user andyt2 
and press ENTER.  What happens next is probably a bug.  Line advances, and 
nothing at all happens.  So I am assuming that now the second system is 
waiting for a password.  I enter it, and it appears in the terminal in 
cleartext (substituted here with XXXXXX).  The command then proceeds and 
finishes successfully.

A workaround I found is to simply press ENTER instead of typing a second 
password.  Then, you get an error saying the password is incorrect, and 
a new, normal password prompt appears.  Enter the password, and this time, 
it is not visible.

This is what it looks like:

----------------------------
andyt at king: andyt> scp -3 andyt2 at majesty:/etc/group andyt2 at mate:/tmp/group
andyt2 at majesty's password: andyt2 at mate's password:


Permission denied, please try again.
andyt2 at mate's password:
----------------------------

I imagine a similar problem may exist if a user is prompted for a 
passphrase.

System info:

All three systems run Slackware ver. 14.0, openssh-6.4.

Please let me know if further clarification or test runs are needed.

Regards,

Andy

Dr Andy Tsouladze
Sr Unix/Storage/Security SysAdmin
PWD=`cat /dev/urandom | sed 's/[^\x21-\x7f]//g' | head -c 14`