https://bugzilla.mindrot.org/show_bug.cgi?id=3439
Christoph Anton Mitterer <calestyo@scientia.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |calestyo@scientia.org
--- Comment #5 from Christoph Anton Mitterer <calestyo@scientia.org> ---
I've stumbled over this while writing my #3679
(https://bugzilla.mindrot.org/show_bug.cgi?id=3679).
If I understand comment 2 correctly, than in both cases (password and
keyboard-interactive) ssh always prefixes the prompt with user@host
(just once with () around), which may then be followed by any server
provided string, right?
Wouldn't it perhaps make sense to:
- make sure that every line of the server's prompt, as printed on the
terminal, (assuming it may contain newlines and/or very long lines) is
prefixed with that (user@host) - but just for displaying purposes, not
for what goes int argv[1] of ASKPASS.
- perhaps even colourise the server's portion of the prompt
My idea is that a server could e.g. provide a very long single line
prompt or a multi line prompt effectively causing something like this:
(true-user@true-host) This is the server's prompt and he's writing a
lot
of bla bla which no one is interested in. Actually I've seen such
servers
in the wild.
But a rogue e.g. jump server could now do this and print a second faked
SSH-like prompt:
(user@host) OTP:
Here, an intermediate rogue server might try to trick the user into
revealing the passphrase or OTP for some completely different server.
Not the most severe attack... but still, we've recently seen how
powerful social engineering can be.
Cheers,
Chris.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
Christoph Anton Mitterer <calestyo@scientia.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |calestyo@scientia.org
--- Comment #5 from Christoph Anton Mitterer <calestyo@scientia.org> ---
I've stumbled over this while writing my #3679
(https://bugzilla.mindrot.org/show_bug.cgi?id=3679).
If I understand comment 2 correctly, than in both cases (password and
keyboard-interactive) ssh always prefixes the prompt with user@host
(just once with () around), which may then be followed by any server
provided string, right?
Wouldn't it perhaps make sense to:
- make sure that every line of the server's prompt, as printed on the
terminal, (assuming it may contain newlines and/or very long lines) is
prefixed with that (user@host) - but just for displaying purposes, not
for what goes int argv[1] of ASKPASS.
- perhaps even colourise the server's portion of the prompt
My idea is that a server could e.g. provide a very long single line
prompt or a multi line prompt effectively causing something like this:
(true-user@true-host) This is the server's prompt and he's writing a
lot
of bla bla which no one is interested in. Actually I've seen such
servers
in the wild.
But a rogue e.g. jump server could now do this and print a second faked
SSH-like prompt:
(user@host) OTP:
Here, an intermediate rogue server might try to trick the user into
revealing the passphrase or OTP for some completely different server.
Not the most severe attack... but still, we've recently seen how
powerful social engineering can be.
Cheers,
Chris.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs