Bug 3224

Summary: SSH should be (optionally) clear whose password is asked for
Product: Portable OpenSSH
Reporter: Luiz Angelo Daros de Luca <luizluca>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: djm
Priority: P5
Version: 8.3p1
Hardware: Other
OS: Linux
Bug Depends on:
Bug Blocks: 3217

Description Luiz Angelo Daros de Luca 2020-10-27 08:30:06 AEDT
Hello,

I'm a frequent user of ssh jump hosts, proxy commands and 'scp -3'. I have a problem with all of those when ssh/scp asks me for a password. I'm mostly not sure who and where is authenticating. I just get a plain "Password: " prompt. I normally increase verbosity to work around it. However, using debug is not a real fix.

It is even harder to know when I use control master. I don't know if it is using an existing control master, skipping the "Password: " step, or if it is asking for the password to create a new control master. I could be typing a password for the first server and sending it to a second one.
If that second server is malicious, it might be able to use that password (intended for the first server) to grab sensitive information.

Please, add an optional way to always prefix the Password prompt with "user@host", just like the "password" authentication method already does for every method that asks for a password.

Comment 1 Damien Miller 2020-11-16 13:31:09 AEDT
As of 5442b491d, OpenSSH will now prefix keyboard-interactive prompts with "(user@host)".

This should be in the OpenSSH 8.5 release - thanks!

Comment 2 Damien Miller 2021-04-23 15:00:22 AEST
Closing resolved bugs as of 8.6p1 release