Bug 3439

Summary: identify password prompts
Product: Portable OpenSSH Reporter: tar.ancalime.numenor
Component: MiscellaneousAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WORKSFORME    
Severity: enhancement CC: dtucker
Priority: P5    
Version: 9.0p1   
Hardware: Other   
OS: Linux   

Description tar.ancalime.numenor 2022-06-01 13:54:30 AEST 
Dear developers.

Since a while, I have more and more systems where I use ProxyJump and have to either use a passphrase (and cannot use a pubkey) and/or enter a 2FA-OTP.

I have no idea who prints the respective prompts, I'd assume the normal passphrase prompt is printed by OpenSSH client, but the OTP prompt by the remote server?
At least I have some OTP prompts where I get some valuable information about which OTP is requested, and others where I just see "Your OTP:".

In any case, with multiple ProxyJump hops respectively, when doing scp, with multiple source servers, things can get quite messy.

Then one get's multiple prompts that may be identical and has to think "where" one is.

Would it be possible to add an option, that ssh/scp/sftp prefix these prompts?
For example with the respecitve hostname and, if OpenSSH can differ between what is a normal passphrase request and a OTP, the "type" of information that is queried?

The default of such option could be "no", so and people could just selectively enable it when needed.


Thanks in advance, if it should be possible to have this implemented.
Comment 1 Darren Tucker 2022-06-01 15:47:06 AEST 
Are you sure this happens with 9.0?  That should have been fixed by bug#3224.
Comment 2 Darren Tucker 2022-06-27 16:55:51 AEST 
(In reply to tar.ancalime.numenor from comment #0)
> I have no idea who prints the respective prompts, I'd assume the
> normal passphrase prompt is printed by OpenSSH client, but the OTP
> prompt by the remote server?

There are two types of prompts:
1) Prompts for ssh "password" authentication method.  These are generated by the client and look like this (and have for quite some time):

$ ssh -o preferredauthentications=password localhost
dtucker@localhost's password: 

2) prompts for "keyboard-interactive" authentication method.  These are generated by the server (usually via the PAM config) and can look like pretty much anything.  For a simple PAM configuration with password authentication they'll typically look something like "Password: ", but could be your OTP prompts if that's what you have.  Since 8.5, these with be prefixed by "(user@host)" to identify them:

$ ssh -o preferredauthentications=keyboard-interactive localhost
(dtucker@localhost) Password:

If you can reproduce this behaviour with 9.0 or above, please reopen this bug and attach the full debug output "ssh -vvv yourserver" demonstrating the problem.
Comment 3 Damien Miller 2022-10-04 21:58:00 AEDT 
Closing bugs from OpenSSH 9.1 release cycle