Bug 3224 - SSH should be (optionally) clear whose password is asked for
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 8.3p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_8_5
 
Reported: 2020-10-27 08:30 AEDT by Luiz Angelo Daros de Luca
Modified: 2021-04-23 15:00 AEST

Description Luiz Angelo Daros de Luca 2020-10-27 08:30:06 AEDT
Hello,

I'm a frequent user of ssh jump hosts, proxy commands and 'scp -3'. I have a problem with all of those when ssh/scp asks me for a password. I'm mostly not sure who and where is authenticating. I just get a plain "Password: " prompt. I normally increase verbosity to work around it. However, using debug is not a real fix.

It is even harder to know when I use control master. I don't know if it is using an existing control master, skipping the "Password: " step, or if it is asking for the password to create a new control master. I could be typing a password for the first server and sending it to a second one.
If that second server is malicious, it might be able to use that password (intended for the first server) to grab sensitive information.

Please add an optional way to always prefix the Password prompt with "user@host", just like the "password" authentication method already does, for every method that asks for a password.
Comment 1 Damien Miller 2020-11-16 13:31:09 AEDT
As of 5442b491d, OpenSSH will now prefix keyboard-interactive prompts with "(user@host)".

This should be in the OpenSSH 8.5 release - thanks!
Comment 2 Damien Miller 2021-04-23 15:00:22 AEST
Closing resolved bugs as of 8.6p1 release.