Bug 3439 - identify password prompts
Status: CLOSED WORKSFORME
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous
Version: 9.0p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2022-06-01 13:54 AEST by tar.ancalime.numenor
Modified: 2022-10-04 21:58 AEDT
Description tar.ancalime.numenor 2022-06-01 13:54:30 AEST
Dear developers.

For a while now, I have had more and more systems where I use ProxyJump and have to either use a passphrase (and cannot use a pubkey) and/or enter a 2FA-OTP.

I have no idea who prints the respective prompts, I'd assume the normal passphrase prompt is printed by OpenSSH client, but the OTP prompt by the remote server?
At least I have some OTP prompts where I get some valuable information about which OTP is requested, and others where I just see "Your OTP:".

In any case, with multiple ProxyJump hops respectively, when doing scp, with multiple source servers, things can get quite messy.

Then one gets multiple prompts that may be identical and has to think "where" one is.

Would it be possible to add an option, that ssh/scp/sftp prefix these prompts?
For example with the respective hostname and, if OpenSSH can differ between what is a normal passphrase request and an OTP, the "type" of information that is queried?

The default of such an option could be "no", so people could just selectively enable it when needed.


Thanks in advance, if it should be possible to have this implemented.
Comment 1 Darren Tucker 2022-06-01 15:47:06 AEST
Are you sure this happens with 9.0?  That should have been fixed by bug#3224.
Comment 2 Darren Tucker 2022-06-27 16:55:51 AEST
(In reply to tar.ancalime.numenor from comment #0)
> I have no idea who prints the respective prompts, I'd assume the
> normal passphrase prompt is printed by OpenSSH client, but the OTP
> prompt by the remote server?

There are two types of prompts:
1) Prompts for ssh "password" authentication method.  These are generated by the client and look like this (and have for quite some time):

$ ssh -o preferredauthentications=password localhost
dtucker@localhost's password: 

2) Prompts for "keyboard-interactive" authentication method.  These are generated by the server (usually via the PAM config) and can look like pretty much anything.  For a simple PAM configuration with password authentication they'll typically look something like "Password: ", but could be your OTP prompts if that's what you have.  Since 8.5, these will be prefixed by "(user@host)" to identify them:

$ ssh -o preferredauthentications=keyboard-interactive localhost
(dtucker@localhost) Password:

If you can reproduce this behaviour with 9.0 or above, please reopen this bug and attach the full debug output "ssh -vvv yourserver" demonstrating the problem.
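
An added example, not part of the original bug thread and not OpenSSH code: a small Python classifier for the two prompt formats described in comment 2, of the kind an askpass helper or expect-style wrapper could use to decide which hop is asking before releasing a secret. The function names and every sample line other than the two shown in the comment are constructed for illustration.

```python
import re

# "password" method: the prompt is built by the ssh client itself.
CLIENT_PASSWORD = re.compile(
    r"^(?P<user>[^@\s]+)@(?P<host>\S+)'s password:\s*$")

# "keyboard-interactive" method: the text comes from the server, and the
# client (8.5 and later, per comment 2) prepends "(user@host) " to it.
KBDINT_PREFIX = re.compile(
    r"^\((?P<user>[^@\s()]+)@(?P<host>[^\s()]+)\) (?P<text>.*)$")


def classify_prompt(line):
    """Classify one prompt line into method, user, host and server text."""
    m = CLIENT_PASSWORD.match(line)
    if m:
        return {"method": "password", "user": m["user"],
                "host": m["host"], "text": None}
    m = KBDINT_PREFIX.match(line)
    if m:
        # Only the FIRST "(user@host)" is client-generated. Everything after
        # it is server-controlled and may imitate another prefix.
        return {"method": "keyboard-interactive", "user": m["user"],
                "host": m["host"], "text": m["text"].strip()}
    # No client-generated identity at all (for example an unprefixed
    # "Your OTP:"): the origin cannot be determined from the text.
    return {"method": "unidentified", "user": None,
            "host": None, "text": line.strip()}


def prompt_is_for(line, user, host):
    """True only if the client-generated part of the prompt names user@host."""
    info = classify_prompt(line)
    return (info["method"] != "unidentified"
            and info["user"] == user and info["host"] == host)


if __name__ == "__main__":
    samples = [  # first two are from comment 2, the rest are constructed
        "dtucker@localhost's password: ",
        "(dtucker@localhost) Password:",
        "Your OTP:",
        "(alice@jump1) (root@db) Password:",
    ]
    for s in samples:
        print(repr(s), "->", classify_prompt(s))
```

An unprefixed prompt is reported as unidentified rather than guessed at, so a wrapper built on this should decline to answer it automatically.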
Comment 3 Damien Miller 2022-10-04 21:58:00 AEDT
Closing bugs from OpenSSH 9.1 release cycle