User: Password:
|
|
Subscribe / Log in / New account

not really

not really

Posted Sep 18, 2008 7:20 UTC (Thu) by dlang (subscriber, #313)
In reply to: OpenSSH and keystroke timings by bronson
Parent article: OpenSSH and keystroke timings

how would ssh know that you are sending a password?

do you _really_ want your transport layer to start guessing at what strings may be password prompts that should shift you into line-based mode instead of character mode? what if that string shows up in the middle of an image while you are playing a game, do you really want it to start buffering all your keystrokes (and not showing you) until you hit enter?

the only fix for this is to waste bandwidth by sending garbage packets.

my solution, try to sidestep the problem by using hardware token based authentication wherever possible rather then passwords (even over encrypted links)


(Log in to post comments)

not really

Posted Sep 18, 2008 8:53 UTC (Thu) by epa (subscriber, #39769) [Link]

how would ssh know that you are sending a password?
Password prompts already send special magic characters to the tty to turn off echoing. It would need only a small extension to su(1) or ssh(1) to make them echo a new sequence meaning 'I am reading a password now'. The remote ssh client would note this and batch up a whole line of input to send at once.

not really

Posted Sep 18, 2008 18:18 UTC (Thu) by djm (subscriber, #11651) [Link]

Actually OpenSSH already defends against this case: we detect when echo is turned off and send fake echo (SSH2_MSG_IGNORE) packets back in responses to keystrokes. This makes it more difficult for an attacker to tell when the user is actually typing in a password.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds