diff options
| author | Simon Tatham <anakin@pobox.com> | 2022-10-23 16:00:07 +0300 |
|---|---|---|
| committer | Simon Tatham <anakin@pobox.com> | 2022-10-23 16:13:55 +0300 |
| commit | bdb3ac9f3b80b0c94c05261abc9cbe7b89a9ebea (patch) | |
| tree | 8a3320ba08dc5205403a87673ed71b0a84a7a82c | |
| parent | 2fbb9284f35ea66a39c1744adc417f346417780c (diff) | |
Restrict -pwfile / -pw to apply to server prompts only.
Jacob spotted that an unused -pwfile input can be accidentally used as
the answer to Plink's antispoof 'press Return to begin session'
prompt, which is unintended and confusing.
To fix that, I've made the use of a command-line password conditional
on p->to_server, the flag in a prompts_t that indicates whether the
results of the prompts are going to be sent directly to the server or
consumed locally by PuTTY. (And I've also corrected the setting of
to_server in the antispoof prompt, which was true when it should have
been false.)
A side effect of this is that -pwfile will no longer work to provide a
private-key passphrase, if you're using public-key authentication
without Pageant. This is deliberate, because if you're doing that on
purpose then Pageant is a better way to achieve the same thing (or
else just store the key unencrypted, which is no worse); but in the
case of a server that sequentially demands public-key _and_ password
authentication, the new behaviour makes -pwfile apply to the right one
of the two prompts, i.e. the actual password.
| -rw-r--r-- | cmdline.c | 8 | ||||
| -rw-r--r-- | ssh/connection2.c | 2 |
2 files changed, 7 insertions, 3 deletions
@@ -87,9 +87,13 @@ SeatPromptResult cmdline_get_passwd_input( /* * We only handle prompts which don't echo (which we assume to be * passwords), and (currently) we only cope with a password prompt - * that comes in a prompt-set on its own. + * that comes in a prompt-set on its own. Also, we don't use a + * command-line password for any kind of prompt which is destined + * for local use rather than to be sent to the server: the idea is + * to pre-fill _passwords_, not private-key passphrases (for which + * there are better alternatives available). */ - if (p->n_prompts != 1 || p->prompts[0]->echo) { + if (p->n_prompts != 1 || p->prompts[0]->echo || !p->to_server) { return SPR_INCOMPLETE; } diff --git a/ssh/connection2.c b/ssh/connection2.c index f2f07b17..77b8d0ec 100644 --- a/ssh/connection2.c +++ b/ssh/connection2.c @@ -989,7 +989,7 @@ static void ssh2_connection_process_queue(PacketProtocolLayer *ppl) */ if (ssh2_connection_need_antispoof_prompt(s)) { s->antispoof_prompt = ssh_ppl_new_prompts(&s->ppl); - s->antispoof_prompt->to_server = true; + s->antispoof_prompt->to_server = false; s->antispoof_prompt->from_server = false; s->antispoof_prompt->name = dupstr("Authentication successful"); add_prompt( |