mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-01 03:22:48 -05:00

Add an interactive anti-spoofing prompt in Plink.

At the point when we change over the seat's trust status to untrusted
for the last time, to finish authentication, Plink will now present a
final interactive prompt saying 'Press Return to begin session'. This
is a hint that anything after that that resembles an auth prompt
should be treated with suspicion, because _PuTTY_ thinks it's finished
authenticating.

This is of course an annoying inconvenience for interactive users, so
I've tried to reduce its impact as much as I can. It doesn't happen in
GUI PuTTY at all (because the trust sigil system is used instead); it
doesn't happen if you use plink -batch (because then the user already
knows that they _never_ expect an interactive prompt); and it doesn't
happen if Plink's standard input is being redirected from anywhere
other than the terminal / console (because then it would be pointless
for the server to try to scam passphrases out of the user anyway,
since the user isn't in a position to enter one in response to a spoof
prompt). So it should only happen to people who are using Plink in a
terminal for interactive login purposes, and that's not _really_ what
I ever intended Plink to be used for (which is why it's never had any
out-of-band control UI like OpenSSH's ~ system).

If anyone _still_ doesn't like this new prompt, it can also be turned
off using the new -no-antispoof flag, if the user is willing to
knowingly assume the risk.
This commit is contained in:
Simon Tatham
2019-03-10 14:42:33 +00:00
parent 76d8d363be
commit 514796b7e4
10 changed files with 140 additions and 1 deletions


@ -414,8 +414,26 @@ static int console_askappend(LogPolicy *lp, Filename *filename,
return 0;
}
bool console_antispoof_prompt = true;
bool console_set_trust_status(Seat *seat, bool trusted)
{
if (console_batch_mode || !is_interactive() || !console_antispoof_prompt) {
/*
* In batch mode, we don't need to worry about the server
* mimicking our interactive authentication, because the user
* already knows not to expect any.
*
* If standard input isn't connected to a terminal, likewise,
* because even if the server did send a spoof authentication
* prompt, the user couldn't respond to it via the terminal
* anyway.
*
* We also vacuously return success if the user has purposely
* disabled the antispoof prompt.
*/
return true;
}
return false;
}
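
Review bot: the final 'return false;' in console_set_trust_status has no comment, and nothing at the head of the function states what the boolean means to the caller; only the early 'return true' path is explained, and it is described as vacuous success. Please add a header comment giving the return contract (going by the commit message, false appears to be the case that leads to the 'Press Return to begin session' prompt, but the hunk itself does not say so). Neither seat nor trusted is used in the visible body, so a note that ignoring them is intentional would help. console_antispoof_prompt is a non-static global and deserves a one-line comment saying what it controls and what changes it.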


@ -534,6 +534,8 @@ static void usage(void)
"-no-sanitise-stderr, -no-sanitise-stdout\n");
printf(" do/don't strip control chars from standard "
"output/error\n");
printf(" -no-antispoof omit anti-spoofing prompt after "
"authentication\n");
printf(" -m file read remote command(s) from file\n");
printf(" -s remote command is an SSH subsystem (SSH-2 only)\n");
printf(" -N don't start a shell/command (SSH-2 only)\n");
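
Review bot: the usage line for -no-antispoof says what is omitted but not what the user gives up by omitting it, although the commit message frames the flag as something to use only when knowingly assuming the risk. Suggest wording that carries the consequence, for example "omit anti-spoofing prompt after authentication (server output may then imitate auth prompts)", so that someone reading only the usage text sees the trade-off.
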
@ -678,6 +680,8 @@ int main(int argc, char **argv)
} else if (!strcmp(p, "-no-sanitise-stderr") ||
!strcmp(p, "-no-sanitize-stderr")) {
sanitise_stderr = FORCE_OFF;
} else if (!strcmp(p, "-no-antispoof")) {
console_antispoof_prompt = false;
} else if (*p != '-') {
strbuf *cmdbuf = strbuf_new();
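
Review bot: the -no-antispoof branch sets console_antispoof_prompt = false and there is no counterpart in this hunk to set it back, whereas the sanitise option directly above records a FORCE_OFF state. If a wrapper script or saved command line supplies -no-antispoof, a later argument cannot re-enable the prompt. Consider a matching positive option, or state in the documentation that the flag is one-way.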