nhyatt/putty-source
1
0
Fork 0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-07-18 11:31:00 -05:00
Code Issues Projects Releases Wiki Activity

Add an interactive anti-spoofing prompt in Plink.

Browse Source 
At the point when we change over the seat's trust status to untrusted
for the last time, to finish authentication, Plink will now present a
final interactive prompt saying 'Press Return to begin session'. This
is a hint that anything after that that resembles an auth prompt
should be treated with suspicion, because _PuTTY_ thinks it's finished
authenticating.

This is of course an annoying inconvenience for interactive users, so
I've tried to reduce its impact as much as I can. It doesn't happen in
GUI PuTTY at all (because the trust sigil system is used instead); it
doesn't happen if you use plink -batch (because then the user already
knows that they _never_ expect an interactive prompt); and it doesn't
happen if Plink's standard input is being redirected from anywhere
other than the terminal / console (because then it would be pointless
for the server to try to scam passphrases out of the user anyway,
since the user isn't in a position to enter one in response to a spoof
prompt). So it should only happen to people who are using Plink in a
terminal for interactive login purposes, and that's not _really_ what
I ever intended Plink to be used for (which is why it's never had any
out-of-band control UI like OpenSSH's ~ system).

If anyone _still_ doesn't like this new prompt, it can also be turned
off using the new -no-antispoof flag, if the user is willing to
knowingly assume the risk.
This commit is contained in:
Simon Tatham
2019-03-10 14:42:33 +00:00
parent 76d8d363be
commit 514796b7e4
10 changed files with 140 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
unix/uxcons.c
View File

@ -414,8 +414,26 @@ static int console_askappend(LogPolicy *lp, Filename *filename,
return 0;
}
bool console_antispoof_prompt = true;
bool console_set_trust_status(Seat *seat, bool trusted)
{
if (console_batch_mode || !is_interactive() || !console_antispoof_prompt) {
/*
* In batch mode, we don't need to worry about the server
* mimicking our interactive authentication, because the user
* already knows not to expect any.
*
* If standard input isn't connected to a terminal, likewise,
* because even if the server did send a spoof authentication
* prompt, the user couldn't respond to it via the terminal
* anyway.
*
* We also vacuously return success if the user has purposely
* disabled the antispoof prompt.
*/
return true;
}
return false;
}