From 64712be3cbc4a02bda4a92ca97e8d4f294abbe9a Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Thu, 27 Feb 2025 12:51:18 +0000
Subject: [PATCH] Non-SSH backends: delay setting trust status to false.
A user reported recently that if you connect to a Telnet server via a proxy that requires authentication, and enter the auth details manually in the PuTTY terminal window, then the entire Telnet session is shown with trust sigils to its left. This happens because telnet.c calls seat_set_trust_status(false) as soon as it's called new_connection() to make the Socket. But the interactive proxy authentication dialogue hasn't happened yet, at that point. So the proxy resets the trust status to true and asks for a username and password, and then nothing ever resets it to false, because telnet.c thought it had already done that. The solution is to defer the Telnet backend's change of trust status to when we get the notification that the socket is properly connected, which arrives via plug_log(PLUGLOG_CONNECT_SUCCESS). The same bug occurs in raw.c and supdup.c, but not in rlogin.c, because Rlogin has an initial authentication exchange known to the protocol, and already delays resetting the trust status until after that has concluded.
---
 otherbackends/raw.c | 6 +++---
 otherbackends/supdup.c | 4 +++-
 otherbackends/telnet.c | 6 +++---
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/otherbackends/raw.c b/otherbackends/raw.c
index 9fc5e4c8..01c776e2 100644
--- a/otherbackends/raw.c
+++ b/otherbackends/raw.c
@@ -47,6 +47,9 @@ static void raw_log(Plug *plug, Socket *s, PlugLogType type, SockAddr *addr,
 raw->socket_connected = true;
 if (raw->ldisc)
 ldisc_check_sendok(raw->ldisc);
+
+ /* No local authentication phase in this protocol */
+ seat_set_trust_status(raw->seat, false);
 }
 }
 
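Review bot: The comment copied into raw_log, `/* No local authentication phase in this protocol */`, no longer says why the call belongs at this point, and the identical additions in supdup_log and telnet_log have the same gap. With the calls removed from the three *_init functions, this branch is, as far as the diff shows, the only place where these backends drop the trust status, so a session in which the branch never runs, or runs after server data has already been displayed, would show server output with trust sigils; whether every socket and proxy type delivers PLUGLOG_CONNECT_SUCCESS before any data is not visible here and is worth confirming. I would state the invariant in the comment, e.g. `/* Connection is up, so any interactive proxy authentication is over: everything displayed from here on is server-controlled and must not carry a trust sigil. */`. The enclosing condition in raw_log starts outside the hunk.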
@@ -210,9 +213,6 @@ static char *raw_init(const BackendVtable *vt, Seat *seat,
 if ((err = sk_socket_error(raw->s)) != NULL)
 return dupstr(err);
- /* No local authentication phase in this protocol */
- seat_set_trust_status(raw->seat, false);
-
 loghost = conf_get_str(conf, CONF_loghost);
 if (*loghost) {
 char *colon;
diff --git a/otherbackends/supdup.c b/otherbackends/supdup.c
index f9680f30..8f814797 100644
--- a/otherbackends/supdup.c
+++ b/otherbackends/supdup.c
@@ -570,6 +570,9 @@ static void supdup_log(Plug *plug, Socket *s, PlugLogType type, SockAddr *addr,
 supdup->socket_connected = true;
 if (supdup->ldisc)
 ldisc_check_sendok(supdup->ldisc);
+
+ /* No local authentication phase in this protocol */
+ seat_set_trust_status(supdup->seat, false);
 }
 }
@@ -812,7 +815,6 @@ static char *supdup_init(const BackendVtable *x, Seat *seat,
 * We next expect a connection message followed by %TDNOP from the server
 */
 supdup->state = CONNECTING;
- seat_set_trust_status(supdup->seat, false);
 /* Make sure the terminal is in UTF-8 mode. */
 c_write(supdup, (unsigned char *)utf8, strlen(utf8));
diff --git a/otherbackends/telnet.c b/otherbackends/telnet.c
index 2f12722c..7f1e4977 100644
--- a/otherbackends/telnet.c
+++ b/otherbackends/telnet.c
@@ -615,6 +615,9 @@ static void telnet_log(Plug *plug, Socket *s, PlugLogType type, SockAddr *addr,
 telnet->socket_connected = true;
 if (telnet->ldisc)
 ldisc_check_sendok(telnet->ldisc);
+
+ /* No local authentication phase in this protocol */
+ seat_set_trust_status(telnet->seat, false);
 }
 }
@@ -765,9 +768,6 @@ static char *telnet_init(const BackendVtable *vt, Seat *seat,
 if ((err = sk_socket_error(telnet->s)) != NULL)
 return dupstr(err);
- /* No local authentication phase in this protocol */
- seat_set_trust_status(telnet->seat, false);
-
 telnet->pinger = pinger_new(telnet->conf, &telnet->backend);
 /*