From bdb3ac9f3b80b0c94c05261abc9cbe7b89a9ebea Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Sun, 23 Oct 2022 14:00:07 +0100 Subject: [PATCH] Restrict -pwfile / -pw to apply to server prompts only. Jacob spotted that an unused -pwfile input can be accidentally used as the answer to Plink's antispoof 'press Return to begin session' prompt, which is unintended and confusing. To fix that, I've made the use of a command-line password conditional on p->to_server, the flag in a prompts_t that indicates whether the results of the prompts are going to be sent directly to the server or consumed locally by PuTTY. (And I've also corrected the setting of to_server in the antispoof prompt, which was true when it should have been false.) A side effect of this is that -pwfile will no longer work to provide a private-key passphrase, if you're using public-key authentication without Pageant. This is deliberate, because if you're doing that on purpose then Pageant is a better way to achieve the same thing (or else just store the key unencrypted, which is no worse); but in the case of a server that sequentially demands public-key _and_ password authentication, the new behaviour makes -pwfile apply to the right one of the two prompts, i.e. the actual password. --- cmdline.c | 8 ++++++-- ssh/connection2.c | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/cmdline.c b/cmdline.c index 1aced283..812b71e7 100644 --- a/cmdline.c +++ b/cmdline.c @@ -87,9 +87,13 @@ SeatPromptResult cmdline_get_passwd_input( /* * We only handle prompts which don't echo (which we assume to be * passwords), and (currently) we only cope with a password prompt - * that comes in a prompt-set on its own. + * that comes in a prompt-set on its own. Also, we don't use a + * command-line password for any kind of prompt which is destined + * for local use rather than to be sent to the server: the idea is + * to pre-fill _passwords_, not private-key passphrases (for which + * there are better alternatives available). */ - if (p->n_prompts != 1 || p->prompts[0]->echo) { + if (p->n_prompts != 1 || p->prompts[0]->echo || !p->to_server) { return SPR_INCOMPLETE; } diff --git a/ssh/connection2.c b/ssh/connection2.c index f2f07b17..77b8d0ec 100644 --- a/ssh/connection2.c +++ b/ssh/connection2.c @@ -989,7 +989,7 @@ static void ssh2_connection_process_queue(PacketProtocolLayer *ppl) */ if (ssh2_connection_need_antispoof_prompt(s)) { s->antispoof_prompt = ssh_ppl_new_prompts(&s->ppl); - s->antispoof_prompt->to_server = true; + s->antispoof_prompt->to_server = false; s->antispoof_prompt->from_server = false; s->antispoof_prompt->name = dupstr("Authentication successful"); add_prompt(