LinuxQuestions.org
Old 05-28-2013, 03:16 PM   #1
georgewhr
Member
 
Registered: Nov 2012
Location: SF Bay Area
Posts: 45

where does ssh password prompt go?


Hello guys, I'm trying to catch the password prompt, but I'm not sure where it goes. Here is the example.

georgew@myLinux$ ssh root@155.226.168.69
root@155.226.166.69's password: // This string does not seem to go to stdout or stderr

When I type: ssh root@155.226.168.69 1> file, that string is not appended to that file.

Does anyone know where "root@155.226.166.69's password:" goes?

Thanks
 
Old 05-28-2013, 09:11 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Is there a reason you don't want to use keys for this? It's not something I've had to do for a while, but generating keys without a passphrase used to do the job (you may also be able to use an agent to cache the passphrase). Also, does it have to be done as root?
 
1 members found this post helpful.
Old 05-28-2013, 09:51 PM   #3
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 7,701

I would guess from a position of complete ignorance that the password goes to stdin.
 
Old 06-20-2013, 03:24 PM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,189

Nope.

Ssh does not use stdin for passwords. It opens a file descriptor for the device /dev/tty which is linked (per user) to the device tty being used (either pty or tty).

This is necessary because stdin may be normal data (as in scp - which is a ssh client that transfers files), OR because stdin may be redirected from command lists (shell scripts - sending commands to a remote login) or something as simple as "ssh remotehost 'cat >file' <input_file".

The password must come from a "trusted source", and stdin is not it. Also note that the prompt for the password doesn't go to stderr either. It too is output over a file descriptor (for write) to /dev/tty.

This is also why things like the "expect" utility are used to fake a "trusted source" by using a pseudo terminal to run ssh on, then it can examine the responses and send appropriate data to the pseudo terminal.

Last edited by jpollard; 06-20-2013 at 03:26 PM.
 
2 members found this post helpful.
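
What post #4 describes, as an added example (not code from the thread or from OpenSSH): a stand-in child program prompts on /dev/tty while its stdin, stdout and stderr are redirected, and the parent does what expect does by giving it a pseudo terminal as its controlling terminal. The child script, the prompt text and the sample answer are constructed for the illustration; Linux is assumed.

```python
import fcntl, os, pty, select, subprocess, sys, termios

# Constructed stand-in for ssh's prompt logic: it ignores stdin/stdout/stderr
# and talks to the controlling terminal through /dev/tty instead.
CHILD = r'''
import os
fd = os.open("/dev/tty", os.O_RDWR)
os.write(fd, b"demo password: ")       # prompt goes to the terminal device
secret = os.read(fd, 128).strip()      # answer is read from the terminal device
print("got %d bytes" % len(secret))    # ordinary output still goes to stdout
'''

def run_on_pty(answer=b"hunter2\n"):
    """Run CHILD with a pty as its controlling terminal; return what each channel saw."""
    master, slave = pty.openpty()

    def make_controlling_tty():
        os.setsid()                               # new session, no terminal yet
        fcntl.ioctl(slave, termios.TIOCSCTTY, 0)  # pty slave becomes /dev/tty

    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD],
        stdin=subprocess.DEVNULL,                 # stdin carries nothing
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        preexec_fn=make_controlling_tty, pass_fds=(slave,))
    os.close(slave)                               # child keeps its own copy

    seen = b""
    while b"password: " not in seen:              # wait for the prompt on the pty
        ready, _, _ = select.select([master], [], [], 5)
        if not ready:
            break
        seen += os.read(master, 1024)
    os.write(master, answer)                      # "type" the answer on the terminal
    out, err = proc.communicate(timeout=5)
    os.close(master)
    return seen, out, err

if __name__ == "__main__":
    seen, out, err = run_on_pty()
    print("pty saw:", seen)
    print("stdout :", out)
    print("stderr :", err)
```

The prompt shows up only on the pty master; the redirected stdout and stderr never contain it, which is why `ssh ... 1> file` leaves the prompt out of the file.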
Old 06-20-2013, 06:23 PM   #5
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 7,701

Nice explanation. Thanks for clearing up my ignorance.
 
Old 06-20-2013, 09:02 PM   #6
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,377

And still what you want to be doing here is certificates ... with password-prompts specifically turned off.

If you want to go into that door, then you must present a badge that has been uniquely issued to you and that cannot be forged. You must also know the passphrase that was used to lock (encrypt ...) that key, in order to be able to use it at all.

Password-prompting should be "not an option." No one is even given an opportunity to "say the magic word." You must have your badge.
 
Old 06-26-2013, 01:10 PM   #7
georgewhr
Member
 
Registered: Nov 2012
Location: SF Bay Area
Posts: 45

Original Poster
Quote:
Originally Posted by jpollard
Nope.

Ssh does not use stdin for passwords. It opens a file descriptor for the device /dev/tty which is linked (per user) to the device tty being used (either pty or tty).

This is necessary because stdin may be normal data (as in scp - which is a ssh client that transfers files), OR because stdin may be redirected from command lists (shell scripts - sending commands to a remote login) or something as simple as "ssh remotehost 'cat >file' <input_file".

The password must come from a "trusted source", and stdin is not it. Also note that the prompt for the password doesn't go to stderr either. It too is output over a file descriptor (for write) to /dev/tty.

This is also why things like the "expect" utility are used to fake a "trusted source" by using a pseudo terminal to run ssh on, then it can examine the responses and send appropriate data to the pseudo terminal.
Thanks for the nice explanation.
So the password prompt goes to a descriptor from /dev/tty, which is considered to be a trusted source. Is that correct?
 
Old 06-26-2013, 02:53 PM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,189

yes.
 
  

