mmretail / parallel-ssh

Automatically exported from code.google.com/p/parallel-ssh

better detection of ssh yes/no questions #81

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Checking if prompt ends in 'password:' doesn't allow passphrases for key auth. 
Reverse logic to check for 'yes/no' question instead.

Original issue reported on code.google.com by unclemo...@gmail.com on 21 Feb 2013 at 5:11

GoogleCodeExporter commented 8 years ago
The problem is that in theory, ssh could ask anything. In the past, I've seen 
passwords and yes/no questions. Apparently (issue #80), it can also ask for the 
passphrase for a key. But in theory, it could also ask for a username or 
something else entirely. Clearly we can't perfectly detect whether or not a 
prompt is asking for some sort of password, and it's a shame that ssh doesn't 
have a more structured way of specifying what it wants in addition to sending a 
free-form prompt.

In general, I think it's best to be conservative and to only send a password if 
we're sure that it's requested. It would be a shame for passwords to 
accidentally end up in log files or other places, and this could happen for a 
long time before anyone would notice and report it as a bug in pssh. I could be 
persuaded to change the logic if the ssh behavior wasn't completely 
undocumented, but as it is, it seems like being paranoid with the input is the 
safe thing to do.

Do you agree with this? If not, I would be happy to hear arguments for the 
other side.

Original comment by amcna...@gmail.com on 21 Feb 2013 at 5:47
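
The trade-off discussed in this thread, as an added example (not pssh's code and not written by either commenter): it runs the "ends in 'password:'" check and the reversed "not a yes/no question" check over constructed prompts and lists which prompts would receive the stored secret. The `extended_allowlist` policy, the function names and the sample prompts are assumptions made for illustration.

```python
import re

# Constructed sample prompts. The first four are modelled on prompts OpenSSH
# commonly shows; "Username:" and "Verification code:" are hypothetical
# free-form prompts of the kind the second comment worries about.
SAMPLE_PROMPTS = [
    "user@host's password: ",
    "Password: ",
    "Enter passphrase for key '/home/user/.ssh/id_rsa': ",
    "Are you sure you want to continue connecting (yes/no)? ",
    "Username: ",
    "Verification code: ",
]

PASSPHRASE_RE = re.compile(r"^enter passphrase for key '.*':$")


def ends_in_password(prompt):
    """Allowlist from the issue: answer only if the prompt ends in 'password:'."""
    return prompt.strip().lower().endswith("password:")


def not_yes_no(prompt):
    """Reversed logic from the issue: answer anything that is not a yes/no question."""
    return "yes/no" not in prompt.lower()


def extended_allowlist(prompt):
    """Hypothetical middle ground: the allowlist plus one explicit passphrase pattern."""
    text = prompt.strip().lower()
    return text.endswith("password:") or bool(PASSPHRASE_RE.match(text))


def answered(policy, prompts=SAMPLE_PROMPTS):
    """Return the prompts for which `policy` would send the stored secret."""
    return [p.strip() for p in prompts if policy(p)]


def extra_disclosure(loose, strict, prompts=SAMPLE_PROMPTS):
    """Prompts the loose policy answers that the strict one refuses."""
    return [p for p in answered(loose, prompts) if p not in answered(strict, prompts)]


if __name__ == "__main__":
    for policy in (ends_in_password, not_yes_no, extended_allowlist):
        print(policy.__name__, "->", answered(policy))
    print("only the reversed check answers:", extra_disclosure(not_yes_no, extended_allowlist))
```

With these samples the reversed check also answers the username and verification-code prompts, while the extended allowlist picks up the passphrase prompt and nothing else.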