ucsf-wynton / wynton-website-hpc

The Official Wynton HPC User Website
https://wynton.ucsf.edu/hpc/

Maybe recommend against passwords starting with tilde (~) #114

Open HenrikBengtsson opened 1 year ago

HenrikBengtsson commented 1 year ago

Maybe we should recommend against passwords starting with a tilde (~). Tilde (~) is the default escape character in SSH and is triggered when entered immediately after a newline. So, if a user SSHes in and then enters their password starting with a tilde, they might be entering a world of pain ...

This should be verified to be a real problem before making this recommendation. It could be that the escape character is not triggered at the SSH password prompt. OTOH, it could be that it is triggered when one SSHes from a login node to a development node.

Details:

$ man ssh
...
ESCAPE CHARACTERS
     When a pseudo-terminal has been requested, ssh supports a number of func‐
     tions through the use of an escape character.

     A single tilde character can be sent as ~~ or by following the tilde by a
     character other than those described below.  The escape character must
     always follow a newline to be interpreted as special.  The escape charac‐
     ter can be changed in configuration files using the EscapeChar configura‐
     tion directive or on the command line by the -e option.

     The supported escapes (assuming the default ‘~’) are:

     ~.      Disconnect.

     ~^Z     Background ssh.

     ~#      List forwarded connections.

     ~&      Background ssh at logout when waiting for forwarded connection /
             X11 sessions to terminate.

     ~?      Display a list of escape characters.

     ~B      Send a BREAK to the remote system (only useful if the peer sup‐
             ports it).

     ~C      Open command line.  Currently this allows the addition of port
             forwardings using the -L, -R and -D options (see above).  It also
             allows the cancellation of existing port-forwardings with
             -KL[bind_address:]port for local, -KR[bind_address:]port for re‐
             mote and -KD[bind_address:]port for dynamic port-forwardings.
             !command allows the user to execute a local command if the
             PermitLocalCommand option is enabled in ssh_config(5).  Basic
             help is available, using the -h option.

     ~R      Request rekeying of the connection (only useful if the peer sup‐
             ports it).

     ~V      Decrease the verbosity (LogLevel) when errors are being written
             to stderr.

     ~v      Increase the verbosity (LogLevel) when errors are being written
             to stderr.

ellestad commented 1 year ago

Did you notice a tilde in an account name? I don't think it should be allowed by the form?

HenrikBengtsson commented 1 year ago

Did you notice a tilde in an account name? I don't think it should be allowed by the form?

Sorry for not being clear. I'm talking about passwords here. Both the random temporary ones and the ones set by the user themselves. I'm concerned about the following:

[log1]: ssh alice@dev1
alice@dev1's password: 

If the password for alice starts with a tilde (~), then typing tilde at this SSH password prompt will be interpreted by the original/initial SSH as its special escape character, and put the terminal into a different, invisible mode where the keypresses are no longer interpreted as a password but as control sequences for SSH.

I've just verified that this is the case. For example, if you type ~ and ., the SSH connection (all the way back) is terminated, e.g.

[alice@log1 ~]$ ssh alice@dev1
alice@dev1's password: Connection to log1.wynton.ucsf.edu closed.
[ab@local ~] $ 

Another example is, if you type ~ and ? at the SSH prompt, you'll get:

[alice@log1 ~]$ ssh alice@dev1
alice@dev1's password: 
Supported escape sequences:
 ~.   - terminate connection (and any multiplexed sessions)
 ~B   - send a BREAK to the remote system
 ~C   - open a command line
 ~R   - request rekey
 ~V/v - decrease/increase verbosity (LogLevel)
 ~^Z  - suspend ssh
 ~#   - list forwarded connections
 ~&   - background ssh (when waiting for connections to terminate)
 ~?   - this message
 ~~   - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

where SSH is now again listening for password entry.

So, having a password starting with tilde (~) wreaks havoc unless you really know what you're doing, i.e. you'll have to type tilde twice for that first tilde in your password.
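To make the behaviour discussed in this thread checkable, here is a small model of the ssh client's escape filter as the ssh(1) excerpt above describes it (added example, not code from this repository or from OpenSSH): the escape is only special right after a newline, `~~` forwards one literal tilde, a listed escape is consumed locally, and a tilde followed by any other character is forwarded as typed. `password_hits_escape` is a hypothetical policy helper for vetting generated or chosen passwords; the password strings used are constructed.

```python
ESCAPE = "~"

# The escapes the man page lists for the default escape character.
# "\x1a" is ^Z. ~C and ~B are only recorded here, not emulated further.
COMMANDS = {".": "disconnect", "\x1a": "suspend", "#": "list-forwards",
            "&": "background", "?": "help", "B": "break",
            "C": "command-line", "R": "rekey",
            "V": "verbosity-down", "v": "verbosity-up"}


def filter_keystrokes(keys, escape=ESCAPE):
    """Return (text forwarded to the remote side, actions eaten by ssh).

    Models a user typing `keys` into an ssh session right after pressing
    Enter, e.g. at the password prompt of a nested `ssh alice@dev1`.
    """
    forwarded = []
    actions = []
    at_line_start = True   # the session start and every newline count
    pending = False        # an escape char was seen, waiting for its argument
    for ch in keys:
        if pending:
            pending = False
            if ch in COMMANDS:
                actions.append(COMMANDS[ch])   # consumed locally, never sent
                if ch == ".":
                    break                      # connection torn down
                continue                       # line-start state unchanged
            if ch != escape:                   # '~x' -> both chars sent
                forwarded.append(escape)
            forwarded.append(ch)               # '~~' -> one literal tilde
        elif at_line_start and ch == escape:
            pending = True
            continue
        else:
            forwarded.append(ch)
        at_line_start = ch in "\r\n"
    return "".join(forwarded), actions


def password_hits_escape(password, escape=ESCAPE):
    """True if typing `password` + Enter right after a newline would be
    eaten or altered by the escape filter (constructed policy check)."""
    sent, actions = filter_keystrokes(password + "\n", escape)
    return sent != password + "\n" or bool(actions)
```

Running `filter_keystrokes("~.")` reproduces the disconnect shown above, and `filter_keystrokes("~?secret\n")` shows the help being consumed with the rest of the line still forwarded as a password.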