Unexpected conflicting initials prompt is dangerous

vmware-archive / usb-login-scripts

A formal repository for the scripts we use on our SSH-loading USB sticks

Apache License 2.0

28 stars 10 forks source link

Unexpected conflicting initials prompt is dangerous #8

Closed davidje13 closed 7 years ago

davidje13 commented 7 years ago

The typical flow for this script is to run it and enter a password, but if conflicting git duet initials are detected on the machine it will instead ask for an alternative set of initials. This is dangerous since the user is expecting to enter a password at this point.

Alternative initials should either be asked for AFTER the password prompts, or be obvious to the point where a user not paying attention will notice the difference without risking revealing their password.

davidje13 commented 7 years ago

Resolved by 4bbe548a7f149ed48cd34e0505bebf6585ebfc91