Re: Packet Timing and Data Leaks

On 8/7/23 1:06 PM, Thorsten Glaser wrote:
> On Mon, 7 Aug 2023, Howard Chu wrote:
>
> The keystroke timing issue would be solved by adding LINEMODE support as I did back in 2010.
> https://lists.mindrot.org/pipermail/openssh-unix-dev/2010-June/028732.html
>
> Local line editing by using GNU libreadline? *shudder* No, thanks.
>
> I also ported it to use libedit instead, but readline is more widely used.
>
> Yeah, same point though. I actually did work with such a system once,
> namely Android adb before they removed the local line editing part
> once they had imported mksh, and it was awful. You lose any sort of
> connection to the command line input mode of the remote shell (not
> everyone uses a shell backed by libreadline/libedit), and even
> passwords would show up in the scrollback, etc. but the worst is the
> missing tab completion.
>
> I also doubt it will catch many relevant use cases, e.g. editors.

I think these are valid critiques and using something like this against a "maybe it's an issue" thing is a bit heavy at this point. However, as an intellectual exercise, could interpacket timing actually be a potential information leak in an interactive ssh session? If so, then how much of a threat is it really? So, assuming that it could be done and that it's a reasonable threat, how would we go about mitigating it?

Honestly, just curious about what people think. I don't know if this could ever be a real issue or if I'm just being overly imaginative.

Chris

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


