https://bugs.kde.org/show_bug.cgi?id=513788

            Bug ID: 513788
           Summary: ksshaskpass is error prone and susceptible to misuse,
                    steals the keyboard focus and input from other
                    windows.
    Classification: I don't know
           Product: kde
Version First Reported In: unspecified
          Platform: Other
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

KDE distributions such as Kubuntu 25.10 do come with

SSH_ASKPASS=/usr/bin/ksshaskpass

which is suitable only if you use manually launched, single ssh connections.
Once you use ssh from within a script or launched from another program with
some delay, e.g. when using Ansible, or some scripts which first generate some
file(s) and then scp or rsync them, this goes wrong:

When doing some other work, e.g. using a web browser or writing into an editor,
while running a program making use of ssh (e.g. Ansible), ksshaskpass pops up
suddenly and *immediately* grabs the keyboard focus, faster than the user can
respond and interrupt. Keystrokes meant for e.g. the editor or web browser go
directly to ksshaskpass, and if one of them was a return key, the use of the
ssh key is unintentionally – and without a chance to read the request –
confirmed. This neutralizes the function of using ssh-agent confirmation to
increase security, if the confirmation requester steals input given to other
programs and accepts it as confirmation.

It can even stack password requests, and then fail. E.g. if the password is
"123456", it can happen, e.g. when programs like Ansible use ssh to log in to
several machines simultaneously, that the user enters "1", a second requester
opens on top, the user continues to enter the password, thus entering "23456"
into a new requester, which then fails.
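One way to stop the stacked-requester failure described above is to make sure only one askpass dialog can be open at a time, so the second ssh connection waits until the first prompt has been answered instead of opening a new dialog on top of it. The POSIX shell wrapper below is an added example, not code from the bug report or from ksshaskpass: it serializes every invocation with an atomic mkdir lock and delegates the actual prompt to the real helper. The REAL_ASKPASS and LOCKDIR paths, and the variable and function names, are assumptions; it would be installed by pointing SSH_ASKPASS at this script instead of at /usr/bin/ksshaskpass. It does nothing about the first problem, a dialog accepting a stray Return as confirmation of an agent request, which can only be fixed inside the dialog itself.

```shell
#!/bin/sh
# Serializing SSH_ASKPASS wrapper (added example; hypothetical, not part of
# ksshaskpass or of the bug report). ssh and ssh-agent invoke SSH_ASKPASS with
# the prompt text as the single argument and read the answer from stdout, so
# this script keeps that contract and only adds mutual exclusion between
# concurrent prompts.

# Real helper to delegate to (assumed path; override via the environment).
REAL_ASKPASS="${REAL_ASKPASS:-/usr/bin/ksshaskpass}"
# Lock directory: mkdir either creates it or fails atomically, so it works as
# a mutex on any POSIX filesystem without depending on flock(1).
LOCKDIR="${LOCKDIR:-${XDG_RUNTIME_DIR:-/tmp}/ssh-askpass-serial.lock}"

# serialized_askpass PROMPT
#   Blocks until no other wrapper instance holds the lock, then runs the real
#   helper with PROMPT and passes its stdout (the answer) through unchanged.
#   The work happens in a subshell with an EXIT trap so the lock is released
#   on every exit path, including a cancelled dialog.
serialized_askpass() {
    prompt=$1
    (
        while ! mkdir "$LOCKDIR" 2>/dev/null; do
            sleep 1   # another prompt is still open; wait for it to finish
        done
        trap 'rmdir "$LOCKDIR"' EXIT
        "$REAL_ASKPASS" "$prompt"
    )
}

# Entry point when installed as SSH_ASKPASS: ssh passes exactly one argument.
# With no argument (e.g. when sourced from a test) only the functions are
# defined and nothing is prompted.
if [ "$#" -gt 0 ]; then
    serialized_askpass "$1"
fi
```

The lock only covers prompts that go through this wrapper, and a process killed with SIGKILL while holding it leaves a stale directory behind that has to be removed by hand; a per-session LOCKDIR under XDG_RUNTIME_DIR keeps that from outliving the login session.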
