Subject: Re: Reflection for Secure IT Server

Re: Reflection for Secure IT Server

From: Peter Stuge <>
Date: Tue, 4 May 2010 05:07:19 +0200

Xu, Qiang (FXSGSC) wrote:
> Yes, your patch is verified to work well. If the server enables
> "Password authentication using keyboard interactive", it will tell
> me the authentication mode is
> "Authentication methods: keyboard-interactive", and I'll be
> prompted to submit the password.

Good that it works. It is important to remember that the password
prompt message is sent by the server, and not part of the example

The libssh2 application can not know what prompt the server is
sending. The application would be exactly the same if the server
instead asked for a one-time-password, or asked the user a math
question like "What is the solution for 59 + 22", or something else.

> If the same setting is disabled, it will tell me
> "Authentication methods: password" (public key authentication has
> been denied at the server's end), and the password must be provided
> together with the command.
> The only shortcoming is that, the password I type is in clear-text
> mode. Wouldn't it be better if it shows something like "*********"
> when I am typing the password?

I see your point, but all libssh2 examples are quite simple programs
with no other purpose than demonstrating how the library is used.

Hiding the user's response can be technically complicated, and is not
very portable among all systems that libssh2 runs on. Also, the
answer is not always something secret, such as in the case of OTP, or
a math problem. Finally, the examples do not hide the password when
it is entered on the command line (run ps www on the same system
while the example is running) so I think it is also not a high
priority to hide the responses during keyboard-interactive auth.

> By the way, in my testing, I am using "example/sftp_write.c". Could
> you provide a similar patch for sftp_write.c?

At some point I may add similar code to all examples, but meanwhile
please feel free to copy the code and the supporting code in main()
into any other examples where it is useful for you. And if you like
to also submit a patch that is of course most welcome! :)

Received on 2010-05-04