Subject: RE: Reflection for Secure IT Server

From: Xu, Qiang (FXSGSC) <>
Date: Tue, 4 May 2010 11:15:20 +0800

> -----Original Message-----
> From:
> [] On Behalf Of Peter Stuge
> Sent: Tuesday, May 04, 2010 11:07 AM
> To:
> Subject: Re: Reflection for Secure IT Server
>
> Good that it works. It is important to remember that the
> password prompt message is sent by the server, and not part
> of the example program.
> The libssh2 application can not know what prompt the server
> is sending. The application would be exactly the same if the
> server instead asked for a one-time-password, or asked the
> user a math question like "What is the solution for 59 + 22",
> or something else.

Got it, Peter! Now I see why it is in clear-text format. :-)

> I see your point, but all libssh2 examples are quite simple
> programs with no other purpose than demonstrating how the
> library is used.
> Hiding the user's response can be technically complicated,
> and is not very portable among all systems that libssh2 runs
> on. Also, the answer is not always something secret, such as
> in the case of OTP, or a math problem. Finally, the examples
> do not hide the password when it is entered on the command
> line (run ps www on the same system while the example is
> running) so I think it is also not a high priority to hide
> the responses during keyboard-interactive auth.

No problem for me. :-)

> At some point I may add similar code to all examples, but
> meanwhile please feel free to copy the code and the
> supporting code in main() into any other examples where it is
> useful for you. And if you like to also submit a patch that
> is of course most welcome! :)

In the meantime, I am busy with the interaction between libcurl and another SFTP server (Reflection for Secure IT Server). I am using libcurl to do SFTP transfers to the server. Are you also on the libcurl list? If yes, maybe you can help a bit. :-)

Thanks a lot,
Xu Qiang
Received on 2010-05-04
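
Added example, not part of the original thread and not code from the libssh2 examples: one way a keyboard-interactive response reader can show the server-supplied prompt and hide the typed answer only when the server's per-prompt echo flag (RFC 4256) is off. The names `kbd_prompt`, `answer_prompt` and `demo` are hypothetical, and the termios calls are POSIX-only, which is the portability cost mentioned in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Assumed stand-in for the text/length/echo fields of LIBSSH2_USERAUTH_KBDINT_PROMPT. */
struct kbd_prompt { const char *text; unsigned int length; unsigned char echo; };
/* Show the server-supplied prompt and read one line from fd_in into buf. Echo is
 * disabled only if echo == 0 and fd_in is a tty. Returns length, or -1 on EOF/overflow. */
static int answer_prompt(const struct kbd_prompt *p, int fd_in, FILE *out,
                         char *buf, size_t buflen)
{
    struct termios saved, quiet;
    int restore = 0, overflow = 0;
    size_t n = 0;
    ssize_t r;
    char c;
    if (buflen == 0) return -1;
    fwrite(p->text, 1, p->length, out);   /* prompt is length-counted, not NUL-terminated */
    fflush(out);
    if (!p->echo && isatty(fd_in)) {
        if (tcgetattr(fd_in, &saved) != 0) return -1;
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)ECHO;
        if (tcsetattr(fd_in, TCSAFLUSH, &quiet) != 0) return -1; /* never read a secret with echo on */
        restore = 1;
    }
    while ((r = read(fd_in, &c, 1)) == 1 && c != '\n') {
        if (n + 1 >= buflen) { overflow = 1; break; }   /* keep room for the NUL */
        buf[n++] = c;
    }
    if (restore) { tcsetattr(fd_in, TCSAFLUSH, &saved); fputc('\n', out); }
    if (r != 1 || overflow) { memset(buf, 0, buflen); return -1; }
    buf[n] = '\0';
    return (int)n;
}

/* Constructed sample driver: feeds `typed` through a pipe in place of a keyboard. */
static char demo_buf[16];
static int demo(const char *prompt, unsigned char echo, const char *typed)
{
    struct kbd_prompt p = { prompt, (unsigned int)strlen(prompt), echo };
    int fds[2], len;
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], typed, strlen(typed)) < 0) { close(fds[0]); close(fds[1]); return -1; }
    close(fds[1]);
    len = answer_prompt(&p, fds[0], stderr, demo_buf, sizeof demo_buf);
    close(fds[0]);
    return len;
}
```

A pipe is not a terminal, so the sample driver exercises the read and bounds handling; the echo switch takes effect when `fd_in` is an interactive terminal such as `STDIN_FILENO`.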