DomTerm
DomTerm showing my password on input via ssh
When I'm connected over ssh and sudo any command, every character I type during that password prompt gets shown inside the <span class="pending">, which, for a password prompt, is quite unfortunate.
I'm at the current master's HEAD again (572231e).
Looks like only the first part of the password (until the first round-trip) is briefly visible. So it may be an ok tradeoff for someone on a slow line. But perhaps it should be an option.
The problem is DomTerm can't know if echo is on without asking the server, which takes a roundtrip, which defeats the purpose. (Asking for notification when echo changes would be great, but difficult and brittle.) One could try a heuristic, like if it's the first input character, but not the first character on the line (i.e. follows a prompt), then don't display pending input. An alternative is for the server to check if echo is on when sending output to the client. That could be expensive, so it could use heuristics (like an output string with at least 6 characters, no escape, and not ending in newline).
I wonder how mosh handles this.
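The client-side heuristic from the comment above (no pending display for the first key typed after a prompt), as an added example that is not part of the thread and is not DomTerm's code. It goes one step further than the comment by keeping pending display off until the remote side has actually echoed a typed key, so the rest of a password stays hidden too; the class and method names are hypothetical, and output is treated as plain text without escape sequences.

```javascript
// Added example (hypothetical names, not DomTerm's implementation):
// decides whether a typed key may be drawn locally as "pending" input.
class PendingEchoGate {
  constructor() {
    this.column = 0;            // cursor column implied by output seen so far
    this.unconfirmed = "";      // keys sent whose echo has not come back yet
    this.echoConfirmed = false; // has the remote echoed a key on this line?
  }

  // Feed every chunk of output received from the remote side.
  // Simplification: plain text only, escape sequences are not parsed.
  onOutput(chunk) {
    for (const ch of chunk) {
      if (ch === "\n" || ch === "\r") {
        // New line: whatever we learned about echo no longer applies.
        this.column = 0;
        this.unconfirmed = "";
        this.echoConfirmed = false;
        continue;
      }
      this.column++;
      if (this.unconfirmed.length > 0 && ch === this.unconfirmed[0]) {
        // The remote echoed a typed key, so echo is on for this line.
        this.unconfirmed = this.unconfirmed.slice(1);
        this.echoConfirmed = true;
      }
    }
  }

  // Call for each printable key before sending it.
  // Returns true when the key may be shown as pending input.
  onKey(ch) {
    // Column 0 means nothing was printed before the input, so no prompt.
    const followsPrompt = this.column > 0;
    const show = this.echoConfirmed || !followsPrompt;
    this.unconfirmed += ch;
    return show;
  }
}
```

The cost is one round-trip of latency on the first key after every prompt, including ordinary shell prompts.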
I missed the point that your concern is pending-echo of passwords after ssh into a remote computer. In that case "asking the server" if echo is on won't help since the server is the local server (running domterm) and that will always be in raw non-echo mode when ssh-ing.
I do note that many "password" widgets will briefly show the most recent character typed, which isn't that different from what you experience with DomTerm predictive echo (though the latter will depend unpredictably on network latency).
Ideally you'd run a domterm server on the remote computer - like mosh does. However, that isn't as convenient or friendly as it should be. See http://domterm.org/Remote-serving.html . I'd like to be able to have a local domterm automatically start up a remote domterm over ssh, and then forward between them using ssh. I think that would be nice, but I haven't implemented it.
Regardless, there should be an option to disable predictive echo, and might as well follow mosh in having a --predict option.
I'm seeing this during sudo on WSL in all cases. It renders *'s, and then after pressing return the *'s change into the actual entered password (backend: Electron).
@lypanov "after pressing return the *'s change into the actual entered password"
I just tried this on WSL, and I'm not seeing this: after pressing return the *'s are removed.
I'm using the latest DomTerm git master - I remember seeing behavior similar to what you reported, but I believe they were fixed in November. I'm using Windows 1909 build 18363 with Ubuntu 18.04.03 LTS.
If you can specify exactly which commands you're running, under which shell, I can test it out.
I changed some things in how "enter" is processed, especially when in password mode. Let me know if things are better, and what annoyances remain.
Excellent, this has fixed my specific issue! Thank you!
I still do see a brief display of the current character, but, as you noticed, this seems to be the password entry widget itself.