I reinstalled one of my machines and gave it new ssh keys, which should yield warnings when I connect to it from a machine I have connected from earlier.

First I get the big warning that the remote host identification has changed, it shows me the correct new ED25519 fingerprint, tells me the line number of the offending key in ~/.ssh/known_hosts and how to remove it with ssh-keygen.

I remove the cached key and connect again. This time it warns about the key for the IP address, which is also expected.

I type "yes" in response to the question if I'm sure I want to continue connecting, and then I use keyboard-interactive/password authentication, having just remotely created the account and set a password on it.

So, what happens after I type the password and hit enter?

I get the same warnings again, but only slightly messed up with a staircase effect like on old printers, where LF only advanced the paper one row and CR was needed to go to the first column.

Kind of what could happen when messing with the terminal settings when reading a password from a shell script.

This is what it looks like (notice the proper line breaks and the visible yes prior to password entry):

[Image: staircase repeated warning]

Am I using a trojaned ssh? I'm on Ubuntu 14.04.2 LTS according to /etc/issue, and the md5sum of the ssh binary is 429980edd6458dff7b113f5f1e162d10 and it is 641664 bytes. Googling for the hash doesn't make me any more enthusiastic.

What should I do now, apart from changing all my passwords everywhere?

Why is it asking me again if I'm sure I want to continue, after supplying a valid password?

MattBianco
  • 1
    I have the same size and same hash on my Ubuntu 14.04 LTS VM installed 2 weeks ago – Jyo de Lys Aug 03 '15 at 14:15
  • To me it looks like a display error, maybe your screen isn't big enough to display it properly, try maximizing your ssh client, sounds silly but it's happened to me :P – Purefan Aug 03 '15 at 14:29
  • 2
    That sort of staircasing is associated with incorrect terminal handling which often happens with a remote session that doesn't think it's got a full terminal. While the range of things that can cause this is wide and varied, I would not assume a hacked anything based just on that. – gowenfawr Aug 03 '15 at 14:50
  • I agree that it is a problem with the terminal that causes the staircasing, but why does it ask again after I have submitted the password already? – MattBianco Aug 03 '15 at 15:06

1 Answer

The effect you are seeing is due to mismatching terminal settings.

Historically some systems have been using two characters to implement a line-break. First character 13 to move the cursor to the start of the line. Then character 10 to move the cursor down. Others have been using just one character to implement a line-break, that is usually character 10 which would move the cursor to the start of the next line.

When the two are mixed up you may end up with only character 10 being sent to a terminal on which character 10 just moves the cursor down.

One way such a mixup can happen is if two programs try to use the terminal simultaneously. Maybe your ~/.ssh/config file is starting some other program together with your `ssh` command.

kasperd
  • Still doesn't explain the repeated question after the successful authentication. I have nothing relevant in `~/.ssh/config`, and the system-wide settings are Ubuntu default I believe. Only `SendEnv LANG LC_*` that I can imagine have any bearing on this. – MattBianco Aug 04 '15 at 07:28
  • @MattBianco I could see the repeated question happen if you somehow have two `ssh` commands running inside the same terminal. There are multiple ways that could happen: `LocalCommand`, `ProxyCommand`, some rc script on the server side running an `ssh` command. I don't think `SendEnv` is responsible. – kasperd Aug 04 '15 at 07:52
  • I agree, but there are no such mechanisms in place here. Fresh remote account with no rc scripts, plain ssh and sshd configs on both sides (both user- and system-wide), and the repeated question is the exact same as the client already asked, (with client-side line numbers that the remote server definitely shouldn't know about), and it was indeed waiting for a yes/no answer. Wouldn't it make you wonder if the same thing happened to you? – MattBianco Aug 04 '15 at 11:16
  • @MattBianco I don't know enough about your exact setup to tell you why it is happening. The identical line numbers do indicate that it is likely for both `ssh` commands to be running locally. I suggest you take a look at a process tree when each of the three prompts is being displayed to see whether two `ssh` commands are running in that terminal. You can run `ps -fA --forest` in a different terminal.  – kasperd Aug 04 '15 at 11:36
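
The line-break mismatch described in the answer can be reproduced without ssh. The following is an added example, not part of the original answer or comments: it opens a pseudo-terminal, writes the same LF-terminated text once with output post-processing enabled (ONLCR) and once in raw mode, which is the mode an interactive ssh client sets on the local terminal, and renders both with a minimal terminal model. The function names and the sample text are constructed for illustration.

```python
import os
import pty
import termios
import tty


def bytes_seen_by_terminal(payload, raw):
    """Write payload to a pty slave; return what the terminal side receives."""
    master, slave = pty.openpty()
    try:
        attrs = termios.tcgetattr(slave)
        # Known "cooked" start: output post-processing on, LF sent as CR LF.
        attrs[1] |= termios.OPOST | termios.ONLCR  # attrs[1] is c_oflag
        termios.tcsetattr(slave, termios.TCSANOW, attrs)
        if raw:
            # Raw mode clears OPOST, so a bare LF passes through unchanged.
            tty.setraw(slave, termios.TCSANOW)
        os.write(slave, payload)
        return os.read(master, 4096)
    finally:
        os.close(slave)
        os.close(master)


def render(stream):
    """Minimal terminal model: CR returns to column 0, LF only moves down."""
    rows, row, col = [""], 0, 0
    for ch in stream.decode("ascii"):
        if ch == "\r":
            col = 0
        elif ch == "\n":
            row += 1
            if row == len(rows):
                rows.append("")
        else:
            line = rows[row].ljust(col)
            rows[row] = line[:col] + ch + line[col + 1:]
            col += 1
    return rows


# Constructed sample text, LF-terminated as a local program would write it.
SAMPLE = b"WARNING\nkey changed\n"

if __name__ == "__main__":
    for raw in (False, True):
        seen = bytes_seen_by_terminal(SAMPLE, raw)
        print("raw" if raw else "cooked", repr(seen))
        print("\n".join(render(seen)))
```

In the raw case the second line starts where the first one ended, which is the staircase from the question: the text was written by something that expected the terminal to add the carriage return.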