Floobits/flootty

Don't send input over the wire if terminal echo is disabled

byroot opened this issue · 3 comments

Hi,

After a quick check it seems that when the terminal echo is disabled (typically used to type passwords) the keystroke is still sent to the server.

It may be a good idea to check terminal echo before sending data.

Regards.

This is a good idea, but my tty-fu is weak. If you have any suggestions on how best to implement this, I'm all ears.

kans commented

We actually tested this implementation. It turns out that echo is almost always disabled. The shell is responsible for echoing in most cases. The only time we ever found echoing enabled was in cat.

Update: We've changed flootty so that the owner of a terminal never sends the actual data typed to us. It only sends a "user typed something" event, and only every two seconds at most. This means that passwords are not sent to us. In fact, not even the length of the password is sent.

Of course, anyone joining the terminal has to send the input to us, and we have to forward that data to the terminal owner.

Still, I think this solves the problem in this issue. Closing.
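The two approaches discussed in this thread, as an added sketch (not flootty's own code): reading the tty's ECHO flag via `termios`, and an owner-side relay that writes keystrokes only to the local pty and emits a content-free, rate-limited event. The names `echo_enabled`, `set_echo`, `OwnerInputRelay` and the `{"name": "activity"}` event shape are hypothetical.

```python
import os
import termios
import time

MIN_INTERVAL = 2.0  # seconds; the thread says "every two seconds at most"


def echo_enabled(fd):
    """Return True if the tty behind fd has the ECHO local flag set.

    Per the thread, this is a weak signal for "a password is being typed":
    the shell is responsible for echoing in most cases, so ECHO is off
    almost all of the time.
    """
    return bool(termios.tcgetattr(fd)[3] & termios.ECHO)


def set_echo(fd, on):
    """Set or clear ECHO on fd, the way a password prompt would."""
    attrs = termios.tcgetattr(fd)
    if on:
        attrs[3] |= termios.ECHO
    else:
        attrs[3] &= ~termios.ECHO
    termios.tcsetattr(fd, termios.TCSANOW, attrs)


class OwnerInputRelay:
    """Owner side: typed bytes stay local, the server only learns 'activity'."""

    def __init__(self, pty_fd, send_event, clock=time.monotonic):
        self.pty_fd = pty_fd          # local pty master (or any writable fd)
        self.send_event = send_event  # callable that ships an event upstream
        self.clock = clock
        self.last_sent = None

    def on_keystrokes(self, data):
        """Write data locally; return True if an activity event was sent."""
        os.write(self.pty_fd, data)   # never leaves this machine
        now = self.clock()
        if self.last_sent is not None and now - self.last_sent < MIN_INTERVAL:
            return False              # rate limit also hides keystroke count
        self.last_sent = now
        # Hypothetical event shape: no bytes, no length, no timing per key.
        self.send_event({"name": "activity"})
        return True
```
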