serious security bug - auto completion reveals password #21476

Closed
5 tasks done
melspectrum opened this issue Apr 16, 2024 · 11 comments
Labels
Resolution-By Design The reported behavior is by design. WG-Interactive-PSReadLine PSReadline related issues

Comments

@melspectrum

Prerequisites

Steps to reproduce

For example, when entering
ssh-add my-personal-private-key, the auto-completion shows
ssh-add my-personal-private-key [my passphrase] in plain text

Expected behavior

do not auto-complete password input

Actual behavior

shows password in plain text

Error details

No response

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Visuals

No response

@melspectrum melspectrum added the Needs-Triage The issue is new and needs to be triaged by a work group. label Apr 16, 2024
@iSazonov
Collaborator

/cc @daxian-dbw

@iSazonov iSazonov added the WG-Interactive-PSReadLine PSReadline related issues label Apr 16, 2024
@rhubarb-geek-nz

As far as I can tell ssh-add is not a PowerShell command and is a simple command line exe

PS> get-command ssh-add

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Application     ssh-add.exe                                        8.6.0.1    C:\WINDOWS\System32\OpenSSH\ssh-add.exe

How does PowerShell know your password if you did not previously enter it on the command line?

Was the password previously entered with a hidden entry method or in the clear?

For example if I do the same on Linux

~$ tail .bash_history
....
ssh-add foo bar
....

Bash on Linux will happily add anything entered on the command line in the history.

@melspectrum
Author

no Linux bash will never auto complete passphrase


@rhubarb-geek-nz

rhubarb-geek-nz commented Apr 16, 2024

> no Linux bash will never auto complete passphrase

Did you previously enter the password in plain text on the command line or as part of a hidden data entry?

If you only entered the password as part of a hidden data entry, where bullets or asterisks replace the characters, then there is a problem.

If you had previously entered it in plain text on the command line and PowerShell is merely completing a previously entered command then there is not a problem.

PS> ssh-add foo bar
Error connecting to agent: No such file or directory
PS> get-history

  Id     Duration CommandLine
  --     -------- -----------
   1        0.025 ssh-add foo bar

@KalleOlaviNiemitalo

KalleOlaviNiemitalo commented Apr 17, 2024

AFAICT, ssh-add doesn't even support specifying a passphrase on the command line. And if ssh-add itself asks for the passphrase, then PowerShell won't know the passphrase.

But this makes me wonder if the autocompletion is being done by the terminal, rather than by PowerShell.

@rhubarb-geek-nz

> But this makes me wonder if the autocompletion is being done by the terminal, rather than by PowerShell.

Alternatively the OP mistakenly typed it on the command line and it ended up in the history.

@StevenBucher98
Collaborator

StevenBucher98 commented Apr 17, 2024

I suggest implementing a history handler in your $PROFILE like the example here https://learn.microsoft.com/en-us/powershell/module/psreadline/set-psreadlineoption?view=powershell-7.4#example-7-use-historyhandler-to-filter-commands-added-to-history. You can filter to exclude anything with key in it.

@daxian-dbw perhaps we need to add key to the default blacklist of keywords to exclude in the PSRL history


@daxian-dbw
Member

@melspectrum It looks to me like what you observed was the prediction from history. You ran ssh-add my-personal-private-key <my passphrase> before (maybe from a different PS session on the same machine), and the command line was saved to the history file; then later on, when you type ssh-add my-personal-private-key, it tries to complete based on history.

> perhaps we need to add key to the default blacklist of keywords to exclude in the PSRL history

key is too broad. The following built-in commands have parameters with key in the names, and almost all of them are not for a password phrase.

PS:24> gcm -ParameterName *key*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Enter-PSSession                                    7.4.1.500  Microsoft.PowerShell.Core
Cmdlet          Get-PSReadLineKeyHandler                           2.3.4      PSReadLine
Cmdlet          Invoke-Command                                     7.4.1.500  Microsoft.PowerShell.Core
Cmdlet          New-PSSession                                      7.4.1.500  Microsoft.PowerShell.Core
Cmdlet          Remove-PSReadLineKeyHandler                        2.3.4      PSReadLine
Cmdlet          Set-PSReadLineKeyHandler                           2.3.4      PSReadLine
Cmdlet          Update-TypeData                                    7.0.0.0    Microsoft.PowerShell.Utility

In the instance of ssh-add my-personal-private-key [my passphrase] command line, "my-personal-private-key" is a user specified name for the private key to be added and it could be any string that can be used as a path, so if you want to filter out something, I guess you will have to filter out all ssh-add commands.

I don't think we should do that filtering in PSReadLine by default. You can follow the example that @StevenBucher98 pointed out above to filter out any command line that starts with ssh-add if you want. Alternatively, you can choose to disable the prediction behavior of PSReadLine by Set-PSReadLineOption -PredictionSource None.

@StevenBucher98
Collaborator

I should also add that disabling the prediction source to none does not mean the history is not saved to the ConsoleHost_history.txt (get file location by running Get-PSReadLineOption). Turning predictions off just means you will not see it in your interactive shell. If you want to ensure no keys from the ssh-add command are saved to the history file I would use the history handler example I shared earlier.

@sdwheeler sdwheeler added Resolution-By Design The reported behavior is by design. and removed Needs-Triage The issue is new and needs to be triaged by a work group. labels Apr 24, 2024
Contributor

This issue has been marked as by-design and has not had any activity for 1 day. It has been closed for housekeeping purposes.
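
The history handler suggested in the thread, written out for the ssh-add case together with a one-time clean-up of lines already saved to the history file. This is an added example, not code from the thread or from the PSReadLine project; it assumes PowerShell 7 with PSReadLine 2.2 or later, and Test-SshAddLine and Remove-SshAddHistory are hypothetical helper names.

```powershell
# Added example for $PROFILE. Test-SshAddLine and Remove-SshAddHistory are
# hypothetical helper names, not part of PSReadLine.

function Test-SshAddLine {
    param([string]$Line)
    # True when ssh-add (optionally ssh-add.exe, optionally with a path or
    # quotes) appears as a word anywhere in the line. This deliberately
    # over-matches: "Get-Command ssh-add" is also kept out of history.
    return $Line -match '(^|[\s;|&''"\\/])ssh-add(\.exe)?([''"\s]|$)'
}

# Called by PSReadLine for every accepted command line.
Set-PSReadLineOption -AddToHistoryHandler {
    param([string]$Line)
    if (Test-SshAddLine $Line) {
        # Neither kept in memory nor written to ConsoleHost_history.txt,
        # so history-based prediction can never offer it again.
        return [Microsoft.PowerShell.AddToHistoryOption]::SkipAdding
    }
    return [Microsoft.PowerShell.AddToHistoryOption]::MemoryAndFile
}

# The handler only affects new commands. Lines saved earlier stay in the
# history file until they are removed, even with -PredictionSource None.
function Remove-SshAddHistory {
    $path = (Get-PSReadLineOption).HistorySavePath
    if (-not (Test-Path -LiteralPath $path)) { return 0 }

    # Read everything first, then rewrite the file without the matching lines.
    # Line-based: a multi-line history entry is only partly removed.
    $lines = @(Get-Content -LiteralPath $path)
    $kept  = @($lines | Where-Object { -not (Test-SshAddLine $_) })
    Set-Content -LiteralPath $path -Value $kept

    # Number of history lines removed
    return $lines.Count - $kept.Count
}
```

Remove-SshAddHistory is meant to be run once by hand; sessions that were already open keep their in-memory copy of the old history until they are closed.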

