Author Topic: Security Issue: Private key passphrase exposed with Open In Terminal

gvmox

  • Jr. Member
  • **
  • Posts: 3
I'm using public key authentication, which works fine for the initial logon--but it gets exposed using the built-in Terminal feature:

Choosing "Open In Terminal" in the "Listing" menu takes quite a while to open (maybe 30 seconds) and when it finally does, you see why--it pastes the plain text of your SSH private key's passphrase into the terminal and then apparently times out before going to the next command to cd to the correct directory! Not good!

JD

  • Administrator
  • FTP Guru
  • *****
  • Posts: 2157
Re: Security Issue: Private key passphrase exposed with Open In Terminal
« Reply #1 on: September 19, 2011, 03:31:51 PM »
This sounds like a bug for slower connections... for me it's working perfectly fine!

I do apologise for the scare - I'll get it fixed for the next release.

JD

« Reply #2 on: September 19, 2011, 03:44:53 PM »
Can I clarify with you - is your initial connection taking up to 30 seconds also, or just Open In Terminal?

If the latter, was Terminal already running or not?

Thanks,
Jason

gvmox

« Reply #3 on: September 21, 2011, 01:10:10 PM »
Thanks for your responses. The initial connection takes about 4 seconds to connect and just over another second to list the directories. I've tried it with Terminal running and when it's not and don't see a difference. The issue isn't that it's slow; the issue is it was mistakenly passing my private SSH key's passphrase (treating it as though it was the password) and then it would time out and only then proceed. Strange.

JD

« Reply #4 on: September 21, 2011, 01:13:16 PM »
I see! I did indeed misunderstand you.

I'll go test for this specific scenario and get back to you ASAP.

Thanks for following up! :)

JD

« Reply #5 on: September 22, 2011, 09:56:48 AM »
Fixed in the next beta :)

Thanks for bringing this to my attention!

gvmox

« Reply #6 on: September 22, 2011, 09:58:16 AM »
Thanks for your impressive responsiveness! Looking forward to downloading the next version.