login passwd not masked in remote command modus

Tom tom at penumbra.be
Sat Nov 12 02:33:51 EST 2005


Hi,

I've recently discovered a rather nasty bug. My login password is 
visible when I use the following command:

arioch at server ~ $ ssh arioch at 192.168.0.1 sudo tail -f /var/log/messages; exit
Password: ********** (user - masked)
Password: my_not-so-secret-anymore_password (root - not masked)

-tail output-

This has been tested with openssh on OpenBSD, FreeBSD and Gentoo/Linux, 
all with up-to-date versions of both OpenSSH and Sudo and the output is 
equally the same.

Hoping to be of any service,

Tom D.V.

--
tom at penumbra.be
arioch at penumbra.be
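
Added example (not part of the original post, and not OpenSSH or sudo code): ssh does not allocate a pseudo-terminal for a remote command unless `-t` is given, so a password prompt on the remote side has no tty on which to turn echo off. The Python code below reproduces that condition locally with a pty and a pipe; the function names and the sample secret are constructed for illustration.

```python
import os
import pty
import select
import termios

SAMPLE = b"constructed-secret\n"  # constructed sample input, not a real password


def set_echo(fd, enabled):
    """Switch terminal echo on or off; return False if fd is not a tty."""
    try:
        attrs = termios.tcgetattr(fd)
    except termios.error:
        return False  # pipe, socket or file: there is no echo flag to change
    if enabled:
        attrs[3] |= termios.ECHO
    else:
        attrs[3] &= ~termios.ECHO
    termios.tcsetattr(fd, termios.TCSANOW, attrs)
    return True


def typed_text_is_visible(hide):
    """Type SAMPLE into a pty and report whether the terminal echoes it back."""
    master, slave = pty.openpty()
    try:
        set_echo(slave, not hide)   # what a password prompt does on a tty
        os.write(master, SAMPLE)    # the user typing
        os.read(slave, 1024)        # the program reading the password line
        ready, _, _ = select.select([master], [], [], 0.5)
        return bool(ready) and SAMPLE.strip() in os.read(master, 1024)
    finally:
        os.close(master)
        os.close(slave)


def pipe_can_hide():
    """A prompt whose stdin is a pipe (no pty allocated) cannot disable echo."""
    r, w = os.pipe()
    try:
        return set_echo(r, False)
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    print("pty, echo left on :", typed_text_is_visible(hide=False))
    print("pty, echo disabled:", typed_text_is_visible(hide=True))
    print("pipe can hide input:", pipe_can_hide())
```
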



