login passwd not masked in remote command modus

Tom tom at penumbra.be
Sat Nov 12 02:33:51 EST 2005


I've recently discovered a rather nasty bug. My login password is 
visible when I use the following command:

arioch at server ~ $ ssh arioch at sudo tail -f /var/log/messages; exit
Password: ********** (user - masked)
Password: my_not-so-secret-anymore_password (root - not masked)

-tail output-

This has been tested with OpenSSH on OpenBSD, FreeBSD and Gentoo/Linux, 
all with up-to-date versions of both OpenSSH and Sudo, and the output is 
the same on all of them.

Hoping to be of any service,

Tom D.V.

tom at penumbra.be
arioch at penumbra.be

More information about the openssh-unix-dev mailing list