login passwd not masked in remote command modus

Daniel Kahn Gillmor dkg-openssh.com at fifthhorseman.net
Sat Nov 12 02:49:51 EST 2005


On November 11, tom at penumbra.be said:

 > I've recently discovered a rather nasty bug. My login password is 
 > visible when I use the following command:
 > 
 > arioch@server ~ $ ssh arioch@192.168.0.1 sudo tail -f /var/log/messages; exit
 > Password: ********** (user - masked)
 > Password: my_not-so-secret-anymore_password (root - not masked)

This is because when you use ssh with an explicit command (in the
example above, your command is sudo), ssh doesn't bother allocating a
pseudo-tty for your session, which means that sudo's password-hiding
is not done, since it is not running within a terminal, as far as it
knows.

To force ssh to allocate a pseudo-tty, use -t, as in:

  ssh -t arioch@192.168.0.1 sudo tail -f /var/log/messages; exit

Use "man ssh" and search for pseudo-tty for more details.

Hope this helps,

	--dkg
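
The mechanism described in the message above, as an added example that is not part of the original post: a password prompt hides typing by clearing the terminal's ECHO flag, which is only possible when its input is a terminal. The pipe and the local pty are constructed stand-ins for a session without and with `-t`; all function names are made up for this illustration.

```python
import os
import pty
import termios


def echo_can_be_disabled(fd):
    """Do what a password prompt does: clear ECHO on fd, report success."""
    try:
        attrs = termios.tcgetattr(fd)
    except termios.error:
        # ENOTTY: fd is a pipe or socket, so there is no echo flag to clear.
        return False
    saved = list(attrs)
    attrs[3] &= ~termios.ECHO  # index 3 is the local-modes field
    termios.tcsetattr(fd, termios.TCSANOW, attrs)
    try:
        return not (termios.tcgetattr(fd)[3] & termios.ECHO)
    finally:
        # Restore the original settings, as a well-behaved prompt would.
        termios.tcsetattr(fd, termios.TCSANOW, saved)


def session_without_pty():
    """Stand-in for `ssh host cmd`: the command's stdin is a pipe."""
    r, w = os.pipe()
    try:
        return os.isatty(r), echo_can_be_disabled(r)
    finally:
        os.close(r)
        os.close(w)


def session_with_pty():
    """Stand-in for `ssh -t host cmd`: the command's stdin is a pty slave."""
    master, slave = pty.openpty()
    try:
        return os.isatty(slave), echo_can_be_disabled(slave)
    finally:
        os.close(slave)
        os.close(master)


if __name__ == "__main__":
    print("no pty   (isatty, echo off):", session_without_pty())
    print("with pty (isatty, echo off):", session_with_pty())
```

A script that prompts for a secret can apply the same `os.isatty` check and refuse to read when it fails, rather than accept input it cannot mask.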




More information about the openssh-unix-dev mailing list