login passwd not masked in remote command modus
Daniel Kahn Gillmor
dkg-openssh.com at fifthhorseman.net
Sat Nov 12 02:49:51 EST 2005
On November 11, tom at penumbra.be said:
> I've recently discovered a rather nasty bug. My login password is
> visible when I use the following command:
>
> arioch at server ~ $ ssh arioch at 192.168.0.1 sudo tail -f /var/log/messages; exit
> Password: ********** (user - masked)
> Password: my_not-so-secret-anymore_password (root - not masked)
This is because when you use ssh with an explicit command (in the
example above, your command is sudo), ssh doesn't bother allocating a
pseudo-tty for your session, which means that sudo's password-hiding
is not done, since it is not running within a terminal, as far as it
knows.
To force ssh to allocate a pseudo-tty, use -t, as in:
ssh -t arioch at 192.168.0.1 sudo tail -f /var/log/messages; exit
Use "man ssh" and search for pseudo-tty for more details.
Hope this helps,
--dkg
More information about the openssh-unix-dev
mailing list