openssh unix dev - Nov 2005 - login passwd not masked in remote command modus

Hi,

I've recently discovered a rather nasty bug. My login password is 
visible when I use the following command:

arioch at server ~ $ ssh arioch at 192.168.0.1 sudo tail -f /var/log/messages;
exit
Password: ********** (user - masked)
Password: my_not-so-secret-anymore_password (root - not masked)

-tail output-

This has been tested with openssh on OpenBSD, FreeBSD and Gentoo/Linux, 
all with up-to-date versions of both OpenSSH and Sudo and the output is 
equally the same.

Hoping to be of any service,

Tom D.V.

--
tom at penumbra.be
arioch at penumbra.be

On November 11, tom at penumbra.be said:

 > I've recently discovered a rather nasty bug. My login password is 
 > visible when I use the following command:
 > 
 > arioch at server ~ $ ssh arioch at 192.168.0.1 sudo tail -f
/var/log/messages; exit
 > Password: ********** (user - masked)
 > Password: my_not-so-secret-anymore_password (root - not masked)

This is because when you use ssh with an explicit command (in the
example above, your command is sudo), ssh doesn't bother allocating a
pseudo-tty for your session, which means that sudo's password-hiding
is not done, since it is not running within a terminal, as far as it
knows.

To force ssh to allocate a pseudo-tty, use -t, as in:

  ssh -t arioch at 192.168.0.1 sudo tail -f /var/log/messages; exit

Use "man ssh" and search for pseudo-tty for more details.

Hope this helps,

	--dkg