Read only permission on /dev/tty exposes passwords and prevents ssh logins to other boxes
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
What Happened:
One day, ssh-add started echoing my password to the terminal. I then tried to ssh and just kept getting "Host key verification failed."
Cause:
Eventually through the use of ssh -v -v -v I figured out that /dev/tty wasn’t usable. I ls -l /dev/tty and found it had permissions of crw------- owned by root:root. I did chmod a+rw and everything started to work.
What I expected:
I would expect SSH to fail before exposing my password. I would expect SSH to print a message normally about being unable to ask for confirmation to add a host key, not not just that the foreign key is invalid.
% lsb_release -rd
Description: Ubuntu 12.04.4 LTS
Release: 12.04
% ssh -v
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
% apt-cache policy ssh
ssh:
Installed: (none)
Candidate: 1:5.9p1-5ubuntu1.4
Version table:
1:
500 http://
1:
500 http://
1:
500 http://