sudo password not masked when connecting with ssh

Bug #56755 reported by Simon on 2006-08-17
276
This bug affects 3 people
Affects Status Importance Assigned to Milestone
sudo (Debian)
Fix Released
Unknown
sudo (Ubuntu)
Medium
Unassigned

Bug Description

Binary package hint: sudo

When using keys to connect via ssh to a server, and issuing the command 'ssh someuser@somehost sudo somecommand', the password prompt which appears to ask for the sudo password displays the password on the screen, rather than hiding it. This puts your password at risk of being compromised by anyone who happens to be looking over your shoulder.

(SOLUTION: use "-t" with ssh, see https://wiki.ubuntu.com/SecurityTeam/FAQ#SSH )

> When sudo is used in conjunction with an SSH command, the password
> entered into sudo is not hidden, but shown in plaintext on the terminal.

This is done by ssh, not sudo. You need to use ssh's -t option. In that
case, sudo can tell ssh to disable echoing of the input.

Eric

As documented in the reply from Eric Lammerts, this is not a bug in sudo per
se, and there's a solution involving the -t option to ssh.

Closing this bug with no further action taken.

Bdale

Simon (simon-rew) wrote :

Binary package hint: sudo

When using keys to connect via ssh to a server, and issuing the command 'ssh someuser@somehost sudo somecommand', the password prompt which appears to ask for the sudo password displays the password on the screen, rather than hiding it. This puts your password at risk of being compromised by anyone who happens to be looking over your shoulder.

Simon Law (sfllaw) wrote :

I don't think this is a bug in sudo.

This is because you're not giving sudo a terminal to ask the password
on. You need to use "ssh -t", which will provide it with a proper virtual
terminal.

Thanks.

Changed in sudo:
status: Unconfirmed → Rejected
Matt Zimmerman (mdz) wrote :

sudo shouldn't display a password prompt if its stdin isn't a terminal

Changed in sudo:
assignee: nobody → pitti
importance: Untriaged → Medium
status: Rejected → Confirmed
Martin Pitt (pitti) on 2006-09-25
Changed in sudo:
importance: Medium → High
status: Confirmed → In Progress
Kees Cook (kees) wrote :

I'd agree with Matt (sudo should fail when there is no terminal). However, upstream may disagree. There is an upstream bug that was rejected for this:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=233730

Martin Pitt (pitti) wrote :

I just tried to fix this with a relatively obvious approach. While this works fine for the ssh case, it completely breaks gksudo, which delivers the passphrase over stdin. To fix this properly, sudo needs something like gpg's --passphrase-from-fd.

I think I'll pass this to upstream for now.

Changed in sudo:
status: In Progress → Confirmed
Martin Pitt (pitti) wrote :

Removing milestone, it's too intrusive to fix this in sudo/gksudo/etc. now.

Changed in sudo:
importance: High → Medium
Kees Cook (kees) wrote :

What about having sudo issue a warning but otherwise not change behavior? For example:

$ ssh remotemachine sudo apt-get update
Warning: not on a terminal -- password will be echoed!
Password:
...

That way tools that are expecting to see "Password:" before continuing won't blow up, and humans will see the warning, and think twice.

Martin Pitt (pitti) on 2009-04-16
Changed in sudo (Ubuntu):
assignee: Martin Pitt (pitti) → nobody
status: Confirmed → Triaged
Kees Cook (kees) wrote :

This is in the FAQ now, as well: https://wiki.ubuntu.com/SecurityTeam/FAQ#SSH

Changed in sudo (Debian):
status: Unknown → Fix Released
L3ttuce (ifearx) wrote :

I just had this same problem happen to me in Karmic (ssh from Karmic to sudo on Jaunty machine). Not the case on a Jaunty machine (ssh from Jaunty to sudo on Karmic). Latter declines to run the command stating there is no askpass specified or no tty.

Kees Cook (kees) on 2010-04-03
Changed in sudo (Ubuntu):
status: Triaged → Won't Fix
description: updated
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.