Package: sudo
Version: 1.6.7p5-1
Severity: normal
When sudo is used in conjunction with an SSH command, the password
entered into sudo is not hidden, but shown in plaintext on the terminal.
For example,

    ssh remote.foo.org sudo apt-get update

will result in the following output:

    <email address hidden>'s password:

which is the SSH login prompt. After the correct password has been
entered, sudo prompts for the user's password:

    Password:

As the password is entered, the characters appear in plaintext after the
prompt:

    Password:password

This is obviously a bit of a security flaw, making it easy for someone
to shoulder surf you.
Cheers,
Tony
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.24
Locale: LANG=C, LC_CTYPE=C
Versions of packages sudo depends on:
ii libc6 2.3.2.ds1-11 GNU C Library: Shared libraries an
ii libpam-modules 0.76-15 Pluggable Authentication Modules f
ii libpam0g 0.76-15 Pluggable Authentication Modules l
-- no debconf information
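
The check a password prompt can make to avoid the behaviour reported above, as an added example (not sudo's code and not part of the original report). It relies on a fact the report does not state: `ssh host command` allocates no pseudo-terminal unless `-t` is given, so the remote prompt has no terminal on which to disable echo. `read_secret` and its parameters are hypothetical.

```c
/* Added example, not sudo's code: read_secret() is a hypothetical helper. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Read one line from fd with terminal echo off. Returns the length stored
 * (newline stripped), or -1 with errno=ENOTTY when echo cannot be disabled
 * and allow_visible is 0, so the secret is never read where it would show. */
long read_secret(int fd, const char *prompt, char *buf, size_t cap, int allow_visible)
{
    struct termios saved, quiet;
    int echo_off = 0;
    size_t n = 0;
    char c;

    if (cap == 0) { errno = EINVAL; return -1; }
    if (tcgetattr(fd, &saved) == 0) {
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)(ECHO | ECHONL);
        echo_off = (tcsetattr(fd, TCSAFLUSH, &quiet) == 0);
    }
    /* `ssh host cmd` without -t gives the remote command no pty: tcgetattr()
     * fails here and the user's local terminal keeps echoing what is typed. */
    if (!echo_off && !allow_visible) { errno = ENOTTY; return -1; }

    fputs(prompt, stderr);
    while (read(fd, &c, 1) == 1 && c != '\n')
        if (n + 1 < cap)
            buf[n++] = c;
    buf[n] = '\0';
    if (echo_off)
        tcsetattr(fd, TCSAFLUSH, &saved);   /* put the terminal back */
    return (long)n;
}

int main(void)
{
    char pw[128];
    if (read_secret(STDIN_FILENO, "Password: ", pw, sizeof pw, 0) < 0) {
        fputs("no tty on stdin: refusing to read a password that would be echoed\n", stderr);
        return 1;
    }
    fprintf(stderr, "\nread %zu characters with echo off\n", strlen(pw));
    memset(pw, 0, sizeof pw);
    return 0;
}
```

Running the reported command as `ssh -t remote.foo.org sudo apt-get update` forces pseudo-terminal allocation, which gives the remote prompt a terminal on which echo can be disabled.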