Old 07-10-2008, 11:04 AM
"Javier Barroso"
 
Default sudo password visible through ssh command line

Hi,

In sid with key passwordless auth :

ssh user@server "sudo ls"
password: password

And the password is shown to you.

Any tip to avoid this?

Where should this bug be reported, if it could be considered as such (note I don't know if there are more programs with this problem)?


Greetings

Debian Rocks!
 
Old 07-10-2008, 03:57 PM
Raj Kiran Grandhi
 
Default sudo password visible through ssh command line

Javier Barroso wrote:
> Hi,
>
> In sid with key passwordless auth :
>
> ssh user@server "sudo ls"
> password: password
>
> And password is shown you
>
> Any tip to avoid this ?
>
> Where should be reported this bug if it could be consider as such (note
> I don't know if there are more programs with this problem)?

This is not a bug. The password is shown because no tty is allocated to
the command. If you want a tty to be allocated, pass the -t option to
ssh, as in "ssh -t user@server sudo ls"

> Greetings
>
> Debian Rocks!




--

If you can't explain it simply, you don't understand it well enough.
-- Albert Einstein


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 07-10-2008, 05:05 PM
Dave Sherohman
 
Default sudo password visible through ssh command line

On Thu, Jul 10, 2008 at 01:04:31PM +0200, Javier Barroso wrote:
> In sid with key passwordless auth :
>
> ssh user@server "sudo ls"
> password: password
>
> And password is shown you
>
> Any tip to avoid this ?

Do it as two separate commands?

ssh user@server
sudo ls
password: <should not appear>
exit

> Where should be reported this bug if it could be consider as such (note I
> don't know if there are more programs with this problem)?

I would agree that this is a bug, but I'm not sure that it would be at
all straightforward to fix.

--
News aggregation meets world domination. Can you see the fnews?
http://seethefnews.com/


 
Old 07-10-2008, 05:23 PM
Andrew Sackville-West
 
Default sudo password visible through ssh command line

On Thu, Jul 10, 2008 at 01:04:31PM +0200, Javier Barroso wrote:
> Hi,
>
> In sid with key passwordless auth :
>
> ssh user@server "sudo ls"
> password: password
>
> And password is shown you

just confirming I see this behavior as well.

>
> Any tip to avoid this ?

don't issue sudo commands in an ssh command like that. Separate them
into two steps.

>
> Where should be reported this bug if it could be consider as such (note I
> don't know if there are more programs with this problem)?

I definitely consider that a bug. Who to file against? I don't know.

I don't use ssh this way, so...

Is this new behavior? If so can you pinpoint when it started and
determine from your aptitude logs which package may be involved?

I can't come up with another program that will prompt for a password
over ssh like that. Su doesn't work at all.

There is this bug
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=337484 which seems
like it *might* be related.

If you can't come up with anything more definitive, I would recommend
filing against openssh-client as a starting point. They can likely
pinpoint where the problem is and forward appropriately.

A
 
Old 07-10-2008, 10:11 PM
Alex Samad
 
Default sudo password visible through ssh command line

On Thu, Jul 10, 2008 at 01:04:31PM +0200, Javier Barroso wrote:
> Hi,
>
> In sid with key passwordless auth :
>
> ssh user@server "sudo ls"
> password: password
>
> And password is shown you
>
> Any tip to avoid this ?
>
> Where should be reported this bug if it could be consider as such (note I
> don't know if there are more programs with this problem)?

Others have answered ways to get around this. How about ssh straight to
root@ the box (turn sshd to allow root login by sign only and set a
script to allow only certain commands to be run. Have a look at
authorized file)

>
> Greetings
>
> Debian Rocks!

--
"I don't have to accept their tenants. I was trying to convince those college students to accept my tenants. And I reject any labeling me because I happened to go to the university."

- George W. Bush
02/23/2000
Today
 
Old 07-11-2008, 02:26 PM
Chris Davies
 
Default sudo password visible through ssh command line

Andrew Sackville-West <andrew@farwestbilliards.com> wrote:
> On Thu, Jul 10, 2008 at 01:04:31PM +0200, Javier Barroso wrote:
>> In sid with key passwordless auth :
>>
>> ssh user@server "sudo ls"
>> password: password
>>
>> And password is shown you

> I definitely consider that a bug. Who to file against? I don't know.
> Is this new behavior?

It's not a bug (well, not in the classic sense), and it's not new
behaviour.


> Su doesn't work at all.

su complains "su: must be run from a terminal", and this helps point
towards the underlying issue. When you run ssh with a command argument,
it does not (by default) create a terminal. This means there's no way
to disable echo, so sudo ends up prompting with a visible password.

The solution is to force ssh to allocate a pseudo-tty, with the -t flag:

ssh -t user@server sudo ls

Chris
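
The mechanism described in this post, as an added example that is not part of the thread: a prompt routine that checks for a terminal before asking, because echo can only be switched off on a tty. The file name read_secret.sh and the --demo switch are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Run it both ways to compare:
#   ssh user@server 'sh read_secret.sh --demo'      # no tty: refuses to prompt
#   ssh -t user@server 'sh read_secret.sh --demo'   # pty allocated: echo is off

# Read one line from stdin into $SECRET without echoing it.
# Returns 2, without prompting, when stdin is not a terminal.
read_secret() {
    if [ ! -t 0 ]; then
        echo "read_secret: stdin is not a terminal, refusing to prompt" >&2
        return 2
    fi
    saved_tty=$(stty -g) || return 2
    # Restore the terminal even if the user hits Ctrl-C at the prompt.
    trap 'stty "$saved_tty"; exit 130' INT TERM
    stty -echo
    printf 'password: ' >&2
    status=0
    IFS= read -r SECRET || status=$?
    stty "$saved_tty"
    trap - INT TERM
    printf '\n' >&2
    return "$status"
}

if [ "${1:-}" = "--demo" ]; then
    read_secret && echo "read ${#SECRET} characters with echo disabled"
fi
```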


 
Old 07-12-2008, 02:58 PM
"Javier Barroso"
 
Default sudo password visible through ssh command line

On Thu, Jul 10, 2008 at 5:57 PM, Raj Kiran Grandhi <grajkiran@gmail.com> wrote:
> Javier Barroso wrote:
>> Hi,
>>
>> In sid with key passwordless auth :
>>
>> ssh user@server "sudo ls"
>> password: password
>>
>> And password is shown you
>>
>> Any tip to avoid this ?
>>
>> Where should be reported this bug if it could be consider as such (note I don't know if there are more programs with this problem)?
>
> This is not a bug. The password is shown because no tty is allocated to the command. If you want a tty to be allocated, pass the -t option to ssh, as in "ssh -t user@server sudo ls"

Ok,

Thanks to all the people who replied to the question
 
Old 07-14-2008, 02:12 AM
"David Fox"
 
Default sudo password visible through ssh command line

On Thu, Jul 10, 2008 at 3:11 PM, Alex Samad <alex@samad.com.au> wrote:
> other have answered was to get around this. How about ssh straight to
> root@ the box (turn sshd to allow root login by sign only and set a

I don't think this is such a good idea, because direct outside root
logins should be disabled anyway. Think of it like this - if the user
knows he can get root without having to know the password of an
unprivileged user, it's that much easier for him to get in. Rather,
disallow those logins and make outside users use sudo, and make even
that practice suspect (of course there are reasons to let outsiders -
in the sense they don't have physical access to the system in to do
root things).

Of course, passphrases are the thing to set up - especially on direct
root logins as it makes the chance of J. Random Hacker (think of all
the script kiddies from overseas banging into your box at night)
getting through and doing potentially harmful things.


 
Old 07-14-2008, 02:51 AM
Alex Samad
 
Default sudo password visible through ssh command line

On Sun, Jul 13, 2008 at 07:12:36PM -0700, David Fox wrote:
> On Thu, Jul 10, 2008 at 3:11 PM, Alex Samad <alex@samad.com.au> wrote:
> > other have answered was to get around this. How about ssh straight to
> > root@ the box (turn sshd to allow root login by sign only and set a
>
> I don't think this is such a good idea, because direct outside root
> logins should be disabled anyway. Think of it like this - if the user
> knows he can get root without having to know the password of an
> unprivileged user, it's that much easier for him to get in. Rather,
> disallow those logins and make outside users use sudo, and make even
> that practice suspect (of course there are reasons to let outsiders -
> in the sense they don't have physical access to the system in to do
> root things).
I have to agree and disagree. Yes, it would be best to not give outside
people access to root. But if it is limited to rsa key only login, that
makes it nearly impossible (depending on the practicality of the effort).
With normal userids you have all the same problems, password etc.; the
only benefit is they have to guess the name.

If, as I said in my original post, you limit the commands that can be done
over ssh to root, this makes it more secure, especially if you are
limiting to a very small set of commands and options and specifically
just to daily/weekly automated things.

For day-to-day ad hoc tasks, yes, a userid and sudo should be the way to
go.


>
> Of course, passphrases are the thing to setup - especially on direct
> root logins as it makes the chance of J. Random Hacker (think of all
> the script kiddies from overseas banging into your box at night)
> getting through and doing potential harmful things.
yeah I have kept a record on my firewall for the last 4-5 years, it
accepts ssh, but only rsa keys (in fact only one, add to that some
iptables -m limit rules to slow them down)

The thing you missed though is the authorized_keys file, one of the
options is
command="command"
Specifies that the command is executed whenever this key is
used for authentication. The command supplied by the user (if
any) is ignored. The command is run on a pty if the client
requests a pty; otherwise it is run without a tty. If an
8-bit clean channel is required, one must not request a pty
or should specify no-pty. A quote may be included in the command
by quoting it with a backslash. This option might be
useful to restrict certain public keys to perform just a specific
operation. An example might be a key that permits
remote backups but nothing else. Note that the client may specify
TCP and/or X11 forwarding unless they are explicitly
prohibited. The command originally supplied by the client is
available in the SSH_ORIGINAL_COMMAND environment variable.
Note that this option applies to shell, command or subsystem
execution.


You write a script to filter what commands can be run, filtering out ;
& eval and whatever you want.




--
"We're concerned about AIDS inside our White House -- make no mistake about it."

- George W. Bush
02/07/2001
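
One way to write the command="..." wrapper described in this post, as an added example that is not from the thread: rather than stripping characters such as ; and &, it accepts only exact request names and maps each one to a fixed command line. The script path, the key placeholder and the three job names are assumptions.

```sh
#!/bin/sh
# Added example: forced-command wrapper for an authorized_keys entry such as
# (constructed; the path and the key are placeholders):
#   command="/usr/local/sbin/ssh-allow --run",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...placeholder jobs@client
#
# sshd ignores the command the client sent and runs this script instead; the
# client's request is only available as text in SSH_ORIGINAL_COMMAND.

# Map a requested name to a fixed command line. Exact string match only: the
# request is never handed to a shell or to eval. Prints the command to run,
# or returns 1 if the request is not on the list (hypothetical jobs).
allowed_command() {
    case "$1" in
        "disk-usage")   printf '%s\n' "/bin/df -P /" ;;
        "uptime")       printf '%s\n' "/usr/bin/uptime" ;;
        "list-backups") printf '%s\n' "/bin/ls -l /var/backups" ;;
        *)              return 1 ;;
    esac
}

handle_request() {
    request=${SSH_ORIGINAL_COMMAND:-}
    if cmd=$(allowed_command "$request"); then
        logger -t ssh-allow "allowed: $request" 2>/dev/null || true
        set -f        # no globbing; $cmd is split on spaces on purpose
        exec $cmd     # value comes from the table above, never from the client
    fi
    # Log only the length, so a rejected request cannot inject text into syslog.
    logger -t ssh-allow "rejected request (${#request} bytes)" 2>/dev/null || true
    echo "ssh-allow: request rejected" >&2
    return 1
}

if [ "${1:-}" = "--run" ]; then
    handle_request
    exit $?
fi
```

With this entry in place, `ssh root@server uptime` runs /usr/bin/uptime, and any other request, including an interactive login with no command, is rejected.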
 
Old 07-14-2008, 07:02 PM
Andrew Sackville-West
 
Default sudo password visible through ssh command line

On Fri, Jul 11, 2008 at 03:26:58PM +0100, Chris Davies wrote:
> Andrew Sackville-West <andrew@farwestbilliards.com> wrote:
> > On Thu, Jul 10, 2008 at 01:04:31PM +0200, Javier Barroso wrote:
> >> In sid with key passwordless auth :
> >>
> >> ssh user@server "sudo ls"
> >> password: password
> >>
> >> And password is shown you
>
> > I definitely consider that a bug. Who to file against? I don't know.
> > Is this new behavior?
>
> It's not a bug (well, not in the classic sense), and it's not new
> behaviour.
>
>
> > Su doesn't work at all.
>
> su complains "su: must be run from a terminal", and this helps point
> towards the underlying issue. When you run ssh with a command argument,
> it does not (by default) create a terminal. This means there's no way
> to disable echo, so sudo ends up prompting with a visible password.
>
> The solution is to force ssh to allocate a pseudo-tty, with the -t flag:
>
> ssh -t user@server sudo ls

thanks for the lesson.

A
 
