[X-Unix] ssh sudo password in clear text

Eric F Crist ecrist at secure-computing.net
Sun Jun 10 13:45:11 PDT 2007


On Jun 10, 2007, at 3:01 PM, Paul Hess wrote:
>
> On Jun 10, 2007, at 3:41 PM, Eric F Crist wrote:
>
>> On Jun 10, 2007, at 2:12 PM, Paul Hess wrote:
>>
>>> Hi all,
>>>
>>> I have a command in my bin directory as follows:
>>>
>>>    ssh someserver.com sudo mailstuff/sa-learn.sh
>>>
>>> When it executes the remote sudo command, it prompts me for a  
>>> password which, when I type it, appears on my screen in cleartext  
>>> rather than hidden.  I am using the standard OS/X terminal.
>>>
>>> Is there some way I can avoid having that password appear in  
>>> cleartext?
>>>
>>> TIA!
>>
>> Paul,
>>
>> If you're the owner of that box, I would recommend making that  
>> password non-required through your sudo configuration.  A couple of  
>> entries such as the following would work nicely for you:
>>
>> username	ALL = NOPASSWD: /full/path/to/script/mailstuff/sa-learn.sh
>> username	ALL = (ALL) ALL
>>
>> (*There are ways to make this all on one line, but I write it this  
>> way for readability.  See man sudoers(5) for more examples)
>>
>> The first entry allows the command, and only that command, to be  
>> executed with sudo, without a password.  A great feature if you're  
>> automating anything that requires sudo access (some questionable  
>> web site packages require this; oreon, www.oreon-project.org, for  
>> one).
>>
>> The second command allows your user to execute all other commands  
>> via sudo, requiring a password.
>> The full path above is required for any security-conscious  
>> administrator, otherwise, if I got access to username's account, I  
>> could create any arbitrary mailstuff directory with an sa-learn.sh  
>> script within and execute any command I wanted as root, without  
>> having to know your password.
>>
>> My recommendation would be to use /etc/crontab or AT to perform  
>> the above task, automatically, at your predetermined intervals.
>>
>> HTH.  If there are any questions you've got, let me know, I can  
>> possibly help you out.
>>
>> -----
>> Eric F Crist
>> Secure Computing Networks

> Hi Eric,
>
> I don't have exclusive access to that machine, but I suppose if I  
> make the sa-learn.sh script only editable by the super-user I  
> should be pretty safe. (otherwise someone could edit it to do  
> whatever they want with no pw required!).
>
> Instead of making no PW required, is there some way I can supply  
> the password within the command line on my calling machine?  I  
> have control over that one so I don't really mind embedding the  
> password into the script.
>
> Thanks for the tips!

Paul,

The NOPASSWD entry listed in my previous email will ONLY allow  
username to execute that command without a password, not just any  
user on the system, if that makes you feel better.  If, however, you  
still want to execute the command while supplying the password  
yourself, a command such as this should work:

echo "password" | ssh someserver.com sudo mailstuff/sa-learn.sh

HTH

-----
Eric F Crist
Secure Computing Networks
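The two conditions raised in this thread, that a NOPASSWD rule must name the command by its full path and that the script itself must be editable only by root, can be checked mechanically. The script below is an added example, not code from the list or from Eric or Paul; it assumes sudoers lines of the simple one-rule-per-line form quoted above (no Defaults lines, aliases or line continuations), treats NOPASSWD: ALL as failing the path check because it is the broadest possible grant, and parses the mode and owner columns of `ls -ld` rather than `stat`, whose flags differ between OS X and Linux.

```shell
#!/bin/sh
# Added example: audit NOPASSWD sudoers rules and the scripts they point at.
# Two checks, matching the thread above:
#   1. every command after NOPASSWD: must be an absolute path, otherwise the
#      user can supply their own mailstuff/sa-learn.sh and run it as root;
#   2. the script must be root-owned and not group- or world-writable,
#      otherwise anyone who can edit it owns a password-less root command.

# nopasswd_cmds_absolute RULE
# RULE is one sudoers line, e.g. "username ALL = NOPASSWD: /usr/local/bin/x".
# Returns 0 if the rule prompts for a password (nothing to check) or if every
# comma-separated command after NOPASSWD: begins with '/'; returns 1 otherwise.
# "NOPASSWD: ALL" deliberately returns 1: it is not a path, and it grants everything.
nopasswd_cmds_absolute() {
    rule=$1
    case $rule in
        *NOPASSWD:*) ;;
        *) return 0 ;;
    esac
    cmds=${rule#*NOPASSWD:}
    old_ifs=$IFS
    IFS=,                      # split the command list on commas only
    for c in $cmds; do
        c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//')
        first=${c%% *}         # command word, with any arguments dropped
        case $first in
            /*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# mode_is_locked MODESTRING OWNER
# MODESTRING is the first column of ls -ld (e.g. -rwxr-xr-x), OWNER the third.
# Returns 0 when the owner is root and neither group nor other has write.
# Position 6 of the mode string is group write, position 9 is other write.
mode_is_locked() {
    mode=$1
    owner=$2
    [ "$owner" = root ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# script_locked_down FILE
# Returns 0 when FILE exists and mode_is_locked holds for it.
script_locked_down() {
    f=$1
    [ -e "$f" ] || return 1
    set -- $(ls -ld "$f")      # $1 = mode, $3 = owner
    mode_is_locked "$1" "$3"
}

# Constructed sample rules for a demonstration run (not from any real sudoers).
for rule in \
    "username ALL = NOPASSWD: /full/path/to/script/mailstuff/sa-learn.sh" \
    "username ALL = NOPASSWD: mailstuff/sa-learn.sh" \
    "username ALL = (ALL) ALL"
do
    if nopasswd_cmds_absolute "$rule"; then
        printf 'OK   %s\n' "$rule"
    else
        printf 'WEAK %s\n' "$rule"
    fi
done
```

Run it over each non-comment line of `sudo -l` or visudo's output and pass every path a NOPASSWD rule names to `script_locked_down`; a WEAK result on the first check or a failure on the second is the exact condition Eric and Paul describe.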



