[X-Unix] ssh sudo password in clear text

Paul Hess hess at yacht.com
Wed Jun 20 02:01:11 PDT 2007


Sorry for the delay in replying, but this works like a charm.  Thanks!!!

On Jun 10, 2007, at 4:45 PM, Eric F Crist wrote:

> On Jun 10, 2007, at 3:01 PM, Paul Hess wrote:
>>
>> On Jun 10, 2007, at 3:41 PM, Eric F Crist wrote:
>>
>>> On Jun 10, 2007, at 2:12 PM, Paul Hess wrote:
>>>
>>>> Hi all,
>>>>
>>>> I have a command in my bin directory as follows:
>>>>
>>>>    ssh someserver.com sudo mailstuff/sa-learn.sh
>>>>
>>>> When it executes the remote sudo command, it prompts me for a  
>>>> password which, when I type it, appears on my screen in  
>>>> cleartext rather than hidden.  I am using the standard OS/X  
>>>> terminal.
>>>>
>>>> Is there some way I can avoid having that password appear in  
>>>> cleartext?
>>>>
>>>> TIA!
>>>
>>> Paul,
>>>
>>> If you're the owner of that box, I would recommend making that  
>>> password non-required through your sudo configuration.  A couple of
>>> entries such as the following would work nicely for you:
>>>
>>> username	ALL = NOPASSWD: /full/path/to/script/mailstuff/sa-learn.sh
>>> username	ALL = (ALL) ALL
>>>
>>> (*There are ways to make this all on one line, but I write it  
>>> this way for readability.  See man sudoers(5) for more examples)
>>>
>>> The first entry allows the command, and only that command, to be
>>> executed with sudo, without a password.  A great feature if
>>> you're automating anything that requires sudo access (some
>>> questionable web site packages require this; oreon,
>>> www.oreon-project.org, for one).
>>>
>>> The second command allows your user to execute all other commands  
>>> via sudo, requiring a password.
>>> The full path above is required for any security-conscious
>>> administrator; otherwise, if I got access to username's account,
>>> I could create any arbitrary mailstuff directory with an
>>> sa-learn.sh script within and execute any command I wanted as root,
>>> without having to know your password.
>>>
>>> My recommendation would be to use /etc/crontab or AT to perform  
>>> the above task, automatically, at your predetermined intervals.
>>>
>>> HTH.  If you've got any questions, let me know; I can
>>> possibly help you out.
>>>
>>> -----
>>> Eric F Crist
>>> Secure Computing Networks
>
>> Hi Eric,
>>
>> I don't have exclusive access to that machine, but I suppose if I  
>> make the sa-learn.sh script only editable by the super-user I  
>> should be pretty safe. (otherwise someone could edit it to do  
>> whatever they want with no pw required!).
>>
>> Instead of making no PW required, is there some way I can supply  
>> the password within the command line on my calling machine?   I  
>> have control over that one so I don't really mind embedding the  
>> password into the script.
>>
>> Thanks for the tips!
>
> Paul,
>
> The NOPASSWD entry listed in my previous email will ONLY allow  
> username to execute that command without a password, not just any  
> user on the system, if that makes you feel better.  If, however,  
> you still want to execute the command while supplying the password  
> yourself, a command such as this should work:
>
> echo "password" | ssh someserver.com sudo mailstuff/sa-learn.sh
>
> HTH
>
> -----
> Eric F Crist
> Secure Computing Networks

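The two safeguards raised in the thread, an absolute path in the NOPASSWD entry and a script that only the super-user can edit, can be checked mechanically. The script below is an added example, not code from any of the posters; the names `TRUSTED_UID`, `nopasswd_commands`, `is_locked_down` and `audit_target` are made up here, and it goes one step beyond the thread by also checking every directory above the script.

```sh
#!/bin/sh
# Added example: audit the script named by a sudoers NOPASSWD entry.
# TRUSTED_UID is the only owner accepted; 0 (root) on a real host.
TRUSTED_UID="${TRUSTED_UID:-0}"

# Print the command of each NOPASSWD entry in sudoers text read from stdin.
# Covers the one-command form shown in the thread, not aliases or lists.
nopasswd_commands() {
    sed -n 's/^[^#]*NOPASSWD:[[:space:]]*\([^,[:space:]]*\).*$/\1/p'
}

# Succeed only if $1 is owned by TRUSTED_UID and is not writable by group
# or other. "ls -ldnL" prints a numeric uid on both macOS and Linux; -L
# judges the target of a symlink (such as /etc on macOS), not the link.
is_locked_down() {
    info=$(ls -ldnL "$1" 2>/dev/null | awk '{ print $3 ":" $1 }')
    [ -n "$info" ] || return 1
    [ "${info%%:*}" = "$TRUSTED_UID" ] || return 1
    case "${info#*:}" in
        ?????w*|????????w*) return 1 ;;  # 6th char: group w, 9th: other w
    esac
}

# Print one line per problem with target $1; succeed only if there are none.
# Every parent directory is checked too: whoever can write to one of them
# can swap in a different script under the same path.
audit_target() {
    case "$1" in
        /*) ;;
        *) echo "RELATIVE: $1"; return 1 ;;
    esac
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    p=$1 bad=0
    while :; do
        is_locked_down "$p" || { echo "UNSAFE: $p"; bad=1; }
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return "$bad"
}

# Constructed input: the NOPASSWD entry from the thread, with its placeholder path.
printf '%s\n' 'username ALL = NOPASSWD: /full/path/to/script/mailstuff/sa-learn.sh' |
    nopasswd_commands | while read -r cmd; do
        audit_target "$cmd" || :
    done
```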