[X-Unix] ssh sudo password in clear text

Eric F Crist ecrist at secure-computing.net
Sun Jun 10 12:41:38 PDT 2007


On Jun 10, 2007, at 2:12 PM, Paul Hess wrote:

> Hi all,
>
> I have a command in my bin directory as follows:
>
>    ssh someserver.com sudo mailstuff/sa-learn.sh
>
> When it executes the remote sudo command, it prompts me for a  
> password which, when I type it, appears on my screen in cleartext  
> rather than hidden.  I am using the standard OS/X terminal.
>
> Is there some way I can avoid having that password appear in  
> cleartext?
>
> TIA!

Paul,

If you're the owner of that box, I would recommend making that  
password non-required through your sudo configuration.  A couple of
entries such as the following would work nicely for you:

username	ALL = NOPASSWD: /full/path/to/script/mailstuff/sa-learn.sh
username	ALL = (ALL) ALL

(*There are ways to make this all on one line, but I write it this  
way for readability.  See man sudoers(5) for more examples)

The first entry allows the command, and only that command, to be  
executed with sudo, without a password.  A great feature if you're  
automating anything that requires sudo access (some questionable web
site packages require this (oreon, www.oreon-project.org, for one)).

The second command allows your user to execute all other commands via  
sudo, requiring a password.

The full path above is required for any security-conscious
administrator, otherwise, if I got access to username's account, I  
could create any arbitrary mailstuff directory with an sa-learn.sh  
script within and execute any command I wanted as root, without  
having to know your password.

My recommendation would be to use /etc/crontab or AT to perform the  
above task, automatically, at your predetermined intervals.

HTH.  If there are any questions you've got, let me know, I can
possibly help you out.

-----
Eric F Crist
Secure Computing Networks
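
Added example (not part of Eric's message, and not code from sudo): a Python audit of the full-path point above. It goes one step further than the message and also checks that the script and every parent directory are owned by a trusted uid and not writable by group or others. The sample sudoers text is constructed from the two entries in the reply; the function names and the trusted_uids parameter are assumptions of this example.

```python
import os
import re
import stat

# Constructed sample: the two entries from the reply plus a relative-path variant.
SAMPLE = """\
username ALL = NOPASSWD: /full/path/to/script/mailstuff/sa-learn.sh
username ALL = (ALL) ALL
username ALL = NOPASSWD: mailstuff/sa-learn.sh
"""

ENTRY = re.compile(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)$")

def nopasswd_commands(sudoers_text):
    """Yield (user, command path) for simple one-line NOPASSWD entries."""
    for line in sudoers_text.splitlines():
        match = ENTRY.match(line.split("#", 1)[0].strip())
        if match:
            for command in match.group(2).split(","):
                if command.strip():
                    yield match.group(1), command.split()[0]

def path_problems(path, trusted_uids=(0,)):
    """List reasons an untrusted account could replace what `path` runs."""
    if not os.path.isabs(path):
        return ["not an absolute path"]
    problems, current = [], os.path.realpath(path)
    while True:
        try:
            st = os.stat(current)
        except OSError:
            problems.append(f"{current}: missing")
        else:
            # A sticky directory (such as /tmp) does not let others replace existing files.
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_uid not in trusted_uids:
                problems.append(f"{current}: owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
                problems.append(f"{current}: group/world writable")
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return problems
        current = parent

if __name__ == "__main__":
    for user, command in nopasswd_commands(SAMPLE):
        print(user, command, path_problems(command) or "ok")
```

A script that lives under username's own home directory is reported as owned by that uid, which is the case where access to the account is enough to change what runs as root.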
