[X-Unix] ssh sudo password in clear text

Paul Hess hess at yacht.com
Sun Jun 10 13:01:20 PDT 2007


Hi Eric,

I don't have exclusive access to that machine, but I suppose if I  
make the sa-learn.sh script only editable by the super-user I should  
be pretty safe. (otherwise someone could edit it to do whatever they  
want with no pw required!).

Instead of making no PW required, is there some way I can supply the  
password within the command line on my calling machine?   I have  
control over that one so I don't really mind embedding the password  
into the script.

Thanks for the tips!

                          - Paul

On Jun 10, 2007, at 3:41 PM, Eric F Crist wrote:

> On Jun 10, 2007, at 2:12 PM, Paul Hess wrote:
>
>> Hi all,
>>
>> I have a command in my bin directory as follows:
>>
>>    ssh someserver.com sudo mailstuff/sa-learn.sh
>>
>> When it executes the remote sudo command, it prompts me for a  
>> password which, when I type it, appears on my screen in cleartext  
>> rather than hidden.  I am using the standard OS/X terminal.
>>
>> Is there some way I can avoid having that password appear in  
>> cleartext?
>>
>> TIA!
>
> Paul,
>
> If you're the owner of that box, I would recommend making that  
> password non-required through your sudo configuration.  A couple of  
> entries such as the following would work nicely for you:
>
> username	ALL = NOPASSWD: /full/path/to/script/mailstuff/sa-learn.sh
> username	ALL = (ALL) ALL
>
> (*There are ways to make this all on one line, but I write it this  
> way for readability.  See man sudoers(5) for more examples)
>
> The first entry allows the command, and only that command, to be  
> executed with sudo, without a password.  A great feature if you're  
> automating anything that requires sudo access (some questionable  
> web site packages require this; oreon, www.oreon-project.org, for  
> one).
>
> The second command allows your user to execute all other commands  
> via sudo, requiring a password.
> The full path above is required for any security conscious  
> administrator, otherwise, if I got access to username's account, I  
> could create any arbitrary mailstuff directory with an sa-learn.sh  
> script within and execute any command I wanted as root, without  
> having to know your password.
>
> My recommendation would be to use /etc/crontab or AT to perform the  
> above task, automatically, at your predetermined intervals.
>
> HTH.  If there are any questions you've got, let me know, I can  
> possibly help you out.
>
> -----
> Eric F Crist
> Secure Computing Networks
>
>
> _______________________________________________
> X-Unix mailing list
> X-Unix at listserver.themacintoshguy.com
> http://listserver.themacintoshguy.com/mailman/listinfo/x-unix
>
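Two of Eric's points above are checkable rather than a matter of taste: a NOPASSWD entry must name the command by its full path (otherwise a `mailstuff/sa-learn.sh` placed anywhere in the user's path would run as root without a password), and Paul's own remark that the script must only be editable by the super-user. The audit below is an added example, not code from the thread or from the sudo project; it understands only the simple one-command-per-line user-spec form shown above (no aliases, no `!` negation), and the sudoers lines it scans are constructed samples, two of which mirror the entries in Eric's reply.

```python
import os
import re
import stat

# Constructed sample sudoers fragment (not from any real system).
SAMPLE_SUDOERS = """\
# Defaults and alias lines are ignored by this checker
Defaults env_reset
username\tALL = NOPASSWD: /full/path/to/script/mailstuff/sa-learn.sh
username\tALL = (ALL) ALL
alice\tALL = (ALL) NOPASSWD: mailstuff/sa-learn.sh
bob\tALL = (root) NOPASSWD: ALL
"""

REASON_RELATIVE = "relative command path"
REASON_ALL = "NOPASSWD for ALL commands"

# user  host = (runas) TAG: cmd, cmd ...   -- simplified sudoers user spec
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

SKIP_KEYWORDS = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")


def parse_user_specs(text):
    """Return one dict per user-spec line; comments, blanks, Defaults and
    alias definitions are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] in SKIP_KEYWORDS:
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        specs.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas"),
            "tags": re.findall(r"[A-Z]+", m.group("tags")),
            "commands": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
        })
    return specs


def find_risky_nopasswd(specs):
    """Flag NOPASSWD entries whose command is not an absolute path, or is ALL.
    Returns (user, command, reason) tuples."""
    findings = []
    for s in specs:
        if "NOPASSWD" not in s["tags"]:
            continue
        for cmd in s["commands"]:
            prog = cmd.split()[0]          # first token is the program
            if prog == "ALL":
                findings.append((s["user"], cmd, REASON_ALL))
            elif not prog.startswith("/"):
                findings.append((s["user"], cmd, REASON_RELATIVE))
    return findings


def perm_issues(mode, uid):
    """Ownership and write-permission problems for a script that sudo will run
    as root without a password: anyone who can edit it can run arbitrary
    commands as root."""
    issues = []
    if uid != 0:
        issues.append("not owned by root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("writable by group or others")
    return issues


def script_issues(path):
    """stat() a real script and report its permission issues."""
    st = os.stat(path)
    return perm_issues(st.st_mode, st.st_uid)


if __name__ == "__main__":
    for user, cmd, reason in find_risky_nopasswd(parse_user_specs(SAMPLE_SUDOERS)):
        print(f"{user}: {cmd!r} -> {reason}")
    # Path from Eric's example; only checked if it exists on this machine.
    script = "/full/path/to/script/mailstuff/sa-learn.sh"
    if os.path.exists(script):
        print(script, script_issues(script) or "ok")
```

Run against a real `/etc/sudoers` only after `visudo -c` confirms it parses; the two entries Eric shows pass cleanly, while `alice`'s relative path and `bob`'s `NOPASSWD: ALL` are reported. The permission check is split so `perm_issues()` can be exercised on plain mode/uid values without needing a root-owned file.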
