Bug#337484: openssh-client: ssh-add displays password with bad permissions on /dev/tty
Package: openssh-client
Version: 1:4.2p1-5
Severity: important
When /dev/tty is not read/write by all users, ssh-add will display the
password when typed by the user. ssh on the other hand will call the
askpass application (which is far better behaviour).
The bug can be reproduced by running the shell script:
    #!/bin/csh -f
    sudo chmod 660 /dev/tty
    ssh-add
The only reason I found this was that an upgrade to udev messed up my
permissions on /dev. I found it quite disconcerting to actually see
my password displayed in plain text.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (600, 'unstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-amd64-k8-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages openssh-client depends on:
ii adduser 3.67.2 Add and remove users and groups
ii debconf [debconf-2. 1.4.58 Debian configuration management sy
ii dpkg 1.13.11 package maintenance system for Deb
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libcomerr2 1.38-2 common error description library
ii libedit2 2.9.cvs.20050518-2.2 BSD editline and history libraries
ii libkrb53 1.3.6-5 MIT Kerberos runtime libraries
ii libncurses5 5.4-9 Shared libraries for terminal hand
ii libselinux1 1.26-1 SELinux shared libraries
ii libssl0.9.8 0.9.8a-2 SSL shared libraries
ii zlib1g 1:1.2.3-4 compression library - runtime
openssh-client recommends no packages.
-- no debconf information
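
Added example, not part of the original report and not OpenSSH's code: a passphrase reader that fails closed when /dev/tty cannot be opened or echo cannot be disabled, so the caller has to use an askpass helper or abort rather than read with echo on. The names read_secret and read_secret_fd are hypothetical.

```c
/* Added example (not OpenSSH code): never read a passphrase with echo on. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Read one line from fd with echo disabled. Returns its length, or -1 if fd
 * is not a terminal or echo cannot be switched off (nothing is read then). */
ssize_t read_secret_fd(int fd, char *buf, size_t len)
{
    struct termios saved, noecho;
    ssize_t n = 0;
    char c;

    if (len == 0 || tcgetattr(fd, &saved) != 0)
        return -1;                      /* not a tty: refuse instead of echoing */
    noecho = saved;
    noecho.c_lflag &= ~(tcflag_t)ECHO;  /* hide typed characters */
    noecho.c_lflag |= ECHONL;           /* still echo the final newline */
    if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0)
        return -1;
    while ((size_t)n < len - 1 && read(fd, &c, 1) == 1 && c != '\n')
        buf[n++] = c;
    buf[n] = '\0';
    (void)tcsetattr(fd, TCSAFLUSH, &saved);   /* always restore the old mode */
    return n;
}

/* Open tty_path (normally "/dev/tty") and read from it. A return of -1 means
 * the caller must use an askpass helper or give up, not fall back to stdin. */
ssize_t read_secret(const char *tty_path, const char *prompt, char *buf, size_t len)
{
    int fd = open(tty_path, O_RDWR | O_NOCTTY);
    ssize_t n = -1;

    if (fd < 0)
        return -1;                      /* e.g. EACCES after chmod 660 /dev/tty */
    if (write(fd, prompt, strlen(prompt)) >= 0)
        n = read_secret_fd(fd, buf, len);
    close(fd);
    return n;
}

int main(void)
{
    char pw[128];
    if (read_secret("/dev/tty", "Passphrase: ", pw, sizeof pw) < 0) {
        fprintf(stderr, "no terminal without echo available; use askpass\n");
        return 1;
    }
    memset(pw, 0, sizeof pw);           /* a real caller would use pw first */
    return 0;
}
```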