[Bug 1344029] [NEW] Read only permission on /dev/tty exposes passwords and prevents ssh logins to other boxes
jimktrains
jimktrains at gmail.com
Fri Jul 18 13:01:02 UTC 2014
Public bug reported:
What Happened:
One day, ssh-add started echoing my password to the terminal. I then
tried to ssh and just kept getting "Host key verification failed."
Cause:
Eventually through the use of ssh -v -v -v I figured out that /dev/tty
wasn’t usable. I ls -l /dev/tty and found it had permissions of
crw------- owned by root:root. I did chmod a+rw and everything started
to work.
What I expected:
I would expect SSH to fail before exposing my password. I would expect
SSH to print a message normally about being unable to ask for
confirmation to add a host key, not not just that the foreign key is
invalid.
% lsb_release -rd
Description: Ubuntu 12.04.4 LTS
Release: 12.04
% ssh -v
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
% apt-cache policy ssh
ssh:
Installed: (none)
Candidate: 1:5.9p1-5ubuntu1.4
Version table:
1:5.9p1-5ubuntu1.4 0
500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
1:5.9p1-5ubuntu1.3 0
500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
1:5.9p1-5ubuntu1 0
500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1344029
Title:
Read only permission on /dev/tty exposes passwords and prevents ssh
logins to other boxes
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1344029/+subscriptions
More information about the Ubuntu-server-bugs
mailing list