[Bug 1344029] [NEW] Read only permission on /dev/tty exposes passwords and prevents ssh logins to other boxes

jimktrains jimktrains at gmail.com
Fri Jul 18 13:01:02 UTC 2014


Public bug reported:

What Happened:

One day, ssh-add started echoing my password to the terminal. I then
tried to ssh and just kept getting "Host key verification failed."

Cause:

Eventually through the use of ssh -v -v -v I figured out that /dev/tty
wasn’t usable.  I ls -l /dev/tty and found it had permissions of
crw------- owned by root:root. I did chmod a+rw and everything started
to work.

What I expected:

I would expect SSH to fail before exposing my password. I would expect
SSH to print a message normally about being unable to ask for
confirmation to add a host key, not just that the foreign key is
invalid.

% lsb_release -rd
Description:	Ubuntu 12.04.4 LTS
Release:	12.04

% ssh -v
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012

% apt-cache policy ssh    
ssh:
  Installed: (none)
  Candidate: 1:5.9p1-5ubuntu1.4
  Version table:
     1:5.9p1-5ubuntu1.4 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
     1:5.9p1-5ubuntu1.3 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     1:5.9p1-5ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1344029
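
A passphrase prompt that fails closed in the way the report expects, as an added example (not OpenSSH's code and not part of the original report). The hypothetical `read_secret` returns an error when `/dev/tty` cannot be opened read/write or echo cannot be switched off, instead of reading input that would be echoed.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Hypothetical helper: read one line from the terminal at tty_path with echo
 * off. Returns the bytes stored, or -1 if the terminal cannot be opened
 * read/write or echo cannot be disabled. It never falls back to stdin. */
ssize_t read_secret(const char *tty_path, const char *prompt,
                    char *buf, size_t buflen)
{
    struct termios saved, noecho, check;
    ssize_t result = -1;
    size_t len = 0;
    char c;
    int fd = buflen ? open(tty_path, O_RDWR | O_NOCTTY) : -1;
    if (fd < 0)
        return -1;                 /* e.g. EACCES on a root-only device node */
    if (tcgetattr(fd, &saved) != 0)
        goto out;                  /* not a terminal: refuse */
    noecho = saved;
    noecho.c_lflag &= ~(tcflag_t)ECHO;
    /* tcsetattr succeeds if any change applied, so read back and check. */
    if (tcsetattr(fd, TCSAFLUSH, &noecho) != 0 ||
        tcgetattr(fd, &check) != 0 || (check.c_lflag & ECHO))
        goto restore;
    if (write(fd, prompt, strlen(prompt)) < 0)
        goto restore;
    while (len + 1 < buflen && read(fd, &c, 1) == 1 && c != '\n')
        buf[len++] = c;
    buf[len] = '\0';
    result = (ssize_t)len;
restore:
    tcsetattr(fd, TCSAFLUSH, &saved);   /* put the original settings back */
out:
    close(fd);
    return result;
}

int main(void)
{
    char secret[128];
    if (read_secret("/dev/tty", "Passphrase: ", secret, sizeof secret) < 0) {
        fputs("cannot disable echo on /dev/tty; refusing to prompt\n", stderr);
        return 1;
    }
    return 0;
}
```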
