touch-packages team mailing list archive
Message #01444
[Bug 1344029] [NEW] Read only permission on /dev/tty exposes passwords and prevents ssh logins to other boxes
Public bug reported:
What Happened:
One day, ssh-add started echoing my password to the terminal. I then
tried to ssh and just kept getting "Host key verification failed."
Cause:
Eventually through the use of ssh -v -v -v I figured out that /dev/tty
wasn’t usable. I ls -l /dev/tty and found it had permissions of
crw------- owned by root:root. I did chmod a+rw and everything started
to work.
What I expected:
I would expect SSH to fail before exposing my password. I would expect
SSH to print a message normally about being unable to ask for
confirmation to add a host key, not just that the foreign key is
invalid.
% lsb_release -rd
Description: Ubuntu 12.04.4 LTS
Release: 12.04
% ssh -v
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
% apt-cache policy ssh
ssh:
  Installed: (none)
  Candidate: 1:5.9p1-5ubuntu1.4
  Version table:
     1:5.9p1-5ubuntu1.4 0
        500 http://archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
     1:5.9p1-5ubuntu1.3 0
        500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
     1:5.9p1-5ubuntu1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1344029
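
Added example, not part of the bug report and not OpenSSH code: a Python sketch of the check behind the reported cause (a crw------- root:root /dev/tty is not read-write for an ordinary user) and of a prompt that fails closed, as the reporter expected, instead of reading a secret where it could be echoed. The function names dac_allows_rw, tty_usable and read_secret are hypothetical, and only the classic mode bits are evaluated (no ACLs or LSM policy).

```python
import os
import stat
import termios

def dac_allows_rw(mode, owner_uid, owner_gid, uid, gids):
    """Permission-bit check: may (uid, gids) open this device node read-write?"""
    if not stat.S_ISCHR(mode):
        return False                      # /dev/tty must be a character device
    if uid == 0:
        return True                       # root is not limited by the mode bits
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & 6 == 6                  # need both r (4) and w (2)

def tty_usable(path="/dev/tty"):
    """Apply the check to the real node for the calling user."""
    st = os.stat(path)
    return dac_allows_rw(st.st_mode, st.st_uid, st.st_gid,
                         os.geteuid(), set(os.getgroups()) | {os.getegid()})

def read_secret(prompt="Passphrase: ", tty_path="/dev/tty"):
    """Read one line from the terminal with echo off; raise rather than
    fall back to an input path where the secret would be echoed."""
    try:
        fd = os.open(tty_path, os.O_RDWR | os.O_NOCTTY)
    except OSError as exc:
        raise RuntimeError(f"{tty_path}: {exc.strerror}; not prompting") from exc
    try:
        old = termios.tcgetattr(fd)       # fails if fd is not a terminal
        new = old[:]
        new[3] &= ~termios.ECHO           # index 3 is lflag
        termios.tcsetattr(fd, termios.TCSAFLUSH, new)
        try:
            os.write(fd, prompt.encode())
            line = os.read(fd, 4096)      # canonical mode returns one line
        finally:
            termios.tcsetattr(fd, termios.TCSAFLUSH, old)
            os.write(fd, b"\n")
    except termios.error as exc:
        raise RuntimeError(f"{tty_path}: cannot disable echo; not prompting") from exc
    finally:
        os.close(fd)
    return line.rstrip(b"\r\n").decode()

if __name__ == "__main__":
    print("/dev/tty read-write for this user:", tty_usable())
```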