echo "${SUDO_PASSWORD}" | ssh sudo -S command
Hi,
I'm just trying to work out how insecure this is? I want to write a script that will use SSH to call sudo on a remote machine. I have SSH keys set-up so that I do not need to enter a password to issue commands on my (non-root) account on the remote machine. The script uses 'read -s SUDO_PASSWORD' to get the sudo password - so it's not hard-coded anywhere or written to command history.

So, my question is about how insecure is it to use this within the script:
echo "${SUDO_PASSWORD}" | ssh ${REMOTE_MACHINE} "sudo -S sh -c id"
NB: 'id' is only an example command - in the script this would be a variable.

I presume that 'echo' is a built-in so it won't show up in 'ps' command output on the local machine. Everything happening on the remote machine is via SSH so I presume that is secure (in this case 'secure' means secure enough - it is always possible to argue things are not 100% secure in my experience). Finally the password is present in memory as $SUDO_PASSWORD on the local machine, but I presume that is reasonably secure from anyone unless they already have root access?

Incidentally I did solve the problem another way - by using 'expect' to inject the password when prompted. This works fine, and is probably what I will use as it has slightly less of the security concerns mentioned above. It still has some though and I'm interested to know what the security issues are with the 'echo | ssh sudo' solution.

Thanks in advance for any assistance with this.
Rotty
In this variant you give the password direct to sudo without an intermediate script and then call sudo a 2nd time (relying on the sudo cache - assuming you use default settings) to execute your payload. That keeps the password out of a shell variable so I suggest this is a minor improvement.
Code:
echo "${SUDO_PASSWORD}" | ssh ${REMOTE_MACHINE} "sudo -S id && sudo command"
Quote:
I'd recommend using a setuid wrapper that runs a shell script that does what you need. Here's how you do that:
Code:
$ mkdir -m700 ~/foobar
Code:
ssh "$remote" foobar/foobar
@mina86 - thanks for the reply.
Quote:
The setuid C program is not an option as part of the idea of this is to do remote admin, so any variety of commands could be entered. Also, the 'NOPASSWD' option in sudoers is not an option - I want to have the requirement to enter a password in case someone with sudo access leaves a terminal session unguarded.

@linosaurusroot - I didn't really understand either, but I think I may have made my question too complicated. I extracted the command example from my script so that the question wasn't too long, but I should have tidied up more. The actual command I am using is this:
Code:
echo "${SUDO_PASSWORD}" | ssh -o StrictHostKeyChecking=no ${1} "sudo -Sp '' sh -c '${2}'"
Rotty
Quote:
Of course Unix doesn't do a lot to help you if you are being attacked from the same UID.
Quote:
However, why don't you just do something like:
Code:
ssh $1 sudo sh -c "$2"
Quote:
http://etutorials.org/Programming/se...mory+Securely/
@mina86
You're right about other users seeing the args. But, as you said, using a built-in may mitigate this. I can't just use the simple command you suggest as the whole point of this exercise is to run a command against multiple servers. So, I will be on my local machine and run "myscript servera,serverb,serverc,etc mycommand" and it will prompt for a password once and then inject it into the remote command when necessary.

@linosaurusroot
I can't find much to suggest bash* isn't written securely. The fact that bash provides 'read -s' must mean that the authors were aware they were getting themselves into the realm of handling secure data. I guess the key question is - how would someone extract the password from the memory I'm using when I'm running the script (running as a non-root user, possibly the same user).

* just to be clear - /bin/sh is a link to /bin/bash on all servers here.

Rotty

PS, just wanted to say thanks to you guys for contributing responses to this. You've prompted me to think more about how a shell handles memory and found this interesting http://security.stackexchange.com/qu...ility-in-linux. I think my current thinking is that my script is 'secure enough', but that users should be made aware that 'root' and their own user account could be used to steal their password.
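
Added example, not code from any poster in this thread: one way to write the "prompt once, run the command on several servers" script described in the last post, in POSIX sh. The function names (sq, remote_cmd, read_password, run_on_hosts) are hypothetical, and adding sudo's -k option is an assumption about what such a script would want, not something the thread proposes.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical.

# Single-quote $1 for the remote shell: each ' becomes '\''
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# String the remote login shell will parse.
#   -S     read the password from stdin
#   -p ''  print no prompt text
#   -k     ignore cached credentials, so sudo always consumes the password
#          line instead of leaving it on the command's stdin
# Quoting with sq keeps quotes inside the command intact, which the
# thread's  sh -c '${2}'  form does not.
remote_cmd() {
    printf "sudo -k -S -p '' sh -c %s" "$(sq "$1")"
}

# Read the password into $pw without echo (POSIX stand-in for 'read -s').
read_password() {
    printf 'sudo password: ' >&2
    stty -echo 2>/dev/null || true
    IFS= read -r pw || true
    stty echo 2>/dev/null || true
    printf '\n' >&2
}

# $1 = comma-separated hosts, $2 = command; expects $pw to be set.
run_on_hosts() {
    cmd=$(remote_cmd "$2")
    old_ifs=$IFS; IFS=,
    for h in $1; do
        # printf is a builtin in bash and dash, so the password is never in
        # a process's argument list; unlike echo it does not treat "-n" or
        # backslashes in the password specially.
        # No StrictHostKeyChecking=no here: stdin carries the password, so
        # the host key is verified before anything is sent.
        printf '%s\n' "$pw" | ssh "$h" "$cmd"
    done
    IFS=$old_ifs
}

# Usage: read_password; run_on_hosts servera,serverb 'id'; unset pw
```

The command text itself still appears in the ssh and sudo argument lists on both machines, so it should not contain secrets.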