#4 (possible) passwd security

closed-fixed
None
7
2004-02-28
2004-02-13
Sean Middleditch
No

The user's password is copied from PAM to expect's
space to send to the ssh-add utility. Both PAM and
ssh-add are smart enough to wipe the memory the user's
password is stored in, but expect is not. This means
that the user's password may be left in memory (in
cleartext) potentially long after login, and thus
malicious programs can easily sniff out and find it.

I'm not sure how much of a real problem this is, but
every text I know of that covers passwords recommends
wiping clean any and all memory used to store the clear
text password to avoid the risk of memory being scanned
by malicious code.

Discussion

    • priority: 5 --> 7
    • assigned_to: nobody --> mmikulicic
    • status: open --> open-postponed
     
  • Logged In: YES
    user_id=307585

    right.

    the problem is not only this.

    consider:

    <begin mytest.c>
    #include <stdio.h>
    #include <unistd.h>   /* sleep() */

    int main(void)
    {
        /* the child "cat" reads the secret from an ordinary pipe */
        FILE *f = popen("cat >pippo", "w");
        if (f == NULL)
            return 1;
        sleep(4);         /* window during which /proc/$PID/fd/N is readable */
        fprintf(f, "secret\n");
        pclose(f);
        return 0;
    }
    <end mytest.c>

    $ ./mytest & PID=$(ps xa|grep "[a].out" | cut -f 1 -d ' ');
    cat /proc/$PID/fd/4
    [1] 27599
    secret
    [1]+ Exit 7 ./mytest

    passing data through the pipe is not secure. a process running
    with the user's uid (or root) could intercept the password.

    so the only real solution is to contact the agent directly
    and load it with the decrypted key...

     
    • status: open-postponed --> closed-fixed
     
  • Logged In: YES
    user_id=307585

    fixed with i/o redirection using unix domain sockets to
    prevent any possible interception of the password.

    no longer depends on expect
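An added example (not from the tracker or the project's own code) that illustrates both comments above: the pipe demonstrated in mytest.c can be reopened through the /proc magic link by any process with the same uid, whereas a unix domain socketpair, the channel the fix switched to, cannot (the kernel answers ENXIO). Function names are hypothetical; it assumes Linux with /proc mounted.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Try to obtain a fresh handle on descriptor fd via /proc/self/fd/N, the same
 * route "cat /proc/$PID/fd/4" takes. Returns 1 if the open succeeded, 0 if the
 * kernel refused; if err is non-NULL it receives errno (0 on success). */
int proc_fd_reopenable(int fd, int *err)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    int nfd = open(path, O_RDONLY);
    if (err)
        *err = (nfd < 0) ? errno : 0;
    if (nfd >= 0)
        close(nfd);
    return nfd >= 0;
}

/* Ordinary pipe, as created by popen(): returns 1 (reopenable), -1 on setup error. */
int pipe_is_reopenable(int *err)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    int r = proc_fd_reopenable(p[0], err);
    close(p[0]); close(p[1]);
    return r;
}

/* Unix domain socketpair, the channel used in the fix: returns 0 (not reopenable). */
int socketpair_is_reopenable(int *err)
{
    int s[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) < 0) return -1;
    int r = proc_fd_reopenable(s[0], err);
    close(s[0]); close(s[1]);
    return r;
}

int main(void)
{
    int e;
    printf("pipe reopenable via /proc: %d\n", pipe_is_reopenable(&e));
    printf("socketpair reopenable via /proc: %d (errno %d: %s)\n",
           socketpair_is_reopenable(&e), e, strerror(e));
    return 0;
}
```

The socket still does not address the first part of the report: whatever buffer holds the password in the sending process must be wiped once it has been written.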