#4 (possible) passwd security


The user's password is copied from PAM to expect's
space to send to the ssh-add utility. Both PAM and
ssh-add are smart enough to wipe the memory the user's
password is stored in, but expect is not. This means
that the user's password may be left in memory (in
cleartext) potentially long after login, and thus
malicious programs can easily sniff out and find it.

I'm not sure how much of a real problem this is, but
every text I know of that covers passwords recommends
wiping clean any and all memory used to store the clear
text password to avoid the risk of memory being scanned
by malicious code.


  • Marko Mikulicic

    Marko Mikulicic - 2004-02-28
    • priority: 5 --> 7
    • assigned_to: nobody --> mmikulicic
    • status: open --> open-postponed
  • Marko Mikulicic

    Marko Mikulicic - 2004-02-28



    the problem is not only this.


    <begin mytest.c>
    #include <stdio.h>

    int main(void)
    {
        /* the child ("cat >pippo") receives the secret through a pipe */
        FILE *f = popen("cat >pippo", "w");
        if (f == NULL)
            return 1;
        fprintf(f, "secret\n");
        pclose(f);   /* flush, close the pipe and wait for cat to exit */
        return 0;
    }
    <end mytest.c>

    $ ./mytest & PID=$(ps xa|grep "[a].out" | cut -f 1 -d ' ');
    cat /proc/$PID/fd/4
    [1] 27599
    [1]+ Exit 7 ./mytest

    Passing data through the pipe is not secure. A process running
    with the user's uid (or root) could intercept the password.

    so the only real solution is to contact the agent directly
    and load it with the decrypted key...

  • Marko Mikulicic

    Marko Mikulicic - 2004-02-28
    • status: open-postponed --> closed-fixed
  • Marko Mikulicic

    Marko Mikulicic - 2004-02-28


    fixed with i/o redirection using unix domain sockets to
    prevent any possible interception of the password.

    It no longer depends on expect.
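The two claims in this thread, that bytes sitting in a pipe can be read back through /proc/PID/fd while a unix domain socket cannot be reopened that way, can be checked with the program below. It is an added example, not code from this report or from the project; it reopens its own descriptors via /proc/self/fd as a stand-in for another same-uid process opening /proc/PID/fd/N, and assumes Linux with /proc mounted.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Reopen fd through /proc, as a same-uid process can do with /proc/PID/fd/N, and
 * read the secret back. Returns 1 if it came out, else 0 (open() errno in *err). */
static int snoop_via_proc(int fd, const char *secret, int *err)
{
    char path[64], buf[64] = {0};
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    int rfd = open(path, O_RDONLY);        /* what "cat /proc/$PID/fd/N" does */
    if (rfd < 0) { *err = errno; return 0; }
    ssize_t n = read(rfd, buf, sizeof buf - 1);
    close(rfd);
    return n > 0 && strcmp(buf, secret) == 0;
}

/* Pipe, as popen() and expect use: the write end can be reopened for reading
 * and the secret waiting in the pipe buffer read out by a third process. */
int pipe_leaks_secret(const char *secret)
{
    int p[2], err = 0;
    if (pipe(p) < 0 || write(p[1], secret, strlen(secret)) < 0) return -1;
    int leaked = snoop_via_proc(p[1], secret, &err);
    close(p[0]); close(p[1]);
    return leaked;                         /* 1 on Linux with /proc mounted */
}

/* Unix domain socket, the fix adopted in this thread: open() on the /proc link
 * of a socket fails with ENXIO (see socket_reopen_errno), so nothing is read. */
int socket_leaks_secret(const char *secret)
{
    int s[2], err = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) < 0 ||
        write(s[1], secret, strlen(secret)) < 0) return -1;
    int leaked = snoop_via_proc(s[1], secret, &err);
    close(s[0]); close(s[1]);
    return leaked;                         /* 0 */
}

int socket_reopen_errno(void)
{
    int s[2], err = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, s) < 0) return -1;
    snoop_via_proc(s[1], "", &err);
    close(s[0]); close(s[1]);
    return err;                            /* ENXIO */
}
```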

