#25 don't export SSHPASS to the invoked process (ssh)

[Cálestyo]

Hey.

It seems as if sshpass would export the SSHPASS envvar to the invoked process (i.e. ssh), which in turn might (via SendEnv) forward it to the remote host.

The contents of the env var seems to be overwritten though (each char replaced by and 'x'), which - I guess - you mainly do for the -p case though, to not leak it (so long) via the process' arguments.

Couldn't you simply remove SSHPASS from new_argv ?

Thanks,
Chris.

[Cálestyo]

I should perhaps add that there are two aspects to this issue.
1) Non-security-related ... in the sense that sshpass shouldn't "spoil" the remote environment with env vars that are not really intentionally sent to the remote end.

The user might have his own SSHPASS env var, which he sometimes sends... and which is not the one from sshpass. (This is also why I've asked for the ability to change the var for -e).

2) Security-related... i.e. the length of the passphrase is disclosed. Not so critical probably, because most likely the remote side know the passphrase anyway.
From the remote side it could be accidentally further leaked... e.g. by ssh'ing from there to other nodes, and SSHPASS (with the xxx) being passed on.

The same length-leak also happens with the -p option, btw. e.g.:
68079 pts/16 S+ 0:00 sshpass -p xxxxxx -P aff ssh example.org

which allows other local users to see the password length and may make it much easier for them to brute force it.

So it would be nice if it were possible to truncate that... perhaps still overwriting it first, in case there are OSes where the truncation wouldn't work.

Cheers,
Chris.

[Shachar Shemesh]

Fixed in trunk