Public bug reported:

Run sshpass as follows:

SSHPASS="password" /usr/bin/sshpass -e ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null user@localhost


user@Ubuntu14-VM:/proc/49571$ cat environ
SSHPASS=password ...

The password is leaked here.


Recommendation: 

SSHPASS should be cleared after use.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: sshpass 1.05-1
ProcVersionSignature: Ubuntu 3.13.0-39.66-generic 3.13.11.8
Uname: Linux 3.13.0-39-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
Date: Mon Dec 12 13:44:35 2016
Dependencies:
 gcc-4.9-base 4.9.1-0ubuntu1
 libc6 2.19-0ubuntu6.3
 libgcc1 1:4.9.1-0ubuntu1
 multiarch-support 2.19-0ubuntu6.3
InstallationDate: Installed on 2014-04-22 (965 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
ProcEnviron:
 TERM=xterm
 PATH=(custom, no username)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sshpass
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: sshpass (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug trusty

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1649374

Title:
  password passed through -e by environment is leaked in /proc

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sshpass/+bug/1649374/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
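
One way a tool that reads a password from the environment could act on the recommendation in this report, shown as an added example (not sshpass's own code, and not part of the original report): copy the value out, zero it in place so /proc/<pid>/environ stops showing it, and drop the entry so an exec'd child such as ssh does not inherit it. The function names take_env_secret and proc_environ_contains are hypothetical; the value is still readable in the window between exec and the wipe.

```c
#include <stdio.h>
#include <string.h>

extern char **environ;

/* Copy NAME's value out of envp, zero it in place (so /proc/<pid>/environ
 * no longer shows it) and drop the entry (so exec'd children such as ssh
 * do not inherit it). Returns the value length, or -1 if NAME is absent
 * or out is too small. */
long take_env_secret(char **envp, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    for (char **e = envp; e && *e; e++) {
        if (strncmp(*e, name, nlen) != 0 || (*e)[nlen] != '=')
            continue;
        volatile char *val = *e + nlen + 1;  /* volatile: keep the wipe */
        size_t vlen = strlen(*e + nlen + 1);
        if (vlen + 1 > outlen)
            return -1;
        memcpy(out, *e + nlen + 1, vlen + 1);
        for (size_t i = 0; i < vlen; i++)
            val[i] = '\0';
        for (char **d = e; *d; d++)          /* shift later entries down */
            d[0] = d[1];
        return (long)vlen;
    }
    return -1;
}

/* 1 if needle occurs in this process's /proc/self/environ, 0 if not,
 * -1 if the file cannot be read (Linux only). */
int proc_environ_contains(const char *needle)
{
    static char buf[1 << 17];
    size_t k = strlen(needle);
    FILE *f = fopen("/proc/self/environ", "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    for (size_t i = 0; k && i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0)
            return 1;
    return 0;
}

int main(void)
{
    char pw[256];  /* a real tool would wipe this too once the password is sent */
    if (take_env_secret(environ, "SSHPASS", pw, sizeof pw) < 0)
        return 1;
    printf("value still in /proc/self/environ: %d\n", proc_environ_contains(pw));
    return 0;
}
```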
