I am using bash script below to test whether sudo
is available on a remote host.
I'm obtaining the password from user input. I understand (to a limited extent) that using passwords inside a script will involve security trade-offs, so I have a question about a particular aspect of this.
Please see script below, which uses sshpass
and then tests if the user is able to run sudo --stdin --validate
successfully.
To mitigate exposing the password (as best as I know?) I've opted to use sshpass
with -e
instead of -p
, but just wondering about the second part—the echo \"${SSHPASS}\" | sudo --stdin --validate
line.
After running this script and then looking through history
on the remote host, I could not see the password 'echoed' on the command line both in the user account or as root.
So my question is: Does echoing like this at the remote end expose the password anywhere (and if so, where?), or is this method below "fairly safe"?
User environment on both ends is Ubuntu 18 or 20.
#!/bin/bash
# obtain username and host from user input
read -p "Enter username@host: " remote
# obtain password from user input
read -r -s -p "Enter password: " SSHPASS
# set password as environment variable for `sshpass` below, it requires this for `-e`
export SSHPASS
echo
echo -n "Testing if can sudo on ${remote}... "
if result=$( sshpass -e ssh -o PasswordAuthentication=yes "${remote}" "echo \"${SSHPASS}\" | sudo --stdin --validate" 2>&1 ); then
echo "YES!"
else
echo "FAILED"
echo "${result}"
fi
unset SSHPASS
Best Answer
While it doesn't look like it, the password is actually exposed on the local and remote server.
The reason in both cases is that it is part of the command line of the processes, either
sshpass
or the more implicitbash -c
as outlined below.When you run a command via
ssh <host> <command>
, the command part is passed to the login shell via-c
. This implies that any user that is able to list processes can seebash -c "echo "<password>" | sudo --stdin --validate"
.If you want to test it out, a simple
while ! ps aux | grep '[s]udo'; do :; done
as any other user in the remote system should work. Note that this is an active wait loop and will spike CPU usage.To fix that, you should echo the password and pipe it to your SSH instead of having it echoed remotely:
echo "${SSHPASS}" | sshpass -e ssh -o PasswordAuthentication=yes "${remote}" "sudo --stdin --validate" 2>&1
.