Bugtraq mailing list archives
Re: SSHD-1 Logging Vulnerability
From: Markus Friedl <markus.friedl () INFORMATIK UNI-ERLANGEN DE>
Date: Sun, 11 Feb 2001 19:42:10 +0100
On Fri, Feb 09, 2001 at 06:23:07PM +0100, Florian Weimer wrote:
+ log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.", user, client_user, get_canonical_hostname());I don't think this patch is a good idea. If a user accidentally enters his password in place of his user name, the password will show up in the log. That's probably the reason while logging is available only in the debug mode. It should be sufficient to log the IP address of the client trying to authenticate.
While I understand you concern, I am not sure whether this applies to SSH clients, since they are usually very different from telnet clients. You enter the usename when you start the client, so it's hard to get out of sync, e.g. I have never seen a user enter $ ssh -l mypasswd host This even applies to Windows SSH vs. telnet clients. -markus
Current thread:
- Re: SSHD-1 Logging Vulnerability Florian Weimer (Feb 10)
- Re: SSHD-1 Logging Vulnerability Markus Friedl (Feb 12)
- Re: SSHD-1 Logging Vulnerability Florian Weimer (Feb 12)
- Re: SSHD-1 Logging Vulnerability Grecni, Steve (Feb 12)
- <Possible follow-ups>
- Re: SSHD-1 Logging Vulnerability Ben Greenbaum (Feb 12)
- Re: SSHD-1 Logging Vulnerability Markus Friedl (Feb 12)