ssh -2 and hostbasedauth

Dan Astoorian djast at cs.toronto.edu
Sat Nov 17 04:16:10 EST 2001


On Fri, 16 Nov 2001 11:16:44 EST, Markus Friedl writes:
> 
> however, i think we can add debug messages and make
> debug messages an option.

Defaulting to off, I trust?  ("Debug mode."  Sendmail.  'nuff said.  ;-) )

I think that if this is done, it might be worth considering (if this
isn't already what you had in mind) setting it up such that if the
client requests it, debug messages--at least the ones which disclose
questionable information--are produced and logged on the server side,
but _not_ sent back to the client.

That way, the sysadmin doesn't have to turn on the debug messages
globally to troubleshoot a particular authentication problem, but
legitimate users can still cause useful debugging info to be produced
for the sysadmin.

Whether such logs should be readable by unprivileged users on the server
side is debatable, but my instinct is that they shouldn't be, since that
could allow local users to gain information about each other's
authentication setup.

(As an example, I'm not sure it's appropriate that sshd will report
"Accepted by .shosts" back to the client before verifying the host key;
I haven't thought through whether this could be used by an attacker to
verify the contents of an .shosts file by IP spoofing, or what the
implications of this might be.)

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu        not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.    --Dan Redican