Bug in all versions of OpenSSH

Dan Kaminsky dan at doxpara.com
Sat Apr 6 09:37:14 EST 2002


> Bug?  Hardly..
>
> does: ssh user at site ls   login in wtmp, utmp, secure, and lastlog?
>
> you are opening up a non-tty connection there is no logging of such
> information outside of the system logs.  Check this against every other
> ssh and rsh implementation.

Lots of things are broken by default; doesn't make them correct behavior.
Sites wishing to use wtmp etc. to do accounting on who came in from where do
legitimately need to worry about this trivial method of evading their
accounting systems.

What would be the harm of an option, or even a default, to force
system-level logging for forwarded commands?  Certain processes would
suddenly spawn massive numbers of logins (cvs? scp?) but then these would be
processes that were absolutely hammering the SSH session init crypto code.

As is, it's sort of embarrassing that I can evade basic system logs so
easily.  Telnet doesn't let you do this, and that's the status quo that
matters.

--Dan
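
An added example, not part of the original post or of OpenSSH: a defender-side check that compares sshd's own "Accepted" lines in the system log against wtmp records and reports sessions that authenticated without leaving a login record, which is the accounting gap discussed above. The log lines, wtmp tuples and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the original post): sshd auth-log lines
# and wtmp session records as (user, remote host, login time).
AUTH_LOG = """\
Apr  6 09:30:01 host sshd[1201]: Accepted password for alice from 192.0.2.10 port 40112 ssh2
Apr  6 09:31:15 host sshd[1207]: Accepted publickey for bob from 192.0.2.22 port 40190 ssh2
Apr  6 09:33:40 host sshd[1215]: Accepted publickey for alice from 192.0.2.10 port 40231 ssh2
Apr  6 09:34:02 host sshd[1220]: Failed password for carol from 192.0.2.99 port 40300 ssh2
"""
WTMP = [("alice", "192.0.2.10", datetime(2002, 4, 6, 9, 30, 2))]

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<host>\S+) port \d+")

def accepted_logins(log_text, year):
    """Yield (user, host, time, pid) for each successful sshd authentication."""
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield m["user"], m["host"], ts, int(m["pid"])

def unaccounted(log_text, wtmp, year, slack=timedelta(seconds=10)):
    """Return accepted logins that have no wtmp record within `slack`."""
    remaining = list(wtmp)
    missing = []
    for user, host, ts, pid in accepted_logins(log_text, year):
        match = next((r for r in remaining if r[0] == user and r[1] == host
                      and abs(r[2] - ts) <= slack), None)
        if match:
            remaining.remove(match)   # one wtmp record accounts for one login
        else:
            missing.append((user, host, ts, pid))
    return missing

if __name__ == "__main__":
    for user, host, ts, pid in unaccounted(AUTH_LOG, WTMP, 2002):
        print(f"{ts} sshd[{pid}] {user}@{host}: authenticated, no wtmp record")
```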





More information about the openssh-unix-dev mailing list