Extend logging of openssh-server - e.g. plaintext password
Philipp Vlassakakis
philipp at vlassakakis.de
Mon Dec 19 04:26:55 AEDT 2016
Please accept my apologies. Sorry if my previous mails sound rude, it was not my intention.
@Nico:
What do you mean by „setting up a fake server“?
Should I change my SSH port to a non-default port and install an SSH honeypot like Kippo, which listens on port 22 as my „SSH-Honeypot-Password-Harvester“?
With this solution I don’t have to modify the source code of the openssh-server package.
Regards,
Philipp
> On 18.12.2016 at 18:05, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
>
> I concur with Nico – logging plaintext passwords is an extremely bad idea.
>
> The tone of the poster also leaves much to be desired – but I’ll hold my tongue for now.
> --
> Regards,
> Uri Blumenthal
>
> On 12/18/16, 11:48, "openssh-unix-dev on behalf of Nico Kadel-Garcia" <openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of nkadel at gmail.com> wrote:
>
> On Sun, Dec 18, 2016 at 9:42 AM, Philipp Vlassakakis
> <philipp at vlassakakis.de> wrote:
>> What part of „Password Authentication is disabled“ do you not understand?
>>
>>
>> On 18.12.2016 at 11:21, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
>>
>> On Sat, Dec 17, 2016 at 7:37 PM, Philipp Vlassakakis
>> <philipp at vlassakakis.de> wrote:
>>
>> Dear list members,
>>
>> I want to extend the logging of the openssh-server, so it also logs the
>> entered passwords in plaintext, and yes I know that this is a security
>> issue, but relax, Password Authentication is disabled. ;)
>>
>>
>> Oh, dear lord. What part of "a really bad idea and begging for pure
>> abuse" is not clear about this idea? Simply setting up a fake server
>> with a hostname similar to a common could encourage password
>> harvesting.
>>
>> It would be much safer to simply avoid activating debugging tools that
>> can be so abused.
>
> What part of "actively supporting honeypots is a bad idea" is unclear
> to you, sir? This kind of built-in feature can, and will, be used by
> malicious people to activate passphrase theft. By activating it
> directly in the source code, it also makes it that much more difficult
> to detect when someone can and has enabled such harvesting.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev