Extend logging of openssh-server - e.g. plaintext password

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Mon Dec 19 08:29:37 AEDT 2016


Depends on the question, and the potential (likely) consequences of the answer being implemented.

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: Alex Bligh
Sent: Sunday, December 18, 2016 16:14
To: Blumenthal, Uri - 0553 - MITLL
Cc: Alex Bligh; Nico Kadel-Garcia; Philipp Vlassakakis; openssh-unix-dev at mindrot.org
Subject: Re: Extend logging of openssh-server - e.g. plaintext password


> On 18 Dec 2016, at 19:07, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
> 
> Also, if password-based auth is not allowed, WTF would you want to log passwords?
> 
> This whole idea is ugly, and smacks of a teenage-level prank attempt.
> 
> I would strongly object against any such modification of the main source (though I'm sure the maintainers are sane enough to never let such a crap in).

Am I missing something? OP asked for a means of modifying *his own* openssh to
log passwords "only for his honeypots", and Stephen Harris replied telling him
how to do it, having done this as a demonstration that password authentication
is in general problematic (his blog article explains in essence that if
he can do this, anyone else can do this, and you might ssh to their server
by accident - let's ignore the unrecognised host key stuff).

No one has suggested adding this to the main source code. Clearly that
would be foolhardy.

Is it really necessary to jump down people's throats for a reasonably
phrased question, and an answer (with a reasonably well written blog
article) behind it?

--
Alex Bligh





-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4350 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161218/2a219565/attachment.bin>


More information about the openssh-unix-dev mailing list