Bugtraq: Re: SSHD-1 Logging Vulnerability

Re: SSHD-1 Logging Vulnerability

From: Florian Weimer <Florian.Weimer_at_RUS.UNI-STUTTGART.DE>
Date: Mon, 12 Feb 2001 16:03:24 +0100

Markus Friedl <markus.friedl_at_informatik.uni-erlangen.de> writes:

[Logging user names harmful or not?]

> While I understand your concern, I am not sure whether this
> applies to SSH clients, since they are usually very
> different from telnet clients. You enter the username when you
> start the client, so it's hard to get out of sync, e.g. I
> have never seen a user enter
> $ ssh -l mypasswd host

Yes, this is certainly correct for the traditional command line
clients.

> This even applies to Windows SSH vs. telnet clients.

IIRC, Teraterm has a combined dialog box for entering password and
user name, and I think you can confuse one with the other.

--
Florian Weimer 	                  Florian.Weimer_at_RUS.Uni-Stuttgart.DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
Received on Feb 12 2001