|
Bugtraq
mailing list archives
Re: SSHD-1 Logging Vulnerability
From: Markus Friedl <markus.friedl () INFORMATIK UNI-ERLANGEN DE>
Date: Sun, 11 Feb 2001 19:42:10 +0100
On Fri, Feb 09, 2001 at 06:23:07PM +0100, Florian Weimer wrote:
+ log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
user, client_user, get_canonical_hostname());
I don't think this patch is a good idea. If a user accidentally
enters his password in place of his user name, the password will show
up in the log. That's probably the reason while logging is available
only in the debug mode. It should be sufficient to log the IP address
of the client trying to authenticate.
While I understand you concern, I am not sure whether this
applies to SSH clients, since they are usually very
different from telnet clients. You enter the usename when you
start the client, so it's hard to get out of sync, e.g. I
have never seen a user enter
$ ssh -l mypasswd host
This even applies to Windows SSH vs. telnet clients.
-markus
 By Date 
By Thread
Current thread:
|
Intro
