Bugtraq mailing list archives

Ben Greenbaum: Re: SSHD-1 Logging Vulnerability
From: Bob Beck <beck () BOFH UCS UALBERTA CA>
Date: Mon, 12 Feb 2001 17:58:11 -0700

[users getting out of sync and passwords getting logged]

Not always. I can think of one Windows SSH client off the top of my head
that will prompt for the username and password separately - SecureCRT. I'm
sure there are others as well that I'm just not thinking of right now...

    Well, that and it's easy to just brainfart and type a password
in when putty or some other silly client asks me who to log in as.

    Really all a moot point as long as the daemon logs using authpriv.
Your system should be set up to log that stuff to a file only root can read.
At that point only root can see when the user gets out of sync, and
heck, if they want to they can trojan the daemon to see what they
want anyway, assuming passwords are being used.

    If you arbitrarily syslog stuff like that to world-readable files
you're running a big risk. The daemon needs to do its part by
logging it to the authpriv facility so you can separate it, and after
that you need to make sure you set up syslog right.

      -Bob


cc:
Subject: Ben Greenbaum: Re: SSHD-1 Logging Vulnerability
--------

[users getting out of sync and passwords getting logged]

Not always. I can think of one Windows SSH client off the top of my head
that will prompt for the username and password separately - SecureCRT. I'm
sure there are others as well that I'm just not thinking of right now...

    Well, that and even I sometimes just brainfart and type my password
in when putty or some other silly client asks me who to log in as.

    Really all a moot point as long as the daemon logs using authpriv
and your system is set up to log that stuff to a root-readable only file.
At that point only root can see when the user gets out of sync, and
heck, if they want to they can trojan the daemon to see what they
want anyway.

    If you arbitrarily syslog stuff like that to world-readable files
you're running a big risk. The daemon needs to do its part by
logging it to the authpriv facility so you can separate it, and after
that you need to make sure you set up syslog right.

      -Bob
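
The syslog setup described in the message above can be audited with a short script. This is an added example, not part of the original post: it assumes classic `syslog.conf` selector syntax, the function names and the sample configuration are constructed for illustration, and any priority other than `none` is treated as a match.

```python
import os
import stat

# Constructed sample in classic syslog.conf syntax (not taken from the post).
SAMPLE_CONF = """\
*.info;mail.none        /var/log/messages
authpriv.*              /var/log/secure
*.emerg                 *
"""

def authpriv_targets(conf_text):
    """Return the file actions that receive authpriv messages."""
    targets = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selectors, action = parts[0], parts[1].strip().lstrip("-")
        if not action.startswith("/"):
            continue  # only regular-file actions are checked here
        matched = False
        for sel in selectors.split(";"):
            facilities, _, priority = sel.partition(".")
            if {"*", "authpriv"} & set(facilities.split(",")):
                # A later selector overrides an earlier one, so
                # "*.info;authpriv.none" ends up excluding authpriv.
                matched = priority != "none"
        if matched:
            targets.append(action)
    return targets

def readable_beyond_owner(paths, mode_of=lambda p: os.stat(p).st_mode):
    """Return the paths whose mode grants read access to group or others."""
    return [p for p in paths if mode_of(p) & (stat.S_IRGRP | stat.S_IROTH)]

if __name__ == "__main__":
    for path in authpriv_targets(SAMPLE_CONF):
        print("authpriv is written to", path)
```

In the sample, the wildcard line also sends authpriv messages to `/var/log/messages`, so the dedicated `authpriv.*` line alone does not separate them; the wildcard line needs `authpriv.none` as well.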

