Re: SSHD-1 Logging Vulnerability

["Grecni, Steve" <steve () STEEM COM>]

On Sun, 11 Feb 2001, Markus Friedl wrote:

> On Fri, Feb 09, 2001 at 06:23:07PM +0100, Florian Weimer wrote:
> > > +          log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
> > >                  user, client_user, get_canonical_hostname());
> >
> > I don't think this patch is a good idea.  If a user accidentally
> > enters his password in place of his user name, the password will show
> > up in the log.  That's probably the reason while logging is available
> > only in the debug mode.  It should be sufficient to log the IP address
> > of the client trying to authenticate.
>
> While I understand you concern, I am not sure whether this
> applies to SSH clients, since they are usually very
> different from telnet clients. You enter the usename when you
> start the client, so it's hard to get out of sync, e.g. I
> have never seen a user enter
>       $ ssh -l mypasswd host
> This even applies to Windows SSH vs. telnet clients.
>
> -markus

I hate to keep this thread going, but this isn't entirely true.  There's
no reason an ssh client can't prompt you for a username AND password if
the username isn't given upon program execution.  In fact this is the case
for putty (windows ssh client), if you don't enter in a username for a
host, then it prompt you for one, ala telnet.  This is how I run putty
actually, it's convenient when you have multiple accounts on the same
machine.  Now I'm not saying don't log the username because of this one
client, but there may be more that I'm not aware of.


----------
Steve Grecni        Programmer
Build your world.   http://STEEM.com