Bugtraq mailing list archives

Ben Greenbaum: Re: SSHD-1 Logging Vulnerability


From: Bob Beck <beck () BOFH UCS UALBERTA CA>
Date: Mon, 12 Feb 2001 17:58:11 -0700

[users getting out of sync and passwords getting logged]

Not always. I can think of one Windows SSH client off the top of my head
that will prompt for the username and password separately - SecureCRT. I'm
sure there are others as well that I'm just not thinking of right now...

    Well, that and it's easy to just brainfart and type a password
in when putty or some other silly client asks me who to log in as.

    Really all a moot point as long as the daemon logs using authpriv.
Your system should be set up to log that stuff to a file only root can read.
At that point only root can see when the user gets out of sync, and
heck, if they want to they can trojan the daemon to see what they
want anyway, assuming passwords are being used.

    If you arbitrarily syslog stuff like that to world readable files
you're running a big risk. The daemon needs to do its part by
logging it to the authpriv facility so you can separate it, and after
that you need to make sure you set up syslog right.

      -Bob
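An added example, not code from Bob's post or from any sshd or syslog project: the two syslog.conf shapes the post contrasts, constructed here, and a POSIX sh check for the two things it asks of the administrator, that authpriv messages reach their own file and that the file is not readable by everyone.

```shell
#!/bin/sh
# Added example, not from the original post. The config fragments and the
# two log files below are constructed so the check can run offline.

weak_conf=$(mktemp)
strict_conf=$(mktemp)
open_log=$(mktemp);    chmod 644 "$open_log"      # constructed: like a default /var/log/messages
private_log=$(mktemp); chmod 600 "$private_log"   # constructed: like a root-only /var/log/secure
trap 'rm -f "$weak_conf" "$strict_conf" "$open_log" "$private_log"' EXIT

cat >"$weak_conf" <<'EOF'
# Weak: one catch-all rule. authpriv (sshd's out-of-sync username/password
# lines) lands in the general log, which is usually world readable.
*.info                          /var/log/messages
EOF

cat >"$strict_conf" <<'EOF'
# Corrected: keep authpriv out of the general log and give it its own file,
# which the administrator then keeps at mode 0600, owned by root.
*.info;authpriv.none            /var/log/messages
authpriv.*                      /var/log/secure
EOF

# Print the destination of every rule that would receive authpriv messages:
# an explicit authpriv selector, or a "*." catch-all, unless the same rule
# also carries "authpriv.none".
authpriv_sinks() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         {
           sel = $1; dest = $2
           if (sel ~ /authpriv\.none/) next
           if (sel ~ /(^|[;,])authpriv\./ || sel ~ /(^|;)\*\./) print dest
         }' "$1"
}

# Succeed only when the mode grants no read permission to "other"
# (column 8 of ls -l is the other-read bit; 0600 and 0640 both pass).
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" != "r" ]
}

for conf in "$weak_conf" "$strict_conf"; do
    echo "authpriv messages from $conf would reach:"
    authpriv_sinks "$conf" | sed 's/^/  /'
done
```

Run the same two functions against the live syslog.conf and the file it names to see whether a host matches the post's advice.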
