Re: SSHD-1 Logging Vulnerability

[Markus Friedl <markus.friedl () INFORMATIK UNI-ERLANGEN DE>]

On Fri, Feb 09, 2001 at 06:23:07PM +0100, Florian Weimer wrote:
> > +          log_msg("Rhosts authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
> >                  user, client_user, get_canonical_hostname());
>
> I don't think this patch is a good idea.  If a user accidentally
> enters his password in place of his user name, the password will show
> up in the log.  That's probably the reason while logging is available
> only in the debug mode.  It should be sufficient to log the IP address
> of the client trying to authenticate.

While I understand you concern, I am not sure whether this
applies to SSH clients, since they are usually very
different from telnet clients. You enter the usename when you
start the client, so it's hard to get out of sync, e.g. I
have never seen a user enter
        $ ssh -l mypasswd host
This even applies to Windows SSH vs. telnet clients.

-markus