Re: Extend logging of openssh-server - e.g. plaintext password


 



On Sun, Dec 18, 2016 at 9:42 AM, Philipp Vlassakakis
<philipp@xxxxxxxxxxxxxx> wrote:
> What part of „Password Authentication is disabled“ do you not understand?
>
>
> On 18.12.2016 at 11:21, Nico Kadel-Garcia <nkadel@xxxxxxxxx> wrote:
>
> On Sat, Dec 17, 2016 at 7:37 PM, Philipp Vlassakakis
> <philipp@xxxxxxxxxxxxxx> wrote:
>
> Dear list members,
>
> I want to extend the logging of the openssh-server, so it also logs the
> entered passwords in plaintext, and yes I know that this is a security
> issue, but relax, Password Authentication is disabled. ;)
>
>
> Oh, dear lord. What part of "a really bad idea and begging for pure
> abuse" is not clear about this idea? Simply setting up a fake server
> with a hostname similar to a common one could encourage password
> harvesting.
>
> It would be much safer to simply avoid activating debugging tools that
> can be so abused.

What part of "actively supporting honeypots is a bad idea" is unclear
to you, sir? This kind of built-in feature can, and will, be used by
malicious people to activate passphrase theft. By activating it
directly in the source code, it also makes it that much more difficult
to detect when someone can and has enabled such harvesting.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



