Please accept my apologies. Sorry if my previous mails sound rude, it was not my intention. @Nico: What do you mean with „setting up a fake server“ ? Should I change my SSH-Port to a non-default port and install a SSH-Honeypot like Kippo, which listens on Port 22 as my „SSH-Honeypot-Password-Harvester“ ? With this solution i don’t have to modify the source code of the openssh-server-package. Regards, Philipp > Am 18.12.2016 um 18:05 schrieb Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx>: > > I concur with Nico – logging plaintext passwords is an extremely bad idea. > > The tone of the poster also leaves much to be desired – but I’ll hold my tongue for now. > -- > Regards, > Uri Blumenthal > > On 12/18/16, 11:48, "openssh-unix-dev on behalf of Nico Kadel-Garcia" <openssh-unix-dev-bounces+uri=ll.mit.edu@xxxxxxxxxxx on behalf of nkadel@xxxxxxxxx> wrote: > > On Sun, Dec 18, 2016 at 9:42 AM, Philipp Vlassakakis > <philipp@xxxxxxxxxxxxxx> wrote: >> What part of „Password Authentication is disabled“ do you not understand? >> >> >> Am 18.12.2016 um 11:21 schrieb Nico Kadel-Garcia <nkadel@xxxxxxxxx>: >> >> On Sat, Dec 17, 2016 at 7:37 PM, Philipp Vlassakakis >> <philipp@xxxxxxxxxxxxxx> wrote: >> >> Dear list members, >> >> I want to extend the logging of the openssh-server, so it also logs the >> entered passwords in plaintext, and yes I know that this is a security >> issue, but relax, Password Authentication is disabled. ;) >> >> >> Oh, dear lord. What part of "a really bad idea and begging for pure >> abuse" is not clear about this idea? Simply setting up a fake server >> with a hostname similar to a common could encourage password >> harvesting. >> >> It would be much safer to simply avoid activating debugging tools that >> can be so abused. > > What part of "actively supporting honeypots is a bad idea" is unclear > to you, sir? This kind of built-in feature can, and will, be used by > malicious people to activate passphrase theft. By activating it > directly in the source code, it also makes it that much more difficult > to detect when someone can and has enabled such harvesting. > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev@xxxxxxxxxxx > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
