Re: Extend logging of openssh-server - e.g. plaintext password

Also, if password-based auth is not allowed, WTF would you want to log passwords?

This whole idea is ugly, and smacks of a teenage-level prank attempt.

I would strongly object to any such modification of the main source (though I'm sure the maintainers are sane enough to never let such crap in).

Of course the original poster is free to hack his own copy in whatever way he wants. 

P.S. This silliness underscores the value and timeliness of using hardware tokens & PK-based authentication. :-)

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: Nico Kadel-Garcia
Sent: Sunday, December 18, 2016 12:56
To: Philipp Vlassakakis
Cc: Blumenthal, Uri - 0553 - MITLL; openssh-unix-dev@xxxxxxxxxxx
Subject: Re: Extend logging of openssh-server - e.g. plaintext password

On Sun, Dec 18, 2016 at 12:26 PM, Philipp Vlassakakis
<philipp@xxxxxxxxxxxxxx> wrote:
> Please accept my apologies. Sorry if my previous mails sound rude, it was not my intention.
>
> @Nico:
> What do you mean with „setting up a fake server“ ?
> Should I change my SSH-Port to a non-default port and install a SSH-Honeypot like Kippo, which listens on Port 22 as my „SSH-Honeypot-Password-Harvester“ ?
>
> With this solution I don't have to modify the source code of the openssh-server package.
>
> Regards,
> Philipp
By setting up a fake server, I mean scenarios like this.

* I have a web server in my company, with or without passphrase access
enabled, called "www.example.com".
* I have dynamic DNS enabled, as well, for laptops.
* Some fool names their laptop "ww.example.com" in my local DNS.
* The new admin at work, unaware that "we don't allow PassPhrase
based access", tries to log into "www.example.com".
* The new admin uses his password. Having difficulty logging into the
honeypot, he then tries to log in as root or other administrative
accounts.
* The honeypot now has copies of the login names and passphrases,
stored in cleartext, without having to modify a single line of their
OpenSSH source code or a single byte of their binary.
* Voila: stashed passphrases and login names for the desired "www.example.com".

The possibilities, individually, may not seem to be high. But there
are so very many potential ways to abuse this that it seems extremely
unwise to enable at all, much less as a built-in feature.
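The thread's underlying point is that password-based login should not be reachable at all, which the first reply assumes is already the case on a sane server. As an added example (not code from the thread or from OpenSSH), the Python below audits an sshd_config text the way sshd itself reads it: '#' comments, case-insensitive keywords, 'Keyword value' or 'Keyword=value', the first value for a keyword wins, and Match blocks override the global value. That first-value-wins rule is what makes the common "I appended PasswordAuthentication no and it still accepts passwords" mistake, so shadowed directives are reported separately. The two config texts are constructed; the compiled-in defaults and the ChallengeResponseAuthentication alias are assumptions to confirm against `sshd -T` on your own version.

```python
"""Audit an sshd_config for reachable password-based login paths.

Added example, not from the mailing-list thread or OpenSSH. Parsing rules
follow sshd_config(5): '#' starts a comment, keywords are case-insensitive,
'Keyword value' and 'Keyword=value' are both accepted, and for each keyword
the FIRST value seen wins (later duplicates are silently ignored). A Match
block overrides the global value for the connections it matches.
"""
import re

# Assumed defaults for a modern OpenSSH (>= 7.0); verify with `sshd -T`.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# Assumption: the older spelling maps onto the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_settings, match_blocks, shadowed).

    match_blocks is a list of (criteria, settings). shadowed lists
    (line_no, keyword, ignored_value) for directives that lost to an
    earlier directive in the same scope and therefore have no effect.
    """
    global_cfg, blocks, shadowed = {}, [], []
    current = global_cfg
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}                 # new scope until the next Match
            blocks.append((value, current))
            continue
        if keyword in current:
            shadowed.append((line_no, keyword, value))   # first value wins
        else:
            current[keyword] = value
    return global_cfg, blocks, shadowed


def audit_sshd_config(text):
    """Return (findings, shadowed); findings are (scope, keyword, value, why)."""
    global_cfg, blocks, shadowed = parse_sshd_config(text)
    findings = []
    scopes = [("global", global_cfg)] + [("Match " + c, cfg) for c, cfg in blocks]
    for scope, cfg in scopes:
        def effective(key):
            # Match-block value, else global value, else compiled-in default.
            return cfg.get(key, global_cfg.get(key, DEFAULTS[key]))
        pa = effective("passwordauthentication")
        if pa != "no":
            findings.append((scope, "PasswordAuthentication", pa,
                             "password login reachable"))
        kbd = effective("kbdinteractiveauthentication")
        if kbd != "no":
            findings.append((scope, "KbdInteractiveAuthentication", kbd,
                             "keyboard-interactive (PAM password prompt) reachable"))
        prl = effective("permitrootlogin")
        if prl == "yes":
            findings.append((scope, "PermitRootLogin", prl,
                             "root may log in with a password"))
    return findings, shadowed


# Constructed example: looks locked down, but password logins still work.
WEAK_CONFIG = """\
# constructed sshd_config
Port 22
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no   # ignored: the first value above wins
Match User deploy
    PasswordAuthentication yes
"""

# Constructed example: public-key only, as the P.S. above recommends.
HARDENED_CONFIG = """\
# constructed sshd_config
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings, shadowed = audit_sshd_config(cfg)
        print(name, "findings:", findings)
        print(name, "shadowed:", shadowed)
```

On a live host, compare the script's verdict with `sshd -T`, which prints the effective configuration after the same first-value-wins resolution; any difference means your copy of sshd has different compiled-in defaults than the ones assumed above.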


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
