> On 18 Dec 2016, at 19:07, Blumenthal, Uri - 0553 - MITLL <uri@xxxxxxxxxx> wrote: > > Also, if password-based auth is not allowed, WTF would you want to log passwords? > > This whole idea is ugly, and smacks of a teenage-level prank attempt. > > I would strongly object against any such modification of the main source (though I'm sure the maintainers are sane enough to never let such a crap in). Am I missing something? OP asked for a means of modifying *his own* openssh to log passwords "only for his honeypots", and Stephen Harris replied telling him how to do it, having done this as a demonstration that password authentication is in general problematic (his blog article explains in essence that if he can do this, anyone else can do this, and you might ssh to their server by accident - let's ignore the unrecognised host key stuff). No one has suggested adding this to the main source code. Clearly that would be foolhardy. Is it really necessary to jump down people's throats for a reasonably phrased question, and an answer (with a reasonably well written blog article) behind it? -- Alex Bligh
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev