No. He's saying that it leaks information that doesn't need to be leaked.
But this is a straw man argument.
Since nobody seems to be aware of how debugging works on OpenSSH, let
me just tell you that there is a client process and a server process
and they separately have debug modes. These debug modes are entirely
independent from one another. And what is displayed on the server
never gets near the client. The client debug mode could merely say
"Login failed. Ask your admin to run in debug mode to diagnose this
problem." and let it go at that. The server mode is where all the
juicy details go.
Please let me know how the attacker is going to get the server into
debug mode, let alone read its output?
For comparison, long long ago, there used to be different error
messages when authentication failed. It would helpfully tell you
that your password was wrong, or that you'd supplied the wrong
username.
Great for debugging, right? Well yeah ... and it was great for
enumerating the users on the box, making further attacks much
simpler.
Apparently they had more diligent programmers back then; they just
put the information in the wrong log file.
By the way, you might want to actually read the bug report. Nowhere
is the OpenSSH programmer indicating any concern of security; he is
even calling my suggestion "logspam". Then again, perhaps he's not
aware of this supposedly long-debated security issue.
--
Maurice Volaski, mvolaski@xxxxxxxxxxxx
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University
