openssh unix dev - Dec 2016 - Extend logging of openssh-server - e.g. plaintext password

What part of ?Password Authentication is disabled? do you not understand?

> Am 18.12.2016 um 11:21 schrieb Nico Kadel-Garcia <nkadel at
gmail.com>:
> 
> On Sat, Dec 17, 2016 at 7:37 PM, Philipp Vlassakakis
> <philipp at vlassakakis.de> wrote:
>> Dear list members,
>> 
>> I want to extend the logging of the openssh-server, so it also logs the
entered passwords in plaintext, and yes I know that this is a security issue,
but relax, Password Authentication is disabled. ;)
> 
> Oh, dear lord. What part of "a really bad idea and begging for pure
> abuse" is not clear about this idea? Simply setting up a fake server
> with a hostname similar to a common could encourage password
> harvesting.
> 
> It would be much safer to simply avoid activating debugging tools that
> can be so abused.

On Sun, Dec 18, 2016 at 9:42 AM, Philipp Vlassakakis
<philipp at vlassakakis.de> wrote:
> What part of ?Password Authentication is disabled? do you not understand?
>
>
> Am 18.12.2016 um 11:21 schrieb Nico Kadel-Garcia <nkadel at
gmail.com>:
>
> On Sat, Dec 17, 2016 at 7:37 PM, Philipp Vlassakakis
> <philipp at vlassakakis.de> wrote:
>
> Dear list members,
>
> I want to extend the logging of the openssh-server, so it also logs the
> entered passwords in plaintext, and yes I know that this is a security
> issue, but relax, Password Authentication is disabled. ;)
>
>
> Oh, dear lord. What part of "a really bad idea and begging for pure
> abuse" is not clear about this idea? Simply setting up a fake server
> with a hostname similar to a common could encourage password
> harvesting.
>
> It would be much safer to simply avoid activating debugging tools that
> can be so abused.
What part of "actively supporting honeypots is a bad idea"  is unclear
to you, sir? This kind of built-in feature can, and will, be used by
malicious people to activate passphrase theft. By activating it
directly in the source code, it also makes it that much more difficult
to detect when someone can and has enabled such harvesting.

I concur with Nico ? logging plaintext passwords is an extremely bad idea.

The tone of the poster also leaves much to be desired ? but I?ll hold my tongue
for now.
--
Regards,
Uri Blumenthal

On 12/18/16, 11:48, "openssh-unix-dev on behalf of Nico Kadel-Garcia"
<openssh-unix-dev-bounces+uri=ll.mit.edu at mindrot.org on behalf of nkadel
at gmail.com> wrote:

    On Sun, Dec 18, 2016 at 9:42 AM, Philipp Vlassakakis
    <philipp at vlassakakis.de> wrote:
    > What part of ?Password Authentication is disabled? do you not
understand?
    >
    >
    > Am 18.12.2016 um 11:21 schrieb Nico Kadel-Garcia <nkadel at
gmail.com>:
    >
    > On Sat, Dec 17, 2016 at 7:37 PM, Philipp Vlassakakis
    > <philipp at vlassakakis.de> wrote:
    >
    > Dear list members,
    >
    > I want to extend the logging of the openssh-server, so it also logs the
    > entered passwords in plaintext, and yes I know that this is a security
    > issue, but relax, Password Authentication is disabled. ;)
    >
    >
    > Oh, dear lord. What part of "a really bad idea and begging for
pure
    > abuse" is not clear about this idea? Simply setting up a fake
server
    > with a hostname similar to a common could encourage password
    > harvesting.
    >
    > It would be much safer to simply avoid activating debugging tools that
    > can be so abused.
    
    What part of "actively supporting honeypots is a bad idea"  is
unclear
    to you, sir? This kind of built-in feature can, and will, be used by
    malicious people to activate passphrase theft. By activating it
    directly in the source code, it also makes it that much more difficult
    to detect when someone can and has enabled such harvesting.
    _______________________________________________
    openssh-unix-dev mailing list
    openssh-unix-dev at mindrot.org
    https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
    
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5211 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161218/b47ed2c5/attachment.bin>