openssh unix dev - Dec 2016 - Extend logging of openssh-server - e.g. plaintext password

Also, if password-based auth is not allowed, WTF would you want to log
passwords?

This whole idea is ugly, and smacks of a teenage-level prank attempt.

I would strongly object against any such modification of the main source (though
I'm sure the maintainers are sane enough to never let such a crap in).

Of course the original poster is free to hack his own copy in whatever way he
wants.?

P.S. This silliness underscores the value and timeliness of using? hardware
tokens & PK-based authentication. :-)

Sent?from?my?BlackBerry?10?smartphone?on?the Verizon?Wireless?4G?LTE?network.
? Original Message ?
From: Nico Kadel-Garcia
Sent: Sunday, December 18, 2016 12:56
To: Philipp Vlassakakis
Cc: Blumenthal, Uri - 0553 - MITLL; openssh-unix-dev at mindrot.org
Subject: Re: Extend logging of openssh-server - e.g. plaintext password

On Sun, Dec 18, 2016 at 12:26 PM, Philipp Vlassakakis
<philipp at vlassakakis.de> wrote:
> Please accept my apologies. Sorry if my previous mails sound rude, it was
not my intention.
>
> @Nico:
> What do you mean with ?setting up a fake server? ?
> Should I change my SSH-Port to a non-default port and install a
SSH-Honeypot like Kippo, which listens on Port 22 as my
?SSH-Honeypot-Password-Harvester? ?
>
> With this solution i don?t have to modify the source code of the
openssh-server-package.
>
> Regards,
> Philipp
?
By setting up a fake server, I mean scenarios like this.

* I have web server in my company with or without passphrase access
enabled called "www.example.com"
* I have dynamic DNS enabled, as well, for laptops.
* Some fool names their laptop "ww.example.com" in my local DNS,
* The new admin at work, unaware of this "we don't allow PassPhrase
based access", tries to log into "www.example.com".
* The new admin uses his password. Having difficulty logging into the
honeypot, he then tries to log in as root or other administrtive
accounts.
* The honeypoyt now has copies of the login names, and passphrases,
stored in cleartext, without having to modify a single line of their
OpenSSH source code or a single byte of their binary.
* Voila: stashed passphrases and login names for the deired
"www.example.com".

The possibilities, individually, may not seem to be high. But there
are so very many potential ways to abuse this it seems extremely wise
to enable at all, much less as a built-in feature.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4350 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161218/ff134fb8/attachment-0001.bin>

> On 18 Dec 2016, at 19:07, Blumenthal, Uri - 0553 - MITLL <uri at
ll.mit.edu> wrote:
> 
> Also, if password-based auth is not allowed, WTF would you want to log
passwords?
> 
> This whole idea is ugly, and smacks of a teenage-level prank attempt.
> 
> I would strongly object against any such modification of the main source
(though I'm sure the maintainers are sane enough to never let such a crap
in).
Am I missing something? OP asked for a means of modifying *his own* openssh to
log passwords "only for his honeypots", and Stephen Harris replied
telling him
how to do it, having done this as a demonstration that password authentication
is in general problematic (his blog article explains in essence that if
he can do this, anyone else can do this, and you might ssh to their server
by accident - let's ignore the unrecognised host key stuff).

No one has suggested adding this to the main source code. Clearly that
would be foolhardy.

Is it really necessary to jump down people's throats for a reasonably
phrased question, and an answer (with a reasonably well written blog
article) behind it?

--
Alex Bligh




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161218/1870ac46/attachment.bin>

Depends on the question, and the potential (likely) consequences of the answer
being implemented.

Sent?from?my?BlackBerry?10?smartphone?on?the Verizon?Wireless?4G?LTE?network.
? Original Message ?
From: Alex Bligh
Sent: Sunday, December 18, 2016 16:14
To: Blumenthal, Uri - 0553 - MITLL
Cc: Alex Bligh; Nico Kadel-Garcia; Philipp Vlassakakis; openssh-unix-dev at
mindrot.org
Subject: Re: Extend logging of openssh-server - e.g. plaintext password

> On 18 Dec 2016, at 19:07, Blumenthal, Uri - 0553 - MITLL <uri at
ll.mit.edu> wrote:
> 
> Also, if password-based auth is not allowed, WTF would you want to log
passwords?
> 
> This whole idea is ugly, and smacks of a teenage-level prank attempt.
> 
> I would strongly object against any such modification of the main source
(though I'm sure the maintainers are sane enough to never let such a crap
in).
Am I missing something? OP asked for a means of modifying *his own* openssh to
log passwords "only for his honeypots", and Stephen Harris replied
telling him
how to do it, having done this as a demonstration that password authentication
is in general problematic (his blog article explains in essence that if
he can do this, anyone else can do this, and you might ssh to their server
by accident - let's ignore the unrecognised host key stuff).

No one has suggested adding this to the main source code. Clearly that
would be foolhardy.

Is it really necessary to jump down people's throats for a reasonably
phrased question, and an answer (with a reasonably well written blog
article) behind it?

--
Alex Bligh





-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4350 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161218/2a219565/attachment.bin>