Re: Logging attempted passwords

From: Derek Martin (code_at_pizzashack.org)
Date: 10/24/04

  • Next message: Bucaille, Lionel: "RE: port forwarding and oracle" 
    Date: Mon, 25 Oct 2004 02:48:43 +0900
To: secureshell@securityfocus.com

    On Fri, Oct 22, 2004 at 08:03:19AM -0400, Greg Wooledge wrote:
    > On Fri, Oct 22, 2004 at 02:57:24PM +0900, Derek Martin wrote:
    > > David appears to be asking for the PASSWORD the user used on a failed
    > > attempt. I'm not 100% positive, but I believe OpenSSH does not
    > > provide a mechanism to get the password.
    >
    > Logging failed passwords is a Very Bad Idea if you actually *use*
    > password authentication.

    In general, I agree. It's also not really cool for the admins to be
    able to see what passwords people are using. But on the other hand,
    that does not mean there might not be legitimate reasons to want to
    see the passwords that people are trying... In some rare and extreme
    cases, I can even conceive of it being possible to know passwords that
    people are successfully using... such as (perhaps) when tracking a
    cracker illegally accessing your systems. As others have pointed out,
    desirable or not, it's not that hard to get this by making small
    modifications to the source code...

    In any event, that was what the OP asked for, and that was the
    question I addressed.

    > Suppose your password is 'Open*SSH-3.9' (without the quotes). But
    > that's pretty hard to type on some keyboards with hyperactive Shift
    > keys, so maybe you fail by accidentally typing 'OPen*SSH-3.9', and
    > that gets logged. Now, someone gets hold of your logs (by whatever
    > means). Do you think your password is "safe" any more?

    No, but even if my password is not logged in some log, I would think
    my password was not safe if I knew that someone had gotten a hold of
    the logs... If the system is compromised, then all bets are off.
    It's that simple. Under such circumstances, you'd better change your
    password, regardless (and re-install the OS from known-clean media,
    and apply all updates before re-connecting it to the network, and)... 

    -- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D

  • Next message: Bucaille, Lionel: "RE: port forwarding and oracle"

    Relevant Pages

    • Re: Web site cant be browsed when logging out from IISv6.0 Server
      ... Well, as David has outlined, there is not much for us to go on. ... Your logs show that there is a failure to instance some object ... browse the website. ...
      (microsoft.public.inetserver.iis.security)
    • Re: Closed form for series
      ... Thanks to both, David and Rob. ... Taking logs on both sides of, ... term on the left is the same as the first term in David's expression, ... Is my taking the log of an infinite product silly? ...
      (sci.math)
    • Re: win2k Webserver
      ... IIS logs are not written on the fly, but more of a when service has time. ... I hope your Win2K server is firewall protected and you are allowing only ... "David Shorthouse" wrote in message ...
      (microsoft.public.win2000.security)
    • Re: Apache Rotate Logs and Log Rotate.
      ... I had already configured it like that the first time around after reading up on it a bit. ... Most articles/tips I have read say to wait 10 minutes or so and then compress the logs with a shell script in order to be sure Apache finished logging to the files. ... David Robillard wrote: ... newsyslog.confconfiguration should look like. ...
      (freebsd-questions)
    • System shutting down all the time
      ... was Blaster worm, but was nowhere on my PC. ... tracking through logs in Event Viewer, ...
      (microsoft.public.windowsxp.security_admin)
    • Quantcast