Re: On why debugging OpenSSH can be so hard

No. He's saying that it leaks information that doesn't need to be leaked.

But this is a straw man argument.

Since nobody seems to be aware of how debugging works on OpenSSH, let me just tell you that there is a client process and a server process and they separately have debug modes. These debug modes are entirely independent from one another. And what is displayed on the server never gets near the client. The client debug mode could merely say "Login failed. Ask your admin to run in debug mode to diagnose this problem." and let it go at that. The server mode is where all the juicy details go.

Please let me know how the attacker is going to get the server into debug mode, let alone read its output?


For comparison, long long ago, there used to be different error messages when authentication failed. It would helpfully tell you that your password was wrong, or that you'd supplied the wrong username.
Great for debugging, right? Well yeah ... and it was great for enumerating the users on the box, making further attacks much simpler.

Apparently they had more diligent programmers back then; they just put the information in the wrong log file.

By the way, you might want to actually read the bug report. Nowhere is the OpenSSH programmer indicating any concern of security; he is even calling my suggestion "logspam". Then again, perhaps he's not aware of this supposedly long-debated security issue.
--

Maurice Volaski, mvolaski@xxxxxxxxxxxx
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University
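The split the post describes, one uniform failure message for the client and the distinguishing detail only in the server's own debug log, as an added Python example; this is not OpenSSH code or anything from the thread, and the user table, salt, iteration count and peer address are constructed for the demo.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("sshd-demo")

# Constructed demo values: a low PBKDF2 iteration count keeps the example quick.
_ITER = 10_000
_SALT = b"constructed-demo-salt"


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)


# Constructed user database: username -> (salt, password hash).
USERS = {"alice": (_SALT, _hash_pw("correct horse", _SALT))}
# Dummy credential hashed for unknown users so both failure paths do the same work.
_DUMMY = (_SALT, _hash_pw("dummy-password", _SALT))

# The only text a failing client ever sees; it does not depend on the reason.
CLIENT_MSG = "Login failed. Ask your admin to run the server in debug mode."

# Server-side record of the detailed reason (what sshd -d would print here).
SERVER_LOG: list[str] = []


def authenticate(username: str, password: str, peer: str = "203.0.113.5"):
    """Return (ok, message_for_client); the reason goes only to the server log."""
    known = username in USERS
    salt, stored = USERS.get(username, _DUMMY)
    # Hash and compare even when the user is unknown, so the wrong-user and
    # wrong-password paths cost the same and return byte-identical text.
    match = hmac.compare_digest(_hash_pw(password, salt), stored)
    if known and match:
        SERVER_LOG.append(f"accepted password for {username} from {peer}")
        log.info(SERVER_LOG[-1])
        return True, "Login succeeded."
    reason = "unknown user" if not known else "wrong password"
    SERVER_LOG.append(f"failed password for {username} from {peer}: {reason}")
    log.debug(SERVER_LOG[-1])  # only visible when the server runs in debug mode
    return False, CLIENT_MSG
```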
