|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: SSH probe attack afoot?
From: Steve Bonds (lf5w3i702
sneakemail.com)
Date: Mon Feb 07 2005 - 15:48:23 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, 07 Feb 2005 15:42:32 -0300, Martin Sarsale wrote:
> And: does ssh provides this kind of functionality? (I know it could be a
> security breach in case you type your root password in uppercase and it
> ends on your logs)
It's generally a Bad Idea to log passwords. This can open you up to
accusations of the US Federal crime of trafficking in passwords, even
if you're just using them internally. It also allows potentially
malicious users to deflect blame by claiming someone else had their
password.
Check this thread on the OpenSSH mailing list (Oct 20 2004) for
details on logging passwords:
http://marc.theaimsgroup.com/?t=109838679600001
With that said, this post (Oct 22 2004 by Baqrtek Krajnik) provides a
patch to auth-passwd.c to log each password used whether successful or
not.
http://marc.theaimsgroup.com/?l=secure-shell&m=109863906400531
-- Steve
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]