Posted to dev@mina.apache.org by "Roberto Deandrea (Jira)" <ji...@apache.org> on 2022/12/14 09:18:00 UTC

[jira] [Created] (SSHD-1315) Password in clear in SSHD server's logs

Roberto Deandrea created SSHD-1315:
--------------------------------------

             Summary: Password in clear in SSHD server's logs
                 Key: SSHD-1315
                 URL: https://issues.apache.org/jira/browse/SSHD-1315
             Project: MINA SSHD
          Issue Type: Improvement
    Affects Versions: 2.8.0
            Reporter: Roberto Deandrea


Hi Thomas,

I noticed that setting SLF4J log level org.apache.sshd.*=finest, the password of an SSH client authenticating to the SSHD server is logged on the SSHD server in "clear".

This could result in privacy/security issues at companies with strict security rules.


Evidence of this behavior is in the following trace:

[12/14/22 10:05:04:537 CET] 0000014e id=00000000 org.apache.sshd.common.util.logging.LoggingUtils 3 logMessage decode(ServerSessionImpl[null@/172.18.0.1:34845]) packet #7 [chunk #1](53/53) 32 00 00 00 05 70 61 72 74 31 00 00 00 0e 73 73 68 2d 63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 08 70 61 73 73 77 6f 72 64 00 00 00 00 08 70 61 72 74 6e 65 72 31    2....part1....ssh-connection....password.....partner1


Questions.

1. What do you think about this issue?

2. Did you ever think about obfuscating in some ways "clear passwords" in logs?

3. Other considerations?


Thank you for your collaboration.

Kind Regards

Roberto Deandrea
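The packet in the trace above is an SSH_MSG_USERAUTH_REQUEST (RFC 4252, section 5 and section 8): message id 50, then the strings user name, service name and method name, a boolean, and the password string(s). The following Python is added here and is not part of the report or of MINA SSHD; it reconstructs that packet from the hex dump, decodes the fields, and shows one mitigation a server can apply: redacting the password strings before a packet is hex-dumped to a log. The packet bytes are taken from the trace; everything else is an assumption of this example.

```python
import struct

# Constructed from the hex dump quoted in the report: SSH_MSG_USERAUTH_REQUEST for
# user "part1", service "ssh-connection", method "password", password "partner1".
LOGGED_PACKET = bytes.fromhex(
    "32 00000005 7061727431 0000000e 7373682d636f6e6e656374696f6e"
    " 00000008 70617373776f7264 00 00000008 706172746e657231")
SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252, section 5

def read_string(buf: bytes, off: int):
    """Read an SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + length], off + length

def parse_userauth_request(payload: bytes) -> dict:
    """Decode the fields every SSH_MSG_USERAUTH_REQUEST carries before the method data."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST")
    user, off = read_string(payload, 1)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    return {"user": user.decode(), "service": service.decode(),
            "method": method.decode(), "method_data_offset": off}

def redact_userauth_request(payload: bytes) -> bytes:
    """Overwrite password-method secrets with '*' (length preserved) before logging;
    other message types and other auth methods pass through unchanged."""
    try:
        fields = parse_userauth_request(payload)
    except (ValueError, struct.error):
        return payload
    if fields["method"] != "password":
        return payload
    off = fields["method_data_offset"]
    secrets = 2 if payload[off] else 1  # boolean TRUE = password change: old + new
    off += 1
    out = bytearray(payload[:off])
    for _ in range(secrets):
        secret, off = read_string(payload, off)
        out += struct.pack(">I", len(secret)) + b"*" * len(secret)
    return bytes(out) + payload[off:]

def hex_dump(data: bytes) -> str:  # hex pairs plus printable column, like the report's trace
    hexpart = " ".join(f"{b:02x}" for b in data)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    return f"{hexpart}  {text}"
```

`hex_dump(redact_userauth_request(LOGGED_PACKET))` reproduces the trace line from the report with "partner1" replaced by eight asterisks, while the user name, service and method remain readable for debugging.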



