[ https://issues.apache.org/jira/browse/SSHD-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17649199#comment-17649199 ]
Roberto Deandrea commented on SSHD-1315: ---------------------------------------- Thomas, Thank you very much for your solution. Kind Regards Roberto > Password in clear in SSHD server's logs > --------------------------------------- > > Key: SSHD-1315 > URL: https://issues.apache.org/jira/browse/SSHD-1315 > Project: MINA SSHD > Issue Type: Improvement > Affects Versions: 2.8.0 > Reporter: Roberto Deandrea > Assignee: Thomas Wolf > Priority: Minor > Fix For: 2.9.3 > > > Hi Thomas, > I noticed that setting SLF4J log level {*}org.apache.sshd.*=finest{*}, the > password of an SSH client authenticating to SSHD server is logged on SSHD > server in "clear". > This could result in a privacy/security issues at companies with strict > security rules. > > Evidence of this behavior is in the following trace : > {color:#242424}[12/14/22 10:05:04:537 CET] 0000014e id=00000000 > org.apache.sshd.common.util.logging.LoggingUtils{color}{color:#242424} > {color}{color:#242424}3 logMessage > decode({*}ServerSessionImpl{*}[null@/172.18.0.1:34845]) packet #7 [chunk > #1](53/53) 32 00 00 00 05 70 61 72 74 31 00 00 00 0e 73 73 68 2d 63 6f 6e 6e > 65 63 74 69 6f 6e 00 00 00 08 70 61 73 73 77 6f 72 64 00 00 00 00 08 70 61 72 > 74 6e 65 72 31{color}{color:#242424} > {color}{color:#242424}2....{*}part1{*}....ssh-connection....password.....{*}partner1{*}{color} > > Questions. > 1. What do you think about this issue ? > 2. Did you ever think about obfuscating in some ways "clear passwords" in > logs? > 3. Other considerations ? > > Than you for your collaboration. > Kind Regards > Roberto Deandrea > -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org For additional commands, e-mail: dev-h...@mina.apache.org