[ 
https://issues.apache.org/jira/browse/SSHD-1315?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Thomas Wolf updated SSHD-1315:
------------------------------
    Fix Version/s: 2.10.0
                       (was: 2.9.3)

> Password in clear in SSHD server's logs
> ---------------------------------------
>
>                 Key: SSHD-1315
>                 URL: https://issues.apache.org/jira/browse/SSHD-1315
>             Project: MINA SSHD
>          Issue Type: Improvement
>    Affects Versions: 2.8.0
>            Reporter: Roberto Deandrea
>            Assignee: Thomas Wolf
>            Priority: Minor
>             Fix For: 2.10.0
>
>
> Hi Thomas,
> I noticed that setting SLF4J log level org.apache.sshd.*=finest, the 
> password of an SSH client authenticating to the SSHD server is logged on the 
> SSHD server in "clear".
> This could result in privacy/security issues at companies with strict 
> security rules.
>  
> Evidence of this behavior is in the following trace:
> [12/14/22 10:05:04:537 CET] 0000014e id=00000000 org.apache.sshd.common.util.logging.LoggingUtils 3 logMessage
> decode(ServerSessionImpl[null@/172.18.0.1:34845]) packet #7 [chunk #1](53/53)
> 32 00 00 00 05 70 61 72 74 31 00 00 00 0e 73 73 68 2d 63 6f 6e 6e 65 63 74 69 6f 6e
> 00 00 00 08 70 61 73 73 77 6f 72 64 00 00 00 00 08 70 61 72 74 6e 65 72 31
> 2....part1....ssh-connection....password.....partner1
>  
> Questions.
> 1. What do you think about this issue?
> 2. Did you ever think about obfuscating in some ways "clear passwords" in 
> logs?
> 3. Other considerations?
>  
> Thank you for your collaboration.
> Kind Regards
> Roberto Deandrea
>  
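The 53 bytes in the trace are the decoded payload of an SSH_MSG_USERAUTH_REQUEST (first byte 0x32 = 50): user name, service name, the method name "password", a boolean, and then the password itself as a length-prefixed string. The following script is an added example (Python, written for this page; it is not MINA SSHD code and not the fix shipped in 2.10.0). It parses that layout from the issue's own hex dump and rebuilds the dump with only the secret bytes masked, so a packet trace stays useful for debugging without exposing the credential. It goes slightly beyond the trace by also handling the password-change form of the message (boolean TRUE, old and new password, per RFC 4252 section 8) and by yielding no masked range for methods such as "none". It assumes the logged hex starts at the message-type byte, as it does in the trace above; the helper names are this example's own.

```python
"""Redact the password field of an SSH_MSG_USERAUTH_REQUEST before it is logged.

Added example for this issue, not MINA SSHD code. Assumes the hex dump starts
at the message-type byte, as the trace in the issue does.
"""
import struct

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252

# The decoded payload bytes copied verbatim from the issue's trace line.
TRACE_HEX = (
    "32 00 00 00 05 70 61 72 74 31 00 00 00 0e 73 73 68 2d 63 6f 6e 6e "
    "65 63 74 69 6f 6e 00 00 00 08 70 61 73 73 77 6f 72 64 00 00 00 00 08 "
    "70 61 72 74 6e 65 72 31"
)


def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode an RFC 4251 'string' at `off`; return (body, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string body runs past end of packet")
    return buf[off:off + n], off + n


def parse_userauth_request(payload: bytes):
    """Return (fields, secret_spans).

    `fields` holds user/service/method; `secret_spans` lists (start, end) byte
    ranges that carry a secret. Only the "password" method carries one in this
    message (RFC 4252 section 8); other methods produce an empty list.
    """
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST payload")
    off = 1
    user, off = read_string(payload, off)
    service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    fields = {
        "user": user.decode("utf-8", "replace"),
        "service": service.decode("utf-8", "replace"),
        "method": method.decode("utf-8", "replace"),
    }
    spans = []
    if method == b"password":
        if off >= len(payload):
            raise ValueError("missing password-change boolean")
        change = payload[off] != 0
        off += 1
        # FALSE: one plaintext password follows; TRUE: old and new password.
        for _ in range(2 if change else 1):
            body_start = off + 4  # skip the 4-byte length, keep it visible
            _, off = read_string(payload, off)
            spans.append((body_start, off))
    return fields, spans


def redact_hex_dump(hex_text: str) -> str:
    """Rebuild the hex dump with every secret byte replaced by 'xx'.

    Lengths and all non-secret bytes stay visible, so the packet structure can
    still be checked from the log.
    """
    payload = bytes.fromhex(hex_text)
    _, spans = parse_userauth_request(payload)
    secret = {i for start, end in spans for i in range(start, end)}
    return " ".join("xx" if i in secret else "%02x" % b for i, b in enumerate(payload))


def describe(hex_text: str) -> str:
    """One-line summary safe to log: the fields plus the secret's length, never its value."""
    payload = bytes.fromhex(hex_text)
    fields, spans = parse_userauth_request(payload)
    secret_note = ", ".join("<redacted %d bytes>" % (e - s) for s, e in spans) or "none"
    return "user=%s service=%s method=%s secret=%s" % (
        fields["user"], fields["service"], fields["method"], secret_note)


if __name__ == "__main__":
    print(describe(TRACE_HEX))
    print(redact_hex_dump(TRACE_HEX))
```

Run as a script it prints the summary line and a dump in which the last eight tokens (the "partner1" bytes at offsets 45 to 52) read `xx`, while the length prefix `00 00 00 08` before them is kept. Masking by parsed offset rather than by searching the dump for a known value is what makes this safe: the server cannot know the password up front, but it always knows where the password field sits in this message type.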



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
