Details
- Type: Improvement
- Status: Resolved
- Priority: Minor
- Resolution: Fixed
- Version: 2.8.0
Description
Hi Thomas,
I noticed that when the SLF4J log level is set to org.apache.sshd.=finest{*}, the password of an SSH client authenticating to the SSHD server is logged on the SSHD server in "clear".
This could result in privacy/security issues at companies with strict security rules.
Evidence of this behavior is in the following trace:
[12/14/22 10:05:04:537 CET] 0000014e id=00000000 org.apache.sshd.common.util.logging.LoggingUtils 3 logMessage decode(ServerSessionImpl[null@/172.18.0.1:34845]) packet #7 chunk #1(53/53) 32 00 00 00 05 70 61 72 74 31 00 00 00 0e 73 73 68 2d 63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 08 70 61 73 73 77 6f 72 64 00 00 00 00 08 70 61 72 74 6e 65 72 31 2....part1....ssh-connection....password.....partner1
Questions:
1. What do you think about this issue?
2. Did you ever think about obfuscating "clear passwords" in logs in some way?
3. Other considerations?
Thank you for your collaboration.
Kind Regards
Roberto Deandrea
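The trace above is the raw SSH_MSG_USERAUTH_REQUEST packet (RFC 4252: message id 0x32, then the strings user, service, method, a boolean, and the password) dumped as hex plus a printable rendering. As an added example, not code from the SSHD project or from this report, the following log post-processor locates that dump in a decode() trace line, parses the packet, and blanks only the password bytes in both renderings. The sample line is constructed from the bytes quoted in the report; the "chunk #n(x/y)" prefix is assumed to always precede the hex dump.

```python
import re
import struct

SAMPLE_LINE = (  # constructed sample modelled on the FINEST trace quoted in the report
    "[12/14/22 10:05:04:537 CET] 0000014e org.apache.sshd.common.util.logging.LoggingUtils "
    "decode(ServerSessionImpl[null@/172.18.0.1:34845]) packet #7 chunk #1(53/53) "
    "32 00 00 00 05 70 61 72 74 31 00 00 00 0e 73 73 68 2d 63 6f 6e 6e 65 63 74 69 6f 6e "
    "00 00 00 08 70 61 73 73 77 6f 72 64 00 00 00 00 08 70 61 72 74 6e 65 72 31 "
    "2....part1....ssh-connection....password.....partner1"
)
SSH_MSG_USERAUTH_REQUEST = 50  # 0x32, RFC 4252 section 5
HEX_DUMP = re.compile(r"chunk #\d+\(\d+/\d+\) ((?:[0-9a-f]{2} )*[0-9a-f]{2})")

def read_string(buf, off):
    """Read an SSH 'string' (uint32 big-endian length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_userauth_request(packet):
    """Decode SSH_MSG_USERAUTH_REQUEST; for the password method also return the password's byte span."""
    if not packet or packet[0] != SSH_MSG_USERAUTH_REQUEST:
        return None
    user, off = read_string(packet, 1)
    service, off = read_string(packet, off)
    method, off = read_string(packet, off)
    info = {"user": user.decode(), "service": service.decode(), "method": method.decode()}
    if method == b"password":
        off += 1  # boolean: FALSE for a plain password, TRUE for a change request
        _, end = read_string(packet, off)
        info["password_span"] = (off + 4, end)
    return info

def redact_line(line):
    """Blank the password bytes of a decode() trace line in both the hex dump and the printable tail."""
    m = HEX_DUMP.search(line)
    if not m:
        return line
    try:
        packet = bytes.fromhex(m.group(1).replace(" ", ""))
        info = parse_userauth_request(packet)
    except (ValueError, struct.error):
        return line  # not a parseable packet: leave the line untouched
    if not info or "password_span" not in info:
        return line
    a, b = info["password_span"]
    hexdump = " ".join("**" if a <= i < b else f"{x:02x}" for i, x in enumerate(packet))
    tail = line[m.end(1):].replace(packet[a:b].decode("latin-1"), "*" * (b - a))
    return line[:m.start(1)] + hexdump + tail
```

Run over an existing log this shows which lines already leaked a credential; the user, service and method fields are kept so the line stays useful for troubleshooting.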