19 comments

[ 3.6 ms ] story [ 49.7 ms ] thread
From the changelog:

* ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied.

Finally makes canonicalisation /useful/, since before that you would still need to have specialized Host/Match rules (this would make canonicalisation only helpful for ControlPath basically).

Here's a one line patch to make OpenSSH log passwords:

http://16s.us/docs/sshlog/sshlog.patch

I log passwords (just as a hobby) to see what type of passwords the brute-force bots are currently using.

Here's the top 10:

    PASS COUNT
    123456 3785
    password 2531
    1234 2053
    admin 2005
    12345 1390
    root 1281
    123 1246
    1qaz2wsx 1207
    root123 1150
    passw0rd 1120
Here's the top 10 complex:

    PASS COUNT
    P@ssw0rd 1027
    1qaz@WSX 466
    !QAZ2wsx 357
    Admin@123 310
    P@$$w0rd 299
    P@ssw0rd1 177
    Admin123!@# 172
    P@ssw0rd123 166
    1qaz@WSX3edc 153
    1qazXSW@ 150
Don't use any of those passwords on your systems.

Edit: Formatting.

Does that mean that you also log your user's password?
These are not production systems, but yes, that patch logs all passwords. I only use keys.
(comment deleted)
Is it you or openssh that declares two variables on one line (int result, ok)? I hope it's just you, because that's bad practice :-/
For someone here criticizing C style, I'm surprised you can't read unified diffs. The lines starting with " " are context. The lines starting with "+" are the ones the author of the patch added.
That's what I get for reading diffs on a mobile phone at 11PM.

But my concern does stand, OpenSSH does allow for multiple declarations on one line in their style guide.

OpenSSH is in Kernel Normal Form (http://www.openbsd.org/cgi-bin/man.cgi?query=style&section=9) which doesn't have any qualms about it.

Specifically it says : "When declaring variables in functions, declare them sorted by size (largest to smallest), then in alphabetical order; multiple ones per line are okay."

Riiight. Thank you. That answers my question.
(comment deleted)
I've never seen the 1qaz2wsx password pattern. Does that mean there's also 3edc4rfv and things like that in your 'logs'?
john the ripper has a mode dedicated to create "sequences of adjacent keys on a keyboard as candidate passwords." Take a look in john.conf and search for [List.External:Keyboard]
Nice.. that's one of reasons the first thing I do after a fresh install in /etc/ssh/sshd_config

  AllowUsers myuser
  PermitRootLogin no
(yes I still use a password)
I hope you use something similar to fail2ban
I do not. That would interfere with my experiment. My hosts stand on their own on the Internet. All account passwords are 160-bits. Have at guessing them.
Anybody knows what is the success rate of those?

I would pay to know how much people has their password listed in the first TOP 10 list.