OpenSSH 6.6 released (openssh.com)
80 points by mortenlarsen on March 27, 2014 | hide | past | favorite | 17 comments



Here's a one line patch to make OpenSSH log passwords:

http://16s.us/docs/sshlog/sshlog.patch

I log passwords (just as a hobby) to see what type of passwords the brute-force bots are currently using.

Here's the top 10:

    PASS COUNT
    123456 3785
    password 2531
    1234 2053
    admin 2005
    12345 1390
    root 1281
    123 1246
    1qaz2wsx 1207
    root123 1150
    passw0rd 1120
Here's the top 10 complex:

    PASS COUNT
    P@ssw0rd 1027
    1qaz@WSX 466
    !QAZ2wsx 357
    Admin@123 310
    P@$$w0rd 299
    P@ssw0rd1 177
    Admin123!@# 172
    P@ssw0rd123 166
    1qaz@WSX3edc 153
    1qazXSW@ 150
Don't use any of those passwords on your systems.

Edit: Formatting.


Nice.. that's one of the reasons the first thing I do after a fresh install is in /etc/ssh/sshd_config:

  AllowUsers myuser
  PermitRootLogin no
(yes I still use a password)
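The two directives above can be checked mechanically. The following audit script is an added example, not code from the thread or from OpenSSH: it parses the global section of an sshd_config, applies the commenter's AllowUsers/PermitRootLogin checks, and goes one step further by flagging PasswordAuthentication, which later replies recommend replacing with keys. The sample configs are constructed, and the defaults it assumes when a keyword is absent (PermitRootLogin yes, PasswordAuthentication yes) are those of OpenSSH 6.x; sshd keeps the first value it reads for a repeated keyword, and the parser mirrors that.

```python
"""Audit of the global section of an sshd_config (added example for this thread).
Checks AllowUsers, PermitRootLogin and PasswordAuthentication; the sample
configs are constructed and the fallback defaults are those of OpenSSH 6.x."""
import re
from typing import Dict, List

# Constructed: what a fresh install often looks like. Note the second
# PermitRootLogin: sshd keeps the FIRST value it reads for a keyword, so this
# file still permits root login despite the later 'no'.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later by someone who thought this would take effect:
PermitRootLogin no
"""

# Constructed: the commenter's two lines plus key-only authentication. The
# Match block is a per-network exception; the global audit stops before it.
HARDENED_CONFIG = """\
AllowUsers myuser
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# Assumed defaults when a keyword is missing (OpenSSH 6.x behaviour).
ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}
# 'Keyword value' or 'Keyword=value'; keywords are case-insensitive.
DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_global_section(text: str) -> Dict[str, str]:
    """Keyword -> first value, for directives before any Match block."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break                      # everything after this is conditional
        opts.setdefault(key, value)    # first occurrence wins, as in sshd
    return opts


def audit_sshd_config(text: str) -> List[str]:
    """Findings for the global section; an empty list means the checks pass."""
    opts = parse_global_section(text)
    effective = {**ASSUMED_DEFAULTS, **opts}
    findings: List[str] = []
    if effective["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin is '{effective['permitrootlogin']}'; set it to no")
    if effective["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is enabled; prefer keys and set it to no")
    if "allowusers" not in opts and "allowgroups" not in opts:
        findings.append("no AllowUsers/AllowGroups: every local account is an SSH login target")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; for the effective values as sshd itself resolves them, compare with the output of `sshd -T`.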


Does that mean that you also log your user's password?


These are not production systems, but yes, that patch logs all passwords. I only use keys.


I've never seen the 1qaz2wsx password pattern. Does that mean there's also 3edc4rfv and things like that in your 'logs'?


john the ripper has a mode dedicated to creating "sequences of adjacent keys on a keyboard as candidate passwords." Take a look in john.conf and search for [List.External:Keyboard]
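The defensive counterpart to that john mode is a policy check that refuses such passwords before they reach an account. The script below is an added example, not code from the thread, from john or from OpenSSH: it rejects the exact strings from the two top-10 tables above, leet and digit-suffix variants of the base words behind them (password, admin, root), and keyboard walks such as 1qaz2wsx. The QWERTY model (row stagger ignored, so 1-q-a-z counts as a straight vertical walk), the 12-character minimum and the 3-key walk limit are this example's own assumptions.

```python
"""Password-policy check for an sshd host (added example for this thread).
Rejects the thread's top-10 passwords, leet/affix variants of their base
words, and keyboard walks of the kind john's Keyboard mode enumerates."""
import re
from typing import List

# Exact strings from the two top-10 tables in the comment above.
SEEN_IN_THE_WILD = {
    "123456", "password", "1234", "admin", "12345", "root", "123",
    "1qaz2wsx", "root123", "passw0rd",
    "P@ssw0rd", "1qaz@WSX", "!QAZ2wsx", "Admin@123", "P@$$w0rd",
    "P@ssw0rd1", "Admin123!@#", "P@ssw0rd123", "1qaz@WSX3edc", "1qazXSW@",
}
SEEN_LOWER = {p.lower() for p in SEEN_IN_THE_WILD}
# Base words whose leet spellings and digit/punctuation affixes dominate the lists.
BASE_WORDS = {"password", "admin", "root"}

# US QWERTY, unshifted (assumed layout). Row stagger is ignored: keys sharing a
# column index count as vertical neighbours, which is what 1qaz / 2wsx / 3edc walk down.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
SHIFTED_DIGITS = str.maketrans("!@#$%^&*()", "1234567890")  # !QAZ -> 1qaz, @WSX -> 2wsx
LEET = str.maketrans("@$0", "aso")                          # P@$$w0rd -> password


def normalize(password: str) -> str:
    """Lower-case, strip non-letter prefix/suffix (123, !@#), undo common leet."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def longest_keyboard_walk(password: str) -> int:
    """Length of the longest run of consecutive, distinct, physically adjacent keys."""
    keys = [KEY_POS.get(ch) for ch in password.lower().translate(SHIFTED_DIGITS)]
    best = run = 1 if keys else 0
    for prev, cur in zip(keys, keys[1:]):
        adjacent = (prev is not None and cur is not None and prev != cur
                    and abs(prev[0] - cur[0]) <= 1 and abs(prev[1] - cur[1]) <= 1)
        run = run + 1 if adjacent else 1
        best = max(best, run)
    return best


def check_password(password: str, min_length: int = 12, max_walk: int = 3) -> List[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in SEEN_LOWER:
        problems.append("is in the brute-force top-10 lists")
    base = normalize(password)
    if base in BASE_WORDS:
        problems.append(f"is a variant of the common base word '{base}'")
    walk = longest_keyboard_walk(password)
    if walk > max_walk:
        problems.append(f"contains a {walk}-key keyboard walk")
    return problems


if __name__ == "__main__":
    for candidate in ["1qaz2wsx", "P@$$w0rd", "Admin123!@#", "correct horse battery staple"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The walk detector maps shifted symbols back to their digit keys before looking at adjacency, so 1qaz@WSX and !QAZ2wsx are caught the same way as 1qaz2wsx; the 1qazXSW@ entry in the second table is a single eight-key walk (down one column, across, and back up the next).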


I hope you use something similar to fail2ban
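For readers who do want fail2ban-style protection, the logic it applies is small enough to show. The script below is an added example, not fail2ban's code or anything from the thread: it parses sshd's "Failed password" lines, counts failures per source address inside a sliding time window (fail2ban's maxretry/findtime idea, with values chosen here), and tallies the usernames being tried. The log lines are constructed in the syslog format sshd writes; the year is supplied by the caller because syslog timestamps omit it.

```python
"""fail2ban-style brute-force detection over sshd auth-log lines (added example
for this thread). The sample log is constructed; thresholds are this example's
own choice, not fail2ban's defaults."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample: one bot hammering root/admin/test, one legitimate user who
# mistypes once and then logs in with a key, plus one late stray failure.
SAMPLE_LOG = """\
Mar 27 11:02:14 bastion sshd[4412]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 27 11:02:16 bastion sshd[4412]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 27 11:02:19 bastion sshd[4415]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 27 11:02:21 bastion sshd[4415]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 27 11:02:24 bastion sshd[4418]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Mar 27 11:02:27 bastion sshd[4418]: Failed password for root from 203.0.113.5 port 51251 ssh2
Mar 27 11:05:02 bastion sshd[4430]: Failed password for alice from 198.51.100.23 port 40111 ssh2
Mar 27 11:05:09 bastion sshd[4430]: Accepted publickey for alice from 198.51.100.23 port 40111 ssh2: RSA SHA256:CONSTRUCTED
Mar 27 11:40:10 bastion sshd[4455]: Failed password for root from 198.51.100.23 port 40200 ssh2
"""

# Matches both 'Failed password for root from ...' and
# 'Failed password for invalid user admin from ...'.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(lines: Iterable[str], year: int = 2014) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, username, source ip) from 'Failed password' lines."""
    out = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out


def find_offenders(lines: Iterable[str], maxretry: int = 5,
                   findtime: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Source IPs with >= maxretry failures inside any findtime window, mapped to
    the moment the threshold was crossed (when fail2ban would insert the ban).
    Lines are expected in time order, as they are in a log file."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for ts, _user, ip in parse_failures(lines):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:      # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned


def top_usernames(lines: Iterable[str], n: int = 3) -> List[Tuple[str, int]]:
    """Most-tried usernames, the same view the commenter keeps of passwords."""
    return Counter(user for _ts, user, _ip in parse_failures(lines)).most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, when in find_offenders(lines).items():
        print(f"ban {ip} (threshold crossed at {when:%H:%M:%S})")
    print("usernames tried:", top_usernames(lines))
```

On a live host the same functions work over `open("/var/log/auth.log")` (or the journal export on systemd systems); the legitimate user's single typo never reaches the threshold, while the bot is flagged on its fifth failure ten seconds into the burst.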


I do not. That would interfere with my experiment. My hosts stand on their own on the Internet. All account passwords are 160-bits. Have at guessing them.


Anybody know what the success rate of those is?

I would pay to know how many people have their password listed in the first TOP 10 list.


Or use signature log in only?


Is it you or openssh that declares two variables on one line (int result, ok)? I hope it's just you, because that's bad practice :-/


For someone here criticizing C style, I'm surprised you can't read unified diffs. The lines starting with " " are context. The lines starting with "+" are the ones the author of the patch added.


That's what I get for reading diffs on a mobile phone at 11PM.

But my concern does stand: OpenSSH does allow for multiple declarations on one line in their style guide.


OpenSSH is in Kernel Normal Form (http://www.openbsd.org/cgi-bin/man.cgi?query=style&section=9) which doesn't have any qualms about it.

Specifically it says: "When declaring variables in functions, declare them sorted by size (largest to smallest), then in alphabetical order; multiple ones per line are okay."


Riiight. Thank you. That answers my question.


From the changelog:

* ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied.

Finally makes canonicalisation /useful/, since before that you would still need to have specialized Host/Match rules (this would make canonicalisation only helpful for ControlPath basically).


LWN has a good article on what's new, for those that prefer a more verbose change log: http://lwn.net/Articles/590870/



