Description of problem:
This is not a bug, but rather a possible security breach vector, for which a 
trivial patch may be applied.

When a user connects and/or attempts login to openssh (any version up through 
4.x AFAIK), whether the username is valid or not, openssh writes the username 
attempted to /var/log/secure (on RedHat in particular, other systems may use 
different filenames depending on the syslog config) -- sounds fine. If, for 
whatever reason, the user logging is is legitimate, and *accidently* enters the 
password instead of the username when prompted for their username (this is 
easily done, e.g. when using PuTTY), then a cleartext password is dropped in 
the syslog! Since the chances are [should be] small of having an account 
password even close to something recognizable as a username, wouldn't it be 
prudent to never write the username given to the syslog, *if* there is no valid 
account on the system? If the account is valid, there should be less of a 
problem with writing a username, as the username should never also be the 
password (of course!). 

Couple with this observation, that if you allow logwatch to send mail daily, 
and you decide to alias
root:     someone
in /etc/aliases, now instead of being *relatively* safe on the local system, a 
cleartext password can be transmitted through email. Ugh!

I suppose the openssh maintainer(s) (Theo) are ultimately responsible for 
enhancing their product as they see fit, however, since there is little chance 
that this "bug report" will be suitably worrisome to plenty of people, I doubt 
any action will be taken on their part. And even if it did, it would not be 
officially backported most likely, thus, users of RHEL will be stuck using an 
sshd which might eventually abet a system compromise -- not likely perhaps for 
most systems, but there's a chance.

I therefore, humbly offer, this trivial (?) patch to be included in the next 
official RHEL release of the OpenSSH package:

## cut here

--- openssh-3.6.1p2/auth.c      2003-01-18 00:24:06.000000000 -0500
+++ openssh-3.6.1p2/NEWauth.c   2005-05-31 10:47:43.000000000 -0400
@@ -263,7 +263,7 @@
            authmsg,
            method,
            authctxt->valid ? "" : "illegal user ",
-           authctxt->user,
+           authctxt->valid ? authctxt->user : "UNKNOWN",
            get_remote_ipaddr(),
            get_remote_port(),
            info);
@@ -494,8 +494,8 @@

        pw = getpwnam(user);
        if (pw == NULL) {
-               log("Illegal user %.100s from %.100s",
-                   user, get_remote_ipaddr());
+               log("Illegal user UNKNOWN from %.100s",
+                   get_remote_ipaddr());
 #ifdef WITH_AIXAUTHENTICATE
                loginfailed(user,
                    get_canonical_hostname(options.verify_reverse_mapping),


## cut here

this will keep from happening to you, what happened to me, using putty when I 
was tired ;)


Version-Release number of selected component:
openssh-3.6.1p2-33.30.4


How reproducible:
Every time

Steps to Reproduce:
1. Login to sshd with PuTTY
2. Give the cleartext password when prompted "login as: " rather than the 
expected username
3. tail /var/log/secure

Actual results:
The cleartext password is written to /var/log/secure AND when logwatch runs 
next time, the cleartext password is sent to root (and whoever else root is 
aliased to!!)

Expected results:
These are expected, but not desirable (at least not to me) results.

Additional info:
This is truly an openssh "bug", but I don't have the intestinal fortitude to 
get into an argument with Theo (who I respect greatly!) about why this is/is 
not a big deal.

If in fact the syslog file has sufficiently stingy permissions, and you never 
mail excerpts of it off-system, then this is all far from critical. But since 
there is logwatch on RHEL, I think it's quite appropriate to address this issue.

Note that this patch *only* changes the logging behavior when the login name 
does not exist in the system passwd database. In that case, instead of

May 31 11:00:12 RHEL-3 sshd[10275]: Illegal user YourPassword from 10.2.3.4
May 31 11:00:17 RHEL-3 sshd[10275]: Failed password for illegal user 
YourPassword from 10.2.3.4 port 63377 ssh2

you get:

May 31 11:00:12 RHEL-3 sshd[10275]: Illegal user UNKNOWN from 10.2.3.4
May 31 11:00:17 RHEL-3 sshd[10275]: Failed password for illegal user UNKNOWN 
from 10.2.3.4 port 63377 ssh2

Existing /etc/passwd users get their name logged just the same as always. 
(Maybe I should be paranoid and worry about that too? Naa!)