Is your SSH password revealed when you attempt to connect to the wrong server?

Simply put: yes

More detail...

If you connect to my machine then you don't know if I'm running a normal ssh server, or one that has been modified to write out the password being passed.

Further, I wouldn't necessarily need to modify sshd, but could write a PAM module (e.g. using pam_script), which will be passed your password.

So, yes. NEVER send your password to an untrusted server. The owner of the machine could easily have configured it to log all attempted passwords.

(In fact this isn't uncommon in the infosec world; set up a honeypot server to log the passwords attempted)


Yes.

The password is sent after the encrypted connection is established, but the remote server gets the password in plaintext.

If you care about that, the best and easiest solution is to use SSH keys.

If you have machines that cannot accept keys, then one solution would be to create a tool that stores your passwords safely, and then uses sshpass to always send the correct password depending on the server you're connecting to.
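The two mitigations in this answer (keys wherever possible, and never letting a password go to a host whose identity is not pinned) are client-side `ssh_config` settings. The following is an added example, not part of the answer above and not OpenSSH code: a small audit that resolves the options `ssh` would use for a hostname (first obtained value wins, as in `ssh_config(5)`) and reports the combinations that let a password reach an unverified server. The two config texts are constructed samples, the defaults mirror `ssh_config(5)`, and the function names are mine.

```python
"""Audit an OpenSSH client config for settings that let a password reach an
unverified host.  Added example (not from the answer above); the two configs
are constructed samples and the defaults mirror ssh_config(5)."""
import fnmatch
import re

# ssh_config(5) defaults for the keywords this audit looks at (lower-cased keys).
DEFAULTS = {
    "stricthostkeychecking": "ask",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "userknownhostsfile": "~/.ssh/known_hosts ~/.ssh/known_hosts2",
}
# Older OpenSSH spelled KbdInteractiveAuthentication as ChallengeResponseAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_ssh_config(text):
    """Split an ssh_config into (host_patterns, options) blocks in file order.
    Options before the first Host line land in an implicit 'Host *' block."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # comments and blank lines
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)    # 'Keyword value' or 'Keyword=value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([], {}))   # Match criteria are not evaluated here: block is ignored
        else:
            blocks[-1][1].setdefault(key, value)  # first occurrence in a block wins, as in ssh
    return blocks


def host_matches(patterns, hostname):
    """ssh(1) semantics: a negated pattern (!foo) vetoes; any positive pattern matches."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in patterns if not p.startswith("!"))


def effective_options(blocks, hostname):
    """Resolve the options ssh would use for hostname: first obtained value wins."""
    opts = {}
    for patterns, block_opts in blocks:
        if host_matches(patterns, hostname):
            for key, value in block_opts.items():
                opts.setdefault(key, value)
    return {**DEFAULTS, **opts}


def audit_host(blocks, hostname):
    """Return (keyword, message) findings for the ways a password could be
    handed to a server whose identity has not been pinned."""
    o = {key: value.lower() for key, value in effective_options(blocks, hostname).items()}
    findings = []
    strict = o["stricthostkeychecking"]
    if strict in ("no", "off", "accept-new"):
        findings.append(("StrictHostKeyChecking",
                         f"set to {strict}: ssh connects to hosts whose key it has never seen"))
    if "/dev/null" in o["userknownhostsfile"]:
        findings.append(("UserKnownHostsFile",
                         "/dev/null: host keys are never remembered, so every server looks new"))
    if o["pubkeyauthentication"] == "no":
        findings.append(("PubkeyAuthentication",
                         "disabled: a password is the only credential ssh can offer"))
    password_possible = "yes" in (o["passwordauthentication"], o["kbdinteractiveauthentication"])
    if password_possible and strict != "yes":
        findings.append(("PasswordAuthentication",
                         "a password may be offered, and the host key is not strictly pinned"))
    return findings


# Constructed sample: convenient, but a mistyped hostname hands the password to whoever answers.
WEAK_CONFIG = """
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    PasswordAuthentication yes

Host legacy-box
    HostName 192.0.2.10
    PubkeyAuthentication no
"""

# Constructed sample: keys everywhere; the one password-only host comes first and keeps its key pinned.
HARDENED_CONFIG = """
# exception: this box cannot take keys, so its host key must be in known_hosts already
Host legacy-box
    HostName 192.0.2.10
    PasswordAuthentication yes

# unknown or changed key => no connection, so no password is ever sent
Host *
    StrictHostKeyChecking yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    IdentitiesOnly yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        blocks = parse_ssh_config(cfg)
        for host in ("legacy-box", "prod.example.com"):
            print(f"[{name}] {host}:")
            for keyword, msg in audit_host(blocks, host) or [("ok", "no findings")]:
                print(f"   {keyword}: {msg}")
```

In the hardened sample the `legacy-box` exception still passes the audit: a password is allowed there, but `StrictHostKeyChecking yes` means a mistyped hostname (or a machine answering with a different key) is refused before any authentication starts, so the password never leaves the client. Block order matters because `ssh` keeps the first value it obtains, which is why the host-specific block comes before `Host *`.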


Now, the reason the password is sent in plaintext is that it leaves all decisions of handling and storing it to the remote end, and the client can be totally dumb. There are a couple of different password hashing (storage) formats used in Linux and BSD systems during the last ten years or so (crypt(3)), none of which require support from the client.

Though that's partly because of history, too (i.e. it's always been like that). There are better challenge-response authentication protocols that could be used even with passwords. For example SRP, that provides the parties with a shared secret during the authentication. It has been implemented for some SSH servers, but the patch for OpenSSH is for a (very) old version.
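To make the SRP point concrete, here is an added example in Python (not OpenSSH code, and not the patch the answer refers to) of a toy SRP-6a exchange following the RFC 5054 message flow. The modulus `2**255 - 19` is a constructed choice for the demo (prime, but not a safe prime, so not a real SRP group); the class and function names are mine. What it shows is the contrast with SSH password authentication: the server stores only a salt and a verifier, the password itself is never transmitted, and a server that does not hold the real verifier can test at most one password guess per connection rather than reading the password off the wire.

```python
"""Toy SRP-6a exchange following the RFC 5054 message flow.

Added example, not OpenSSH code and not the patch the answer mentions.  The
modulus below is a constructed choice for the demo (prime, but not a safe
prime, so not a real SRP group); the class and function names are mine."""
import hashlib
import secrets

N = 2**255 - 19                  # TOY modulus; use an RFC 5054 group in practice
g = 2
NBYTES = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over ints (fixed-width big-endian) and byte strings, returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NBYTES, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)                      # SRP-6a multiplier parameter


def private_x(salt, username, password):
    """x = H(s | H(I ':' P)); only ever computed on the client side."""
    return H(salt, hashlib.sha256(username + b":" + password).digest())


def enroll(username, password):
    """Enrolment: the client derives (salt, verifier); only these reach the server."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


class Server:
    """Holds only salt + verifier per user; the password never exists here."""
    def __init__(self, users):
        self.users = users       # {username: (salt, verifier)}

    def challenge(self, username, A):
        if A % N == 0:
            raise ValueError("degenerate A from client")
        salt, v = self.users[username]
        self.A, self.v = A, v
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * v + pow(g, self.b, N)) % N
        return salt, self.B

    def verify(self, M1):
        u = H(self.A, self.B)
        if u == 0:
            raise ValueError("degenerate u")
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        self.K = H(S)
        if M1 != H(self.A, self.B, self.K):
            return None          # wrong password: refuse, and learn nothing about it
        return H(self.A, M1, self.K)   # M2 proves the server really held the verifier


class Client:
    def __init__(self, username, password):
        self.I, self.P = username, password
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)

    def respond(self, salt, B):
        if B % N == 0:
            raise ValueError("degenerate B from server")
        u = H(self.A, B)
        x = private_x(salt, self.I, self.P)
        # (B - k*g^x) == g^b, so S == g^(b*(a + u*x)) on both sides when x matches v
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = H(S)
        self.M1 = H(self.A, B, self.K)
        return self.M1

    def check_server(self, M2):
        return M2 is not None and M2 == H(self.A, self.M1, self.K)


def run_exchange(server, client):
    """Three messages: (I, A) -> (s, B) -> M1 -> M2.  True only if both sides agree on K."""
    salt, B = server.challenge(client.I, client.A)
    M1 = client.respond(salt, B)
    return client.check_server(server.verify(M1))


if __name__ == "__main__":
    salt, v = enroll(b"alice", b"correct horse battery staple")
    good = Server({b"alice": (salt, v)})
    print("right password:", run_exchange(good, Client(b"alice", b"correct horse battery staple")))
    print("wrong password:", run_exchange(good, Client(b"alice", b"hunter2")))
```

Nothing the client sends (`A`, then `M1`) contains the password or `x`; a server holding the wrong verifier (the "wrong server" of the question) gets a failed exchange and, at best, confirmation that one guess it committed to in `B` was wrong. That is the property the plaintext password method in SSH lacks, which is exactly why the answer above says to never send a password to an untrusted server.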


To build on top of Stephen Harris's answer, here is a real-time view I built that shows what a modified PAM auth script would be able to capture when connecting to a box over ssh (a honeypot of sorts). I use a modified version of the PAM library lib-storepw.

https://livesshattack.net

https://livesshattack.net/about

Tags: ssh, password