On 07.02.2002 13:54:15, Mark Ruth wrote:
> My guesses: pam.d/sshd was changed when activating MD5 passwords (>8 characters); ssh*_config were changed by myself; ssh, hmmm... As one can change file permissions (easy, local, secure), is it possible that after an installation the default permissions and groups are overridden by a script that sets the chosen values?
My guesses for ssh: you installed an update with rpm -i instead of rpm -U, or a script such as harden_suse changed the attributes.
> By the way, it's ssh, not sshd. An attacker would exchange the daemon to get in. Are you sure?

> He would _probably_ exchange the daemon or install a second one listening on a different port. In that case sshd is untouched. Why not modify ssh to log passwords?
Ack. According to the honeypot doc (the link was in the last mail) you could examine ssh using 'strings ssh | less' for suspicious content, and sniff the network traffic when using ssh (at login time) with tcpdump. Another fine idea could be to 'strace ssh' to look for a file that will contain the sniffed passwords. But, as I wrote, a script like harden_suse could change those attributes.

Michael Appeldorn
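The two checks suggested in this thread, tracing ssh to find the file that receives the sniffed passwords and scanning the binary's strings for suspicious content, as a small set of shell helpers. This is an added example, not code from the thread or from the honeypot documentation it refers to. It assumes GNU strace's line format for open/openat/creat calls and treats the allow-list of "expected" writes and the string patterns as heuristics; the strace and strings output it runs on is constructed here for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a possibly trojaned
# ssh client, driven by strace(1) and strings(1) output on stdin.
# Assumption: GNU strace formatting such as
#   openat(AT_FDCWD, "/path", O_WRONLY|O_CREAT|O_APPEND, 0600) = 5
# The sample outputs below are constructed, not captured from a real host.

# Files the traced process opened for writing or creating (successful calls only).
# Usage: strace -f -e trace=open,openat,creat -o ssh.trace ssh user@host
#        write_targets < ssh.trace
write_targets() {
    grep -E '^(\[pid +[0-9]+\] +)?(open|openat|creat)\(' \
    | grep -E 'creat\(|O_WRONLY|O_RDWR|O_APPEND|O_CREAT' \
    | grep -Ev '= -1 ' \
    | sed -E 's/^[^"]*"([^"]+)".*$/\1/' \
    | sort -u
}

# Heuristic allow-list of writes a stock ssh client is expected to make
# (terminal, its own temp sockets, known_hosts). Anything else deserves a look:
# a password-logging trojan has to put the captured credentials somewhere.
unexpected_write_targets() {
    write_targets | grep -Ev '^(/dev/|/tmp/ssh-|.*/\.ssh/known_hosts$)'
}

# Strings in the binary that look like hidden path components, files under
# world-writable temp directories, or mention logging passwords.
# Heuristic: legitimate matches need review; ~/.ssh/ itself is excluded.
# Usage: strings /usr/bin/ssh | suspicious_strings
suspicious_strings() {
    grep -Ei '/\.[^/]+|/(tmp|var/tmp|dev/shm)/|log.*pass|pass.*log' \
    | grep -Ev '\.ssh(/|$)'
}

# Constructed sample strace output: one expected append to known_hosts, one
# hidden log file under /usr/lib, and one failed open that must be ignored.
SAMPLE_TRACE='openat(AT_FDCWD, "/etc/ssh/ssh_config", O_RDONLY) = 3
openat(AT_FDCWD, "/dev/tty", O_RDWR) = 4
openat(AT_FDCWD, "/root/.ssh/known_hosts", O_WRONLY|O_CREAT|O_APPEND, 0600) = 5
openat(AT_FDCWD, "/usr/lib/.sshlog", O_WRONLY|O_CREAT|O_APPEND, 0600) = 6
openat(AT_FDCWD, "/var/log/nope", O_WRONLY|O_CREAT, 0600) = -1 EACCES (Permission denied)'

# Constructed sample strings output mixing normal ssh strings with two odd paths.
SAMPLE_STRINGS='/etc/ssh/ssh_config
%s/.ssh/known_hosts
/usr/lib/.sshlog
user=%s pass=%s
Enter passphrase for key '"'"'%s'"'"':
/var/tmp/.X1'

# Demonstration on the constructed samples; replace with real strace/strings output.
echo "unexpected write targets:"
printf '%s\n' "$SAMPLE_TRACE" | unexpected_write_targets
echo "suspicious strings:"
printf '%s\n' "$SAMPLE_STRINGS" | suspicious_strings
```

Run the trace with -f so a forked helper that does the actual logging is not missed, and compare the candidate file's mtime with the login time; tcpdump during the same login shows whether the trojan also ships the credentials over the network instead of, or in addition to, writing them locally.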