tl;dr

This article shows how to patch OpenSSHd to expose passwords, e.g. for recovering SFTP passwords from Broadcom’s Automic® Automation (formerly UC4). The OpenSSH patch for logging passwords is available in my GitHub gist.

Building a patched OpenSSHd

This is a follow-up to the article "A chatty SSH Server with Apache Mina or: how to recover SFTP passwords from Automic/UC4". Read it if you want to learn more about the use case that inspired me to write this article.

Here, we will dive directly into creating a custom OpenSSHd Docker image. Create a Dockerfile:

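# Pinned to Ubuntu 20.04, which ships the openssh-8.2p1 source tree that the cd below expects
FROM ubuntu:20.04

RUN sed -i -e 's/^# deb-src/deb-src/' /etc/apt/sources.list && \
    apt-get update && \
    apt-get upgrade --assume-yes && \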
    DEBIAN_FRONTEND=noninteractive apt-get install --assume-yes --no-install-recommends tzdata && \
    apt-get build-dep --assume-yes openssh-server && \
    apt-get install --assume-yes build-essential fakeroot devscripts && \
    mkdir src && cd src && \
    apt-get source openssh-server && \
    cd openssh-8.2p1/ && \
    sed -e 's/^\([ \t]*\)\(struct passwd \*pw = authctxt->pw;\)/\1logit("Login attempt by username '\''%s'\'', password '\''%s'\''", authctxt->user, password);\n\1\2/' -i auth-passwd.c && \
    debchange --nmu 'add verbose logging of usernames and passwords' && \
    EDITOR=true dpkg-source --commit . 'chatty-ssh.patch' && \
    debuild -us -uc -i -I && \
    apt-get install --assume-yes putty-tools python3-twisted && \
    debi && \
    mkdir /run/sshd && \
    cd && rm -rf /src && \
    apt-get clean && \
    apt-get autoremove --assume-yes

# We don't need actual users for achieving our goals of logging login attempts
# If you need that, add a proper ENTRYPOINT script

EXPOSE 22

# -D: run in foreground
# -e: write debug logs to stderr instead of syslog
CMD ["/sbin/sshd", "-D", "-e"]

In case you’ve missed it: we download the source code of openssh-server via apt, use sed to insert a logit() call into auth-passwd.c that logs the username and password, and then rebuild and install the patched package.

Build it:

docker build -t 'chatty-sshd' .

Start the chatty server, e.g. with:

docker run --detach --publish 2222:22 --name dummy-sshd chatty-sshd

Make a connection attempt

From a separate terminal, try to connect:

$ ssh -p 2222 dummy@localhost
The authenticity of host '[localhost]:2222 ([::1]:2222)' can't be established.
ECDSA key fingerprint is SHA256:wcFzzTOtCt2Eg7os2LN2ajWGIuXom40TuAVcyz/uw0Q.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:2222' (ECDSA) to the list of known hosts.
dummy@localhost's password: 
Permission denied, please try again.
dummy@localhost's password: 

You should now see the username and password in the output of docker logs dummy-sshd.

$ docker logs dummy-sshd
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
Invalid user dummy from 172.17.0.1 port 54628
Login attempt by username 'dummy', password 'test'
Failed password for invalid user dummy from 172.17.0.1 port 54628 ssh2
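
To pull the logged pairs out of that output, the following added example (not part of the original article or the gist) parses the line format produced by the inserted logit() call and pairs each attempt with the sshd result line that follows it. The helper name parse_attempts and the last two sample lines are assumptions constructed for illustration.

```python
import re

# Line written by the logit() call that the Dockerfile's sed inserts.
# User is matched lazily and password greedily, so a password containing
# single quotes is still captured up to the final closing quote.
ATTEMPT = re.compile(r"^Login attempt by username '(?P<user>.*?)', password '(?P<password>.*)'$")
# Stock sshd result line that follows an attempt and carries the peer address.
RESULT = re.compile(r"^(?P<status>Failed|Accepted) password for (?:invalid user )?"
                    r"(?P<user>.*) from (?P<addr>\S+) port (?P<port>\d+)")

def parse_attempts(lines):  # hypothetical helper name
    """Return one dict per logged attempt, paired with the result line after it."""
    attempts, pending = [], None
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = ATTEMPT.match(line)
        if m:
            pending = {"user": m["user"], "password": m["password"],
                       "addr": None, "port": None, "status": None}
            attempts.append(pending)
            continue
        m = RESULT.match(line)
        # Only attach the result to the attempt directly before it, same user.
        if m and pending is not None and m["user"] == pending["user"]:
            pending.update(addr=m["addr"], port=int(m["port"]), status=m["status"])
            pending = None
    return attempts

# First five lines are the article's output; the last two are constructed
# to exercise a password that contains single quotes.
SAMPLE = """\
Server listening on 0.0.0.0 port 22.
Server listening on :: port 22.
Invalid user dummy from 172.17.0.1 port 54628
Login attempt by username 'dummy', password 'test'
Failed password for invalid user dummy from 172.17.0.1 port 54628 ssh2
Login attempt by username 'dummy', password 'it's a 'quoted' one'
Failed password for invalid user dummy from 172.17.0.1 port 54630 ssh2
"""

if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE.splitlines()):
        print(attempt)
```

Because sshd runs with -e and logs to stderr, capture the container output with docker logs dummy-sshd 2>&1 before passing its lines to parse_attempts().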

Clean up your system

Stop the server:

docker stop dummy-sshd

Remove it:

docker rm dummy-sshd

Post header background image by Gosia K. from Pixabay.


