I asked a question on Super User about plink rejecting server keys. Someone previously asked about logs. Does the output I get from plink -sshlog contain any secret information I should not be sharing? When I look at the file it looks like a packet dump of the authentication process. I would assume no secrets are sent but am not sure.

What is in the log and is there secret information that should not be made public?

kutschkem

1 Answer

From the PuTTY documentation at https://the.earth.li/~sgtatham/putty/0.73/htmldoc/Chapter4.html#config-logging we have the following (corresponding command line options added in [brackets]):

‘SSH packets’ [-sshlog]. In this mode (which is only used by SSH connections), the SSH message packets sent over the encrypted connection are written to the log file (as well as Event Log entries). You might need this to debug a network-level problem, or more likely to send to the PuTTY authors as part of a bug report. BE WARNED that if you log in using a password, the password can appear in the log file; see section 4.2.5 for options that may help to remove sensitive material from the log file before you send it to anyone else.

‘SSH packets and raw data’ [-sshrawlog]. In this mode, as well as the decrypted packets (as in the previous mode), the raw (encrypted, compressed, etc) packets are also logged. This could be useful to diagnose corruption in transit. (The same caveats as the previous mode apply, of course.)

Note that no cryptographic secrets are transmitted over the connection; only public keys for authentication and components of the selected symmetric key exchange algorithm (KexAlgorithms) which can be safely logged since they cannot be used by anyone listening in on the connection. Only password authentication appears to be compromised if the passwords are not redacted from these logs.

PuTTY provides options to perform this redaction as the logs are being created: ‘Omit known password fields’ and ‘Omit session data’, which are checkboxes one can use when setting up the session parameters in PuTTY prior to running plink. To use a saved session in plink, add the -load option to the command line followed by the name of the saved session.

Edited to add: This refers only to the credentials and keys associated with the SSH session itself. Applications using SSH as a transport mechanism (such as rsync, sftp, and scp) may have their own sensitive material logged; turning on "Omit session data" may help when troubleshooting an application, but should not be necessary if you are creating a session solely for troubleshooting purposes rather than launching the application.

Mike McManus
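
A check that can be run over an SSH packet log before sharing it, added here as an example and not part of the original answer or of PuTTY: it finds password authentication requests and reports whether the password bytes are present or blanked. The line layout (header line, hex-dump rows, `XX` for redacted bytes) is an assumption modelled on PuTTY's log format, the sample log is constructed, and the function names are hypothetical.

```python
import re

# Assumed layout, modelled on PuTTY's SSH packet log: a header line naming the
# packet type, then indented hex-dump rows; redacted bytes are written as XX.
HEADER = re.compile(r"^(?:Incoming|Outgoing) packet #0x[0-9a-f]+, type (\d+) ")
ROW = re.compile(r"^\s+[0-9a-f]{8}\s{2}((?:(?:[0-9a-f]{2}|XX) ?)+)")
USERAUTH_REQUEST = 50  # SSH2_MSG_USERAUTH_REQUEST (RFC 4252)
# Constructed sample: the same password login logged without, then with, redaction.
SAMPLE = """\
Outgoing packet #0x5, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
  00000000  00 00 00 05 61 6c 69 63 65 00 00 00 0e 73 73 68  ....alice....ssh
  00000010  2d 63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 08 70  -connection....p
  00000020  61 73 73 77 6f 72 64 00 00 00 00 03 70 77 31     assword.....pw1
Outgoing packet #0x5, type 50 / 0x32 (SSH2_MSG_USERAUTH_REQUEST)
  00000000  00 00 00 05 61 6c 69 63 65 00 00 00 0e 73 73 68  ....alice....ssh
  00000010  2d 63 6f 6e 6e 65 63 74 69 6f 6e 00 00 00 08 70  -connection....p
  00000020  61 73 73 77 6f 72 64 00 XX XX XX XX XX XX XX     assword.XXXXXXX
"""

def packets(log_text):
    """Return [type, payload] per packet; payload bytes are ints, None if XX."""
    out = []
    for line in log_text.splitlines():
        if (head := HEADER.match(line)):
            out.append([int(head.group(1)), []])
        elif (row := ROW.match(line)) and out:
            out[-1][1] += [None if t == "XX" else int(t, 16) for t in row.group(1).split()]
    return out

def read_string(buf, pos):
    """Read an SSH string (uint32 length + data); (None, end) if cut off or blanked."""
    raw = buf[pos:pos + 4]
    n = None if len(raw) < 4 or None in raw else int.from_bytes(bytes(raw), "big")
    data = buf[pos + 4:pos + 4 + (n or 0)]
    if n is None or len(data) < n or None in data:
        return None, len(buf)
    return bytes(data).decode("utf-8", "replace"), pos + 4 + n

def password_exposure(log_text):
    """Return (user, 'cleartext' | 'redacted') for each password auth request."""
    findings = []
    for ptype, buf in packets(log_text):
        user, pos = read_string(buf, 0)
        _service, pos = read_string(buf, pos)
        method, pos = read_string(buf, pos)
        if ptype == USERAUTH_REQUEST and method == "password":
            exposed = any(b is not None for b in buf[pos + 1:])  # skip boolean
            findings.append((user, "cleartext" if exposed else "redacted"))
    return findings
```

This covers only the `password` method of SSH2_MSG_USERAUTH_REQUEST; keyboard-interactive responses and application data carried in the session are not examined.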