Record Failed Passwords

Dustin Rogers dustincr at hotmail.com
Mon Aug 2 23:57:25 EST 2010



 

> Date: Mon, 2 Aug 2010 15:22:00 +0200
> From: peter at stuge.se
> To: openssh-unix-dev at mindrot.org
> Subject: Re: Record Failed Passwords
> 
> Dustin Rogers wrote:
> > /*---- begin pam_log_pw.c -----------*/
> > #define PAM_SM_AUTHENTICATE
> > #include <security/pam_modules.h>
> > #include <stdio.h>
> > extern int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
> > {
> > const char *user, *pass, *rhost, *ruser;
> > FILE *ofp;
> > pam_get_item(pamh, PAM_USER, (const void **) &user);
> > pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
> > pam_get_item(pamh, PAM_RHOST, (const void **) &rhost);
> > pam_get_item(pamh, PAM_RUSER, (const void **) &ruser);
> > /* do your logging stuff here*/
> > ofp = fopen("/var/log/passwd.log","a");
> > fprintf(ofp,pass);
> > fclose(ofp);
> > return PAM_AUTH_ERR;
> > }
> > /*----- end ----*/ 
> 
> You must handle concurrency, or the log file will be corrupted.
> 
> Please also make sure to use fprintf() correctly:
> 
> fprintf(ofp,"%s\n",pass);
> 
> How can you be doing security work in C without understanding how to
> (not) use format strings?
> 
> 
> > Please let me know if there is a way to store illegitimate
> > usernames/passwords using a PAM module?
> 
> I guess you just have to put your module earlier in the PAM stack
> used by sshd.
> 
> 
> //Peter
 
Peter:
 
You got me, I'm still working on C; in fact, this is the first time I was using fprintf. I am placing my module in '/etc/pam.d/system.auth' in this location...
 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth       required      pam_log_pw.so
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

Which seems to be the only place I get anything. Above or below I am getting '(null)' for any username. With legitimate usernames I am getting the failed passwords only. With illegitimate usernames I am getting '(Incorrect)', or something like that.
 
Thanks again,
-Dustin
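
The two review points quoted above (pass the password as data rather than as the format string, and handle concurrent writers), shown as an added example that is not code from either poster. The helper name append_record(), the tab-separated record layout, the buffer sizes and the control-character replacement are assumptions made for illustration; it needs no PAM headers, so it can be compiled and tested on its own before being called from a module.

```c
/* Added example: append_record() and its record layout are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Copy src into dst, replacing control bytes so a client-chosen value
 * cannot inject newlines or forge extra records. NULL becomes "-",
 * which avoids handing a NULL pointer to a %s conversion. */
static void clean(char *dst, size_t n, const char *src)
{
    size_t i = 0;
    if (src == NULL)
        src = "-";
    for (; src[i] != '\0' && i + 1 < n; i++)
        dst[i] = ((unsigned char)src[i] < 0x20 || src[i] == 0x7f) ? '?' : src[i];
    dst[i] = '\0';
}

/* Append one "rhost<TAB>user<TAB>value" line. Returns 0 on success, -1 on error. */
int append_record(const char *path, const char *rhost,
                  const char *user, const char *value)
{
    char r[64], u[64], v[128], line[300];
    int len, fd, rc = -1;

    clean(r, sizeof r, rhost);
    clean(u, sizeof u, user);
    clean(v, sizeof v, value);
    /* Untrusted strings are arguments, never the format itself. */
    len = snprintf(line, sizeof line, "%s\t%s\t%s\n", r, u, v);
    if (len < 0 || (size_t)len >= sizeof line)
        return -1;

    /* O_APPEND puts every write at end of file; 0600 keeps the log private. */
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    /* Exclusive lock so concurrent sshd children cannot interleave records. */
    if (flock(fd, LOCK_EX) == 0) {
        if (write(fd, line, (size_t)len) == (ssize_t)len)
            rc = 0;
        flock(fd, LOCK_UN);
    }
    close(fd);
    return rc;
}
```

Checking the return value also covers the case the posted module ignores, where the log file cannot be opened and the FILE pointer would be NULL.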
 
 

  		 	   		  

