Record Failed Passwords

Christian Pfaffel-Janser christian.pfaffel-janser at siemens.com
Tue Aug 3 16:36:22 EST 2010


>  
> Hello Fellow SSHers:
>  
> I hope I am emailing this correctly. I implemented the shared object above...works pretty nice except AUTHTOK only takes the value of the passwords for legitimate users. Is there a way to get the failed passwords for all users? I too am a graduate student, except at St. Cloud State University, looking at Brute-Force SSH attacks. I would also be using this as a honeypot on a non-production public IP address. Therefore, the illegitimate usernames/passwords would be of the most value.
>  
> Here is the shared object code from Christian as I modified it....
>  
> /*---- begin pam_log_pw.c -----------*/
> #define PAM_SM_AUTHENTICATE
> #include <security/pam_modules.h>
> #include <stdio.h>
> extern int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
> {
>     const char *user = NULL, *pass = NULL, *rhost = NULL, *ruser = NULL;
>     FILE *ofp;
>     pam_get_item(pamh, PAM_USER, (const void **) &user);
>     pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
>     pam_get_item(pamh, PAM_RHOST, (const void **) &rhost);
>     pam_get_item(pamh, PAM_RUSER, (const void **) &ruser);
>     /* do your logging stuff here*/
>     ofp = fopen("/var/log/passwd.log","a");
>     if (ofp != NULL) {
>         /* the password is remote input: never pass it as the format string */
>         fprintf(ofp, "%s\n", pass ? pass : "(null)");
>         fclose(ofp);
>     }
>     return PAM_AUTH_ERR;
> }
> /*----- end ----*/
>  
>  
> Please let me know if there is a way to store illegitimate usernames/passwords using a PAM module?
>  
> Thank you for your time and code!
> -Dustin Rogers
> Student Network Admin
> Computer Network Research Center, SCSU
>  
> 
Hi Dustin,

You might want to add something like this and call it prior to pam_get_item.
Untested function for getting pw and login follows:

----------------------------------------------------

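#include <stdlib.h>
#include <security/pam_modules.h>

/* CONST_ARG is not defined in this mail; Linux-PAM and OpenPAM use const here */
#ifndef CONST_ARG
#define CONST_ARG const
#endif

/* Prompt through the application's conversation function and store the
   reply as PAM_USER (login != 0) or PAM_AUTHTOK (login == 0). */
int get_login_or_pw(pam_handle_t * pamh, int login)
{
  int rc;
  struct pam_message msg[1], *pmsg[1];
  struct pam_response *resp;
  struct pam_conv *conv;

  pmsg[0] = &msg[0];
  msg[0].msg_style = login ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
  msg[0].msg = login ? "Login: " : "Password: ";
  resp = NULL;
  conv = NULL;

  rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &conv);
  if (rc != PAM_SUCCESS)
      return rc;
  if (conv == NULL || conv->conv == NULL)
      return PAM_CONV_ERR;

  rc = conv->conv (1, (CONST_ARG struct pam_message **) pmsg,
                   &resp, conv->appdata_ptr);
  if (rc != PAM_SUCCESS)
      return rc;
  if (resp == NULL)
      return PAM_CONV_ERR;
  if (resp[0].resp == NULL)
    {
      free (resp);
      return PAM_CONV_ERR;
    }

  /* pam_set_item stores its own copy of the string, so the reply
     buffer has to be freed here or it leaks */
  rc = pam_set_item (pamh, login ? PAM_USER : PAM_AUTHTOK, resp[0].resp);
  free (resp[0].resp);
  free (resp);
  return rc;
}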

-------------------------------------------------------------------

Hth

Christian



-- 
Company: Siemens Aktiengesellschaft Österreich
Legal form: Aktiengesellschaft (stock corporation)
Registered office: Vienna, commercial register number: FN 60562 m
Commercial register court: Handelsgericht Wien, DVR: 0001708


