Record Failed Passwords
Christian Pfaffel-Janser
christian.pfaffel-janser at siemens.com
Tue Aug 3 16:36:22 EST 2010
>
> Hello Fellow SSHers:
>
> I hope I am emailing this correctly. I implemented the shared object above...works pretty nice except AUTHTOK only takes the value of the passwords for legitimate users. Is there a way to get the failed passwords for all users? I too am a graduate student, except at St. Cloud State University, looking at Brute-Force SSH attacks. I would also be using this as a honeypot on a non-production public IP address. Therefore, the illegitimate usernames/passwords would be of the most value.
>
> Here is the shared object code from Christian as I modified it....
>
> /*---- begin pam_log_pw.c -----------*/
> #define PAM_SM_AUTHENTICATE
> #include <security/pam_modules.h>
> #include <stdio.h>
> extern int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
> {
>     /* Initialised so a failed pam_get_item() leaves NULL, not garbage */
>     const char *user = NULL, *pass = NULL, *rhost = NULL, *ruser = NULL;
>     FILE *ofp;
>     pam_get_item(pamh, PAM_USER, (const void **) &user);
>     pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
>     pam_get_item(pamh, PAM_RHOST, (const void **) &rhost);
>     pam_get_item(pamh, PAM_RUSER, (const void **) &ruser);
>     /* do your logging stuff here*/
>     ofp = fopen("/var/log/passwd.log","a");
>     if (ofp != NULL) {
>         /* pass is chosen by the remote client: write it as data,
>            one per line, never as the format string */
>         fprintf(ofp, "%s\n", pass != NULL ? pass : "");
>         fclose(ofp);
>     }
>     return PAM_AUTH_ERR;
> }
> /*----- end ----*/
>
>
> Please let me know if there is a way to store illegitimate usernames/passwords using a PAM module?
>
> Thank you for your time and code!
> -Dustin Rogers
> Student Network Admin
> Computer Network Research Center, SCSU
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
Hi Dustin,
You might want to add something like this and call it prior to pam_get_item.
Untested function for getting pw and login follows:
----------------------------------------------------
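#include <stdlib.h>
#include <string.h>
#include <security/pam_modules.h>

/* CONST_ARG is not defined in this snippet; Linux-PAM prototypes
   take const pointers, so default to that */
#ifndef CONST_ARG
#define CONST_ARG const
#endif

int get_login_or_pw(pam_handle_t * pamh, int login)
{
    int rc;
    struct pam_message msg[1], *pmsg[1];
    struct pam_response *resp;
    struct pam_conv *conv;

    pmsg[0] = &msg[0];
    msg[0].msg_style = login ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
    msg[0].msg = login ? "Login: " : "Password: ";
    resp = NULL;
    conv = NULL;

    /* fetch the application's conversation function */
    rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &conv);
    if (rc != PAM_SUCCESS)
        return rc;
    if (conv == NULL || conv->conv == NULL)
        return PAM_CONV_ERR;

    /* prompt the client for the login name or the password */
    rc = conv->conv (1, (CONST_ARG struct pam_message **) pmsg,
                     &resp, conv->appdata_ptr);
    if (rc != PAM_SUCCESS)
        return rc;
    if (resp == NULL)
        return PAM_CONV_ERR;

    rc = pam_set_item (pamh, login ? PAM_USER : PAM_AUTHTOK, resp[0].resp);

    /* Linux-PAM and OpenPAM copy the item in pam_set_item(), so the
       response string is wiped and freed here instead of being leaked */
    if (resp[0].resp != NULL)
    {
        memset (resp[0].resp, 0, strlen (resp[0].resp));
        free (resp[0].resp);
        resp[0].resp = NULL;
    }
    free (resp);
    return rc;
}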
-------------------------------------------------------------------
Hth
Christian
--
Company: Siemens Aktiengesellschaft Österreich
Legal form: Aktiengesellschaft (stock corporation)
Registered office: Vienna, Commercial register number: FN 60562 m
Commercial register court: Handelsgericht Wien, DVR: 0001708
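
Added example, not part of either message in this thread: a honeypot log receives strings chosen by the remote client, so each field should be written as data and escaped, so that a password containing format specifiers, newlines or the field separator cannot alter or forge log records. The names `escape_field` and `format_attempt` and the `rhost|user|password` record layout are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
/* Escape one client-supplied field into out. Printable ASCII is copied,
 * except '\\' and the '|' separator; other bytes become \xHH and an unset
 * (NULL) item becomes \N. Returns 0, or -1 if the result does not fit. */
int escape_field(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3)
        return -1;
    if (in == NULL) {
        strcpy(out, "\\N");
        return 0;
    }
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int plain = c >= 0x20 && c < 0x7f && c != '\\' && c != '|';
        if (o + (plain ? 1 : 4) >= outsz) {
            out[0] = '\0';          /* never emit a truncated field */
            return -1;
        }
        if (plain)
            out[o++] = (char)c;
        else
            o += (size_t)snprintf(out + o, 5, "\\x%02x", (unsigned)c);
    }
    out[o] = '\0';
    return 0;
}

/* Build "rhost|user|password\n" in line. Returns 0, or -1 on overflow. */
int format_attempt(char *line, size_t n, const char *rhost,
                   const char *user, const char *pass)
{
    char r[256], u[256], p[1024];
    if (escape_field(rhost, r, sizeof r) || escape_field(user, u, sizeof u) ||
        escape_field(pass, p, sizeof p))
        return -1;
    /* Constant format string: client data is only ever an argument. */
    int len = snprintf(line, n, "%s|%s|%s\n", r, u, p);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

int main(void)
{
    char line[2048];  /* the attempt below is a constructed sample */
    if (format_attempt(line, sizeof line, "192.0.2.7", "root", "%n\nx|y") == 0)
        fputs(line, stdout);
    return 0;
}
```

Because a backslash in the input is always written as `\x5c`, the `\N` marker for an unset item cannot be produced by client data.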