Record Failed Passwords

Robert Banz rob at
Wed Jul 21 07:45:14 EST 2010

This is probably a *really bad idea*(tm).

In logging failed passwords, you're opening up the potential to expose the
secrets of valid users. Many people innocently type the wrong password for
an account (like, their bank password instead of the one for your server),
or simply miss a character, or maybe just tried to log in with the wrong
account name and their real password.

The UNIX authentication stack is built so that even the administrator of a
machine has to jump through hoops to expose someone's password (like you're
suggesting doing here), please don't go down this road.

(back in the 'telnet' days, we used to consider it "bad" to log failed
usernames on login, since folks very regularly would type their password at
the wrong prompt -- then follow it up with a correct login from the same IP
-- making it obvious to collect passwords)

On Tue, Jul 20, 2010 at 2:03 PM, Keisial <keisial at> wrote:

>  Bob Proulx wrote:
> > Alan Neville wrote:
> >> I am emailing you to ask is it possible to record failed passwords
> >> attempts and log them to syslog? Are there patches available for this?
> >> Has anyone managed to do this before? Are there alternitive methods?
> > My logs are always filled with cracking attempts to log in but failing
> > the password.  The past couple of months the distributed attacks have
> > increased significantly.  I currently have around 2,000 IP addresses
> > attacking from a distributed attack engine.  (No chance of succeeding
> > however.)
> >
> >   Jul 18 07:01:26 joseki sshd[21461]: error: PAM: User not known to the
> underlying authentication module for illegal user kate from
> >   Jul 18 07:01:26 joseki sshd[21461]: Failed keyboard-interactive/pam for
> invalid user kate from port 16602 ssh2
> >
> > I don't know what system you are using and you did not say.  On a
> > Debian Stable system the above is normal output on a standard
> > installation without additional user patches.  What you are asking for
> > seems to already be available.
> >
> > Bob
> I think he wants the actual passwords, Bob.
> There are some patches for that, Alan, but AFAIK they work only with the
> traditional passwd, not with PAM.
> It could be logged with a PAM module I think, but don't know of an existing
> one.
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at

More information about the openssh-unix-dev mailing list