Record Failed Passwords

Dan Kaminsky dan at doxpara.com
Wed Jul 21 10:48:09 EST 2010


Alan,

   The plaintext password is received from the wire as a null-terminated
string in auth2-passwd.c:userauth_passwd (without privsep) or
monitor.c:mm_answer_authpasswd (with privsep).  If authenticated returns
false, then syslog passwd.  That should work!

   (Again, this is only a good idea for a honeypot.)



On Tue, Jul 20, 2010 at 8:07 PM, Alan Neville <neville.alan at gmail.com> wrote:

>
>
> On 20/07/2010 23:10, Bob Proulx wrote:
> > Keisial wrote:
> >>  Bob Proulx wrote:
> >>> Alan Neville wrote:
> >>>> I am emailing you to ask is it possible to record failed passwords
> >>>> attempts and log them to syslog? Are there patches available for this?
> >>
> >>> My logs are always filled with cracking attempts to log in but failing
> >>> the password.  The past couple of months the distributed attacks have
> >>
> >> I think he wants the actual passwords, Bob.
> >
> > Oh!  When I read "record failed passwords attempts" I read it as
> > "record failed password attempts".  No matter what I think the grammar
> > there is a little ambiguous.  And logging actual passwords isn't
> > normally good since normally user passwords shouldn't be stored.  But
> > I understand that if you are setting up a honeypot or studying attacks
> > then it is one way to observe the cracking behavior.
>
> Indeed this is a honeypot. Can anyone provide information on where such
> patches are available?
>
> >
> > Bob
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> - --
>
> Alan Neville,
> Postgraduate Education Officer,
> DCU Students' Union 2009/2010,
> BS.c Computer Applications DCU (Completed)
> MS.c Security and Forensics DCU (Attending)
>
>
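
A caveat for the honeypot logging described at the top of this thread: the password is attacker-controlled, so it should be escaped and length-capped before it reaches syslog. The following is an added example, not OpenSSH code and not from any poster in this thread; `escape_for_log`, `format_failed_attempt`, the log line layout and the 64/128-byte caps are hypothetical choices.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Copy an attacker-supplied NUL-terminated string into dst as one safe log
 * token: printable ASCII as-is, '"' and '\' backslash-escaped, any other
 * byte as \xHH. Reads at most max_in bytes; returns how many it consumed. */
static size_t escape_for_log(const char *src, size_t max_in, char *dst, size_t dstlen)
{
	size_t in = 0, out = 0;
	if (dstlen == 0) return 0;
	for (; in < max_in && src[in] != '\0'; in++) {
		unsigned char c = (unsigned char)src[in];
		int quote = (c == '"' || c == '\\');
		int plain = (c >= 0x20 && c < 0x7f);
		size_t need = quote ? 2 : plain ? 1 : 4;
		if (out + need >= dstlen)	/* keep room for the NUL */
			break;
		if (quote)
			dst[out++] = '\\';
		if (plain)
			dst[out++] = (char)c;
		else
			out += (size_t)snprintf(dst + out, dstlen - out, "\\x%02x", c);
	}
	dst[out] = '\0';
	return in;
}

/* Hypothetical helper: build the log line; returns 1 if the password was cut. */
static int format_failed_attempt(char *line, size_t len, const char *user, const char *password)
{
	char u[4 * 64 + 1], p[4 * 128 + 1];
	size_t used;
	escape_for_log(user, 64, u, sizeof(u));
	used = escape_for_log(password, 128, p, sizeof(p));
	snprintf(line, len, "failed password: user=\"%s\" password=\"%s\"%s",
	    u, p, password[used] != '\0' ? " (truncated)" : "");
	return password[used] != '\0';
}

int main(void)
{
	char line[1024];
	/* Constructed input: the newline tries to forge a second log entry. */
	format_failed_attempt(line, sizeof(line), "root", "x\nsshd: Accepted password for root");
	syslog(LOG_AUTH | LOG_INFO, "%s", line);	/* never use line as the format string */
	return 0;
}
```
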

