Christian Pfaffel-Janser christian.pfaffel-janser at
Wed Jul 21 17:46:02 EST 2010

Alan Neville wrote:
> Hi OpenSSH'ers,
> I am emailing you to ask is it possible to record failed password
> attempts and log them to syslog? Are there patches available for this?
> Has anyone managed to do this before? Are there alternative methods?
> Many Thanks,
> A

Hi Alan,

Use a PAM module and put it in common-auth:

auth    sufficient             nullok_secure
auth    required
auth    requisite             

Use something like (untested):

---- begin pam_log_pw.c -----------
#include <security/pam_modules.h>

extern int pam_sm_authenticate(pam_handle_t *pamh,
			       int flags, int argc, const char ** argv) {
    const char *user, *pass, *rhost, *ruser;

    /* Any of these may come back NULL if the item was never set. */
    pam_get_item(pamh, PAM_USER, (const void **) &user);
    pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
    pam_get_item(pamh, PAM_RHOST, (const void **) &rhost);
    pam_get_item(pamh, PAM_RUSER, (const void **) &ruser);

    /* do your logging stuff here */

    /* This module never authenticates anyone itself. */
    return PAM_AUTH_ERR;
}
----- end ----

compile using something like:

gcc -O2 -fPIC -Wall -pedantic -shared -lpam -o \

Best regards,
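An added example, not part of the original message: the four values read with pam_get_item() are supplied by the remote client and may be NULL, so the logging step should render them as single-line tokens before they reach syslog. The function names and the record format below are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy one PAM item into dst as a log-safe token. NULL (item not set) becomes
 * "-"; space, '"', backslash and every byte outside printable ASCII become
 * \xHH. dst is always NUL-terminated. Returns 1 if the value was cut, else 0. */
int log_safe(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;
    if (dstlen == 0)
        return 1;
    if (src == NULL)
        src = "-";
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        int plain = c > 0x20 && c < 0x7f && c != '\\' && c != '"';
        size_t need = plain ? 1 : 4;
        if (o + need >= dstlen) {          /* keep room for the NUL */
            dst[o] = '\0';
            return 1;
        }
        if (plain)
            dst[o++] = (char)c;
        else
            o += (size_t)snprintf(dst + o, dstlen - o, "\\x%02x", c);
    }
    dst[o] = '\0';
    return 0;
}

/* Build the one-line record (hypothetical format) that the module would pass
 * to syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", line). Returns 1 if anything was cut. */
int format_attempt(char *line, size_t len, const char *user, const char *pass,
                   const char *rhost, const char *ruser)
{
    char u[128], p[256], h[128], r[128];
    int cut = log_safe(u, sizeof u, user) | log_safe(p, sizeof p, pass) |
              log_safe(h, sizeof h, rhost) | log_safe(r, sizeof r, ruser);
    int n = snprintf(line, len, "failed auth user=%s pass=%s rhost=%s ruser=%s",
                     u, p, h, r);
    return cut || n < 0 || (size_t)n >= len;
}

int main(void)
{
    char line[640];   /* constructed sample: the password carries a forged log line */
    format_attempt(line, sizeof line, "root",
                   "x\nsshd: Accepted password for root", "203.0.113.7", NULL);
    puts(line);
}
```

Because the record contains candidate passwords, including mistyped real ones, the log destination should be readable by root only.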


