@resilar
Last active November 27, 2018 13:51
PAM module to log bad SSH passwords (for non-/home/ users only)
/*
* pam_badlog.c
*
* $ gcc -fPIC -fno-stack-protector -c pam_badlog.c
* $ sudo ld -x --shared -o /lib/security/pam_badlog.so pam_badlog.o
* $ rm pam_badlog.o
*
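* then add "auth required pam_badlog.so" at the beginning of /etc/pam.d/sshd
*
* $ /etc/init.d/sshd restart
*
* NOTE: the module records every password it is handed, before any other
* module has verified it, so /var/log/badlog can contain valid credentials
* in plaintext. Keep the file owned by root with mode 0600 and treat it as
* secret material. -fno-stack-protector disables the stack canary for code
* that runs inside sshd; consider building without that flag.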
*/
#include <fcntl.h>
#include <pwd.h>
#include <security/pam_ext.h>
#include <security/pam_modules.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
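/* Upper bound on one log record; longer records are truncated. */
enum { BADLOG_LINE_MAX = 4096 };

/*
 * Append src to dst[len..cap), escaping bytes that could forge or split a
 * log record: control characters (including TAB, CR and LF), DEL and the
 * backslash are written as \xNN. Copying stops silently when the buffer is
 * full. Returns the new length, which never exceeds cap.
 */
static size_t badlog_append_escaped(char *dst, size_t len, size_t cap,
                                    const char *src)
{
    static const char hex[] = "0123456789abcdef";

    for (const unsigned char *p = (const unsigned char *)src; *p != '\0'; p++) {
        if (*p < 0x20 || *p == 0x7f || *p == '\\') {
            if (cap - len < 4)
                break;
            dst[len++] = '\\';
            dst[len++] = 'x';
            dst[len++] = hex[*p >> 4];
            dst[len++] = hex[*p & 0x0f];
        } else {
            if (cap - len < 1)
                break;
            dst[len++] = (char)*p;
        }
    }
    return len;
}

/*
 * Append one "<unix time>\t<user>:<pass>\t<host>\n" record to
 * /var/log/badlog for accounts whose home directory is not under /home/.
 * Unknown users (getpwnam() returns NULL) are not logged.
 *
 * Security notes:
 *  - The password is attacker-controlled and may be a valid one: nothing
 *    here checks whether the attempt was wrong. The file is therefore
 *    created with mode 0600. The mode is only applied on creation, so an
 *    existing file with looser permissions must be fixed by hand.
 *  - user, pass and host are escaped so that an embedded TAB or newline
 *    cannot inject fake records into the log.
 *  - The record is emitted with a single write() on an O_APPEND descriptor
 *    so that concurrent sshd children do not interleave partial lines.
 *
 * Logging is best-effort: every failure is ignored and never affects the
 * authentication result.
 */
static void badlog(const char *user, const char *pass, const char *host)
{
    const struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return;

    /* strncmp stops at the terminator; the former memcmp(…, 6) could read
     * past the end of a home directory shorter than six bytes (e.g. "/"). */
    if (pw->pw_dir != NULL && strncmp(pw->pw_dir, "/home/", 6) == 0)
        return;

    char line[BADLOG_LINE_MAX];
    const size_t cap = sizeof line - 1;    /* keep one byte for '\n' */

    int n = snprintf(line, cap, "%lu\t", (unsigned long)time(NULL));
    if (n < 0 || (size_t)n >= cap)
        return;

    size_t len = (size_t)n;
    len = badlog_append_escaped(line, len, cap, user);
    if (len < cap)
        line[len++] = ':';
    len = badlog_append_escaped(line, len, cap, pass);
    if (len < cap)
        line[len++] = '\t';
    len = badlog_append_escaped(line, len, cap, host);
    line[len++] = '\n';

    int fd = open("/var/log/badlog", O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0)
        return;
    if (write(fd, line, len) < 0) {
        /* best-effort: a failed write must not influence authentication */
    }
    close(fd);
}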
/*
 * PAM auth hook: fetch the user name, the authentication token and the
 * remote host from the PAM handle and pass them to badlog() when all three
 * lookups succeeded and returned non-NULL values.
 *
 * The result is PAM_SUCCESS on every path, including when a lookup fails.
 * NOTE(review): this module verifies nothing, so it must never be the only
 * module deciding the auth stack; returning PAM_IGNORE may be the safer
 * contract for a logging-only module. Confirm against the deployed stack.
 */
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
                        int argc, const char **argv)
{
    const char *user = NULL;
    const char *pass = NULL;
    const char *host = NULL;

    (void)flags;
    (void)argc;
    (void)argv;

    /* All three lookups are always attempted, even after a failure. */
    const int rc_user = pam_get_item(pamh, PAM_USER, (const void **)&user);
    const int rc_pass = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL);
    const int rc_host = pam_get_item(pamh, PAM_RHOST, (const void **)&host);

    const int combined = rc_user | rc_pass | rc_host;
    const int have_all = (user != NULL) && (pass != NULL) && (host != NULL);

    if (combined == PAM_SUCCESS && have_all) {
        badlog(user, pass, host);
    }

    return PAM_SUCCESS;
}
/*
 * PAM credential hook. This module manages no credentials, so the call
 * does nothing and reports PAM_SUCCESS.
 */
PAM_EXTERN
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh;
    (void)flags;
    (void)argc;
    (void)argv;

    return PAM_SUCCESS;
}