/gist:1572229
Created Jan 6, 2012
Patch to FreeBSD OpenSSH to log username and password on log-in attempt to invalid user
| Index: crypto/openssh/auth-pam.c | |
| =================================================================== | |
| --- crypto/openssh/auth-pam.c (revision 229638) | |
| +++ crypto/openssh/auth-pam.c (working copy) | |
| @@ -809,6 +809,15 @@ | |
| return (-1); | |
| } | |
| +static void | |
| +sshpam_log_invalid_user(const char *user, const char* pw, int kbdint) | |
| +{ | |
| + logit("PAM: %s/pam log-in attempt to invalid user %.100s: '%.100s'", | |
| + kbdint?"keyboard-interactive":"password", | |
| + user?user:"<unknown user>", | |
| + pw?pw:"<unknown password>"); | |
| +} | |
| + | |
| /* XXX - see also comment in auth-chall.c:verify_response */ | |
| static int | |
| sshpam_respond(void *ctx, u_int num, char **resp) | |
| @@ -835,8 +844,10 @@ | |
| (sshpam_authctxt->pw->pw_uid != 0 || | |
| options.permit_root_login == PERMIT_YES)) | |
| buffer_put_cstring(&buffer, *resp); | |
| - else | |
| + else { | |
| + sshpam_log_invalid_user(sshpam_authctxt->user, *resp, 1); | |
| buffer_put_cstring(&buffer, badpw); | |
| + } | |
| if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { | |
| buffer_free(&buffer); | |
| return (-1); | |
| @@ -1196,8 +1207,10 @@ | |
| * information via timing (eg if the PAM config has a delay on fail). | |
| */ | |
| if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && | |
| - options.permit_root_login != PERMIT_YES)) | |
| + options.permit_root_login != PERMIT_YES)) { | |
| + sshpam_log_invalid_user(authctxt->user, sshpam_password, 0); | |
| sshpam_password = badpw; | |
| + } | |
| sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | |
| (const void *)&passwd_conv); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment