Patch to FreeBSD OpenSSH to log username and password on log-in attempt to invalid user
Index: crypto/openssh/auth-pam.c | |
=================================================================== | |
--- crypto/openssh/auth-pam.c (revision 229638) | |
+++ crypto/openssh/auth-pam.c (working copy) | |
@@ -809,6 +809,15 @@ | |
return (-1); | |
} | |
+static void | |
+sshpam_log_invalid_user(const char *user, const char* pw, int kbdint) | |
+{ | |
+ logit("PAM: %s/pam log-in attempt to invalid user %.100s: '%.100s'", | |
+ kbdint?"keyboard-interactive":"password", | |
+ user?user:"<unknown user>", | |
+ pw?pw:"<unknown password>"); | |
+} | |
+ | |
/* XXX - see also comment in auth-chall.c:verify_response */ | |
static int | |
sshpam_respond(void *ctx, u_int num, char **resp) | |
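Review bot: `sshpam_log_invalid_user` writes the submitted secret in cleartext through `logit`, and no comment says so or limits where the helper is enabled. A legitimate user who mistypes their login name would have their real password recorded in the auth log, which is often readable by more accounts than the password database and may be forwarded over syslog. I would add a header comment such as `/* Honeypot/research builds only: records the submitted password in cleartext; keep the auth log root-only and do not forward it unencrypted. */` and compile the helper only under a dedicated build option. The `%.100s` bounds cap the length, but the single quotes around the password do not delimit it unambiguously when the password itself contains a quote. `sshpam_respond`, which begins at the end of this hunk, continues outside it.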
@@ -835,8 +844,10 @@ | |
(sshpam_authctxt->pw->pw_uid != 0 || | |
options.permit_root_login == PERMIT_YES)) | |
buffer_put_cstring(&buffer, *resp); | |
- else | |
+ else { | |
+ sshpam_log_invalid_user(sshpam_authctxt->user, *resp, 1); | |
buffer_put_cstring(&buffer, badpw); | |
+ } | |
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { | |
buffer_free(&buffer); | |
return (-1); | |
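Review bot: The new `else` branch is reached not only for unknown users but also for a valid root account when `options.permit_root_login` is not `PERMIT_YES` (the visible part of the condition is `pw_uid != 0 || options.permit_root_login == PERMIT_YES`), so root's genuine response would be logged under the label "invalid user". The same applies to the hunk at `@@ -1196,8 +1207,10 @@`, whose condition includes `authctxt->pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES`. I would restrict the call to the unknown-user case, e.g. `if (!sshpam_authctxt->valid) sshpam_log_invalid_user(sshpam_authctxt->user, *resp, 1);` here and `if (!authctxt->valid) sshpam_log_invalid_user(authctxt->user, sshpam_password, 0);` there, assuming `sshpam_authctxt` carries the same `valid` flag seen in the later hunk. The start of the `if` condition and the rest of `sshpam_respond` are outside this hunk, so the exact test should be confirmed against the full function.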
@@ -1196,8 +1207,10 @@ | |
* information via timing (eg if the PAM config has a delay on fail). | |
*/ | |
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 && | |
- options.permit_root_login != PERMIT_YES)) | |
+ options.permit_root_login != PERMIT_YES)) { | |
+ sshpam_log_invalid_user(authctxt->user, sshpam_password, 0); | |
sshpam_password = badpw; | |
+ } | |
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, | |
(const void *)&passwd_conv); |
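Review bot: The added `sshpam_log_invalid_user` call runs only on the invalid-user or denied-root path, directly under a comment about not leaking information via timing. A synchronous log write on just that path may make it measurably slower than the valid-user path, which would let a remote client tell the two apart. I would either defer the log call until after the PAM exchange has finished on both paths, or add a comment such as `/* NOTE: logging here adds work only on the invalid path; acceptable for honeypot use, not for production. */`. The enclosing function starts and ends outside this hunk.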