Skip to content

Instantly share code, notes, and snippets.

@sjmurdoch
Created January 6, 2012 20:18
Show Gist options
  • Save sjmurdoch/1572229 to your computer and use it in GitHub Desktop.
Save sjmurdoch/1572229 to your computer and use it in GitHub Desktop.
Patch to FreeBSD OpenSSH to log username and password on log-in attempt to invalid user
Index: crypto/openssh/auth-pam.c
===================================================================
--- crypto/openssh/auth-pam.c (revision 229638)
+++ crypto/openssh/auth-pam.c (working copy)
@@ -809,6 +809,15 @@
return (-1);
}
+static void
+sshpam_log_invalid_user(const char *user, const char* pw, int kbdint)
+{
+ logit("PAM: %s/pam log-in attempt to invalid user %.100s: '%.100s'",
+ kbdint?"keyboard-interactive":"password",
+ user?user:"<unknown user>",
+ pw?pw:"<unknown password>");
+}
+
/* XXX - see also comment in auth-chall.c:verify_response */
static int
sshpam_respond(void *ctx, u_int num, char **resp)
@@ -835,8 +844,10 @@
(sshpam_authctxt->pw->pw_uid != 0 ||
options.permit_root_login == PERMIT_YES))
buffer_put_cstring(&buffer, *resp);
- else
+ else {
+ sshpam_log_invalid_user(sshpam_authctxt->user, *resp, 1);
buffer_put_cstring(&buffer, badpw);
+ }
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
buffer_free(&buffer);
return (-1);
@@ -1196,8 +1207,10 @@
* information via timing (eg if the PAM config has a delay on fail).
*/
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
- options.permit_root_login != PERMIT_YES))
+ options.permit_root_login != PERMIT_YES)) {
+ sshpam_log_invalid_user(authctxt->user, sshpam_password, 0);
sshpam_password = badpw;
+ }
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&passwd_conv);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment