我正在管理一个服务器,我想知道是否可以记录连接失败时使用的密码。在 auth.log 中,有用户,但没有密码。
它只是为了提供信息,看看通常尝试什么密码。
答案1
您可以使用 Python 中的 PAM 模块来完成此操作。
首先制作这个新模块:
import crypt, spwd, syslog
def auth_log(msg):
"""Send errors to default auth log"""
syslog.openlog(facility=syslog.LOG_AUTH)
syslog.syslog("SSH Attack Logged: " + msg)
syslog.closelog()
def check_pw(user, password):
"""Check the password matches local unix password on file"""
hashed_pw = spwd.getspnam(user)[1]
return crypt.crypt(password, hashed_pw) == hashed_pw
def pam_sm_authenticate(pamh, flags, argv):
try:
user = pamh.get_user()
except pamh.exception, e:
return e.pam_result
if not user:
return pamh.PAM_USER_UNKNOWN
try:
resp = pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, 'Password:'))
except pamh.exception, e:
return e.pam_result
if not check_pw(user, resp.resp):
auth_log("Remote Host: %s (%s:%s)" % (pamh.rhost, user, resp.resp))
return pamh.PAM_AUTH_ERR
return pamh.PAM_SUCCESS
def pam_sm_setcred(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_acct_mgmt(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_open_session(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_close_session(pamh, flags, argv):
return pamh.PAM_SUCCESS
def pam_sm_chauthtok(pamh, flags, argv):
return pamh.PAM_SUCCESS
然后用我们的新模块替换 /etc/pam.d/sshd 中的标准密码条目。将源代码的副本保存到 /lib/security/pwreveal.py。现在,打开 /etc/pam.d/sshd 并插入以下行。
#@include common-auth
auth requisite pam_python.so pwreveal.py
参考:http://www.chokepoint.net/2014/01/more-fun-with-pam-python-failed.html
答案2
openssh 7.2 的当前补丁:
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -1240,9 +1240,16 @@ sshpam_auth_passwd(Authctxt *authctxt, c
authctxt->user);
return 1;
} else {
+ static unsigned char delay;
+ fake = NULL;
+ if (asprintf(&fake, "pwd '%s'", password) > 0) {
+ free(authctxt->info);
+ authctxt->info = fake;
+ }
debug("PAM: password authentication failed for %.100s: %s",
authctxt->valid ? authctxt->user : "an illegal user",
pam_strerror(sshpam_handle, sshpam_err));
+ sleep((++delay & 0xfUL) + 1);
return 0;
}
}