A minimalistic Pluggable Authentication Modules (PAM) module that hooks into the Linux authentication process and writes the username, password and source host to a log file. To learn more about what PAM is and how it works, see [1]. The code is a modified version of this project [2]. Slight modifications may be necessary for use with other OSes (or OS versions).
The instructions are for Debian / Ubuntu. This also works on CentOS but requires some modifications, see my answer HERE.
- In order to build the module, the `libpam-dev` library is required.

  ```
  # apt search libpam
  [...]
  libpam0g-dev/stable,now 1.3.1-5 amd64
  Development files for PAM
  [...]
  # apt install libpam0g-dev
  ```

- After installing the necessary dev files, run `make`.

  ```
  # make
  cc -Wall -Wpedantic -c pam_pwlog.c -o pam_pwlog.o
  ld --shared -o pam_pwlog.so pam_pwlog.o -lpam -lpam_misc
  ```

- Subsequently, update the file permissions to `0644` and store the module in a place where PAM can find it, i.e. `/lib/security/` or `/lib/*/security/`.

  ```
  # chmod 0644 pam_pwlog.so && mv pam_pwlog.so /lib/security/
  ```

- Finally, update the PAM configuration in `/etc/pam.d/common-auth` to monitor all authentications. Alternatively, only update the configuration file for the specific service that you intend to monitor (e.g. `/etc/pam.d/sshd` for `ssh`). Add the following line to enable the module. (Again, see [1] for details.)

  ```
  auth optional pam_pwlog.so
  ```

Tinkering with PAM can easily break your entire authentication. Use at your own risk.
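
Because the module is enabled by a single configuration line, a PAM stack can be audited for modules that are not expected on the host. The following is an added example, not part of this project's code: it parses `pam.d`-style text and flags rules whose module is missing from a baseline or sits outside the module directories. The baseline set, the `/usr/lib` directory patterns and the sample file are assumptions constructed for the example.

```python
import os
import re
from fnmatch import fnmatchcase

# Assumed baseline of modules expected on the host (constructed for this example).
BASELINE = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so"}
# Module directories named on this page, plus their /usr equivalents (assumption).
MODULE_DIRS = ("/lib/security/*", "/lib/*/security/*",
               "/usr/lib/security/*", "/usr/lib/*/security/*")

# Constructed sample of a common-auth file containing the line from this page.
SAMPLE = """\
# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth optional pam_pwlog.so
@include common-account
"""

RULE = re.compile(
    r"^-?(auth|account|password|session)\s+"  # optional '-' prefix, then type
    r"(\[[^\]]*\]|\S+)\s+"                    # control: keyword or [value=action ...]
    r"(\S+)"                                  # module name or absolute path
)

def audit(text, baseline=BASELINE):
    """Return (type, control, module, reasons) for each suspicious rule in pam.d text."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():  # join continued lines
        match = RULE.match(line.split("#", 1)[0].strip())
        if not match:
            continue  # blank line, comment or @include directive
        ptype, control, module = match.groups()
        if control in ("include", "substack"):
            continue  # third field names another config file, not a module
        reasons = []
        if os.path.basename(module) not in baseline:
            reasons.append("not in baseline")
        if module.startswith("/") and not any(fnmatchcase(module, d) for d in MODULE_DIRS):
            reasons.append("outside module directories")
        if reasons:
            findings.append((ptype, control, module, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a real host, feed it each file under `/etc/pam.d/` and build the baseline from package-manager data rather than a hand-written set.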
[1] https://doc.opensuse.org/documentation/leap/archive/42.2/security/html/book.security/cha.pam.html
[2] http://www.adeptus-mechanicus.com/codex/logsshp/logsshp.html