how to logging correct password ? #1

Closed
isafe opened this issue Jun 28, 2021 · 2 comments
Labels
enhancement New feature or request

Comments

@isafe

isafe commented Jun 28, 2021

Hi, I tested it on Debian and it's working. On CentOS, it's logging all passwords, including wrong passwords.

@Cr4ckC4t
Owner

Cr4ckC4t commented Jul 5, 2021

Hey, thanks for the feedback. I will take a look at CentOS in the future. This might take some time though.

@Cr4ckC4t Cr4ckC4t added the enhancement New feature or request label Jul 5, 2021
@Cr4ckC4t
Owner

Cr4ckC4t commented Jul 23, 2021

Okay @isafe, so tl;dr: it is possible to log only the correct passwords on CentOS, but not without some sacrifices.

My test environment was a complete clean CentOS 8.4 (64bit) Server.

Preparations:

  1. yum install pam-devel.x86_64
  2. Cloning the repo
  3. Compiling with the additional flag -fPIC
  4. Also, on CentOS the PAM modules require 0755 access rights instead of 0644
  5. Moving pam_pwlog.so to /lib64/security

Version 1 - modifying password-auth

The /etc/pam.d/sshd only includes the password-auth file without running any verification itself. So when pam_pwlog.so is put in there, it gets executed with every login attempt, regardless of whether it was successful. This approach would require version two.

The alternative is that we modify /etc/pam.d/password-auth.
[screenshot: password-auth]
Assuming we modify it manually, we'd want to look at the sufficient rule executing pam_unix.so. Basically, that's the module that checks the supplied password against the stored one. The rule is sufficient because if it succeeded, then the password was correct and the user is authenticated, so the rest of the rules will be skipped. If it fails, then the rules fall back to pam_sss.so (for SSSD, i.e. remote authentication).

Now, we could set the pam_unix.so rule to required, add our own rule below it and make it sufficient. This works fine and logs only the valid password attempts, but it has one major disadvantage: if pam_unix.so fails, then this will also cause pam_sss.so to fail. And there is no easy way around this. So as soon as the server attempts to use SSO of some sort, every user authentication would fail.

Hence, this solution is quite dirty and should only be used in an environment where it's guaranteed that all users can be authenticated with pam_unix.so.

Version 2 - manual password check

The alternative to hooking into and modifying the default authentication process would be to do our own little password check. So, assuming we add pam_pwlog.so right after the password-auth rule in /etc/pam.d/sshd, we could extend our script with some logic to compare the supplied password with the one stored in /etc/passwd or /etc/shadow. If it matches we log it, if not we drop it.

The first (minor) issue with this is that we won't capture SSO passwords this way, obviously. But let's assume only local user logins.

The code for the password check can be found on SO: https://stackoverflow.com/questions/17499163/how-to-check-password-in-linux-by-using-c-or-shell/63173069#63173069 . However, integrating this code into the script leads to another major problem. Although the PAM script effectively runs as root, the security context of the script won't allow reading /etc/shadow from the code.

Now, the quick way around this would be to switch SELinux to permissive, which allows the access to /etc/shadow. This can be achieved with setenforce 0. If we do this, everything works fine and only the correct passwords get logged:
[screenshot: test-output]
But again, it's a very ugly solution, since we simply turn off the protection mechanisms. There are probably other ways to circumvent this, but that would require you to dig deeper into the whole process of PAM and SELinux.

So yes, it is practically possible to log only the correct passwords but with my surface knowledge of PAM there wasn't a really satisfying solution.

@Cr4ckC4t Cr4ckC4t pinned this issue Jul 29, 2021
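The stacking argument in "Version 1" above, as an added example that is not part of pam_pwlog or of this thread: a small evaluator of the required/requisite/sufficient/optional semantics from pam.conf(5), run against a cut-down stand-in for the auth section of CentOS' password-auth (assumption: the real file has more entries such as pam_env, pam_faildelay and pam_succeed_if; only the rules that matter for the argument are modelled). The users, passwords and module results are constructed mocks; no real pam_unix or pam_sss is called. It shows why turning pam_unix.so into a required rule makes every SSSD-backed login fail, and it also records which modules a given attempt reaches, because a required failure does not stop the stack: anything placed below a required pam_unix.so is still invoked for a wrong password, and whether it logs in that case is up to the module's own logic.

```python
"""Model of how PAM control flags decide an auth stack's verdict.

Added example, not pam_pwlog's own code. Module behaviour is mocked;
only the control-flag semantics from pam.conf(5) are real.
"""

# Simplified auth section modelled on the rules the thread describes
# (assumption: the real password-auth has more entries; these are the
# ones relevant to the stacking argument).
ORIGINAL_STACK = [
    ("sufficient", "pam_unix.so"),   # local /etc/shadow check
    ("sufficient", "pam_sss.so"),    # SSSD fallback for SSO users
    ("required",   "pam_deny.so"),   # nothing matched: deny
]

# "Version 1": pam_unix becomes required, a logging module is added
# as sufficient directly below it (hypothetical position).
MODIFIED_STACK = [
    ("required",   "pam_unix.so"),
    ("sufficient", "pam_pwlog.so"),
    ("sufficient", "pam_sss.so"),
    ("required",   "pam_deny.so"),
]

# Constructed accounts: one local user, one SSO user served by SSSD.
LOCAL_USERS = {"alice": "correct horse"}
SSO_USERS = {"bob": "battery staple"}


def mock_module(module, user, password):
    """Stand-in for each module's pam_sm_authenticate() result."""
    if module == "pam_unix.so":
        return LOCAL_USERS.get(user) == password
    if module == "pam_sss.so":
        return SSO_USERS.get(user) == password
    if module == "pam_pwlog.so":
        return True   # a pure logger has nothing to verify
    if module == "pam_deny.so":
        return False
    raise ValueError(f"unknown module {module}")


def run_auth_stack(stack, user, password):
    """Return (authenticated, modules_invoked) for one login attempt.

    Semantics from pam.conf(5):
      required   - failure is remembered, but the stack keeps running
      requisite  - failure returns immediately
      sufficient - success returns immediately unless a required module
                   already failed; failure is ignored
      optional   - result ignored (unless it is the only module)
    """
    invoked = []
    required_failed = False
    for control, module in stack:
        invoked.append(module)
        ok = mock_module(module, user, password)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False, invoked
        elif control == "sufficient":
            if ok and not required_failed:
                return True, invoked
        elif control == "optional":
            pass
        else:
            raise ValueError(f"unsupported control flag {control}")
    return not required_failed, invoked


def compare_stacks():
    """Run the same constructed login attempts through both stacks."""
    attempts = [
        ("alice", "correct horse"),   # local user, right password
        ("alice", "wrong"),           # local user, wrong password
        ("bob", "battery staple"),    # SSO user, right password
    ]
    report = {}
    for user, pw in attempts:
        orig_ok, _ = run_auth_stack(ORIGINAL_STACK, user, pw)
        mod_ok, mod_path = run_auth_stack(MODIFIED_STACK, user, pw)
        report[(user, pw)] = {
            "original": orig_ok,
            "modified": mod_ok,
            "modified_reached_logger": "pam_pwlog.so" in mod_path,
        }
    return report


if __name__ == "__main__":
    for (user, pw), r in compare_stacks().items():
        print(f"{user:6s} {pw!r:18s} original={r['original']!s:5s} "
              f"modified={r['modified']!s:5s} "
              f"logger_invoked={r['modified_reached_logger']}")
```

The SSO user bob authenticates through the original stack (pam_unix fails and is ignored, pam_sss succeeds) but is rejected by the modified one, because a failed required rule poisons every later sufficient rule. The wrong-password attempt for alice still reaches pam_pwlog.so in the modified stack, which is the check to make before relying on stack position alone to filter failed attempts.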