Can I see passwords or hashes from failed logons in ssh?
I believe you can do this with strace against the ssh daemon. See this example / script. I think this will probably slow the ssh daemon down. It will show the actual password, not the hash.
The core of that example is (need to be root most likely):
strace -f -etrace=write -s 64 -p $ssh_pid 2>&1
My test with the above command where $ssh_pid is the pid of /usr/sbin/sshd:
ssh localhost
kbrandt@localhost's password:
Permission denied, please try again.
...
pid 14742] write(4, "\0\0\0\10foobazes"..., 12) = 12
I don't think this is possible, at least not without making a pam-module which does that for you. It sounds rather unethical too, so tread carefully. It might be ok for analyzing attacks, but grab the 'incorrect' password of a legitimate user, and you might have picked up a password he uses somewhere else.