Can I see passwords or hashes from failed logons in ssh?

ssh security password

I believe you can do this with strace against the ssh daemon. See this example / script. I think this will probably slow the ssh daemon down. It will show the actual password, not the hash.

The core of that example is (need to be root most likely):

strace -f -etrace=write -s 64 -p $ssh_pid 2>&1

My test with the above command where $ssh_pid is the pid of /usr/sbin/sshd:

ssh localhost
kbrandt@localhost's password: 
Permission denied, please try again.
...
pid 14742] write(4, "\0\0\0\10foobazes"..., 12) = 12

I don't think this is possible, at least not without making a pam-module which does that for you. It sounds rather unethical too, so tread carefully. It might be ok for analyzing attacks, but grab the 'incorrect' password of a legitimate user, and you might have picked up a password he uses somewhere else.

Related

Cron job creating empty file each time it runs
Ubuntu 10.04 Server on Hyper-V Server R2 has sluggish install and command line
Am I looking at the console when I use remote desktop?
What equipment do real ISP's use? [closed]
how do I make solaris shell more familiar for a linux user? [closed]
How to properly nest a wireless router behind a wired router? [closed]
How can I completely delete the contents of my old VPS?
What is the difference between "turn off" and "shut down" in Windows 7 version of Virtual PC?
Anyone have a Powershell script to look up the MX record for a domain?
Ubuntu 10.4 Full Disk Encryption
How can I message intranet users to refrain from using client apps?
How to I use Vim's increment (Control-a) when in a screen session?