With sshd, is it possible to track failed passwords in addition to failed usernames?
I have been asked by my supervisor to create and maintain a list that all company passwords must not be listed in. I've presented him with the typical non-dictionary words, etc., and I've already thought to use password lists available online.
Does anyone have a solution and/or a good argument that I can present him with that either solves this or justifies not doing it?
It's Monday, my coffee's not working, the weather is crap, and I'm missing something. :) Can you redefine this? Part of what I'm reading is related to sshd capturing bad password attempts - meaning someone types in the wrong password? Then I'm getting something about a list of "poor" passwords, that would be more related to the passwd command.
Sorry about being vague. The boss has been driving me crazy with this and it's not how I wanted to start my week.
My boss believes that there is a way to capture erroneous passwords entered while trying to authenticate to our Red Hat Enterprise box. He's specifically interested in capturing passwords entered while trying to access the box via terminal over SSH. We see tons of script kiddies who run lists against our box and are unsuccessful in gaining access. He is very interested (read: annoyingly interested) in seeing what they're trying to use for their password(s).
My long-running argument has been that we should not keep a log on the server of password attempts because it will sooner or later capture a legitimate user's mistake.
I just need to be able to tell him if it can be done, and if not, why.
And I thought my Monday was crap. :rolleyes:
I understand, and sympathize with the unwanted Sauron-like eye of an obsessed manager. AFAIK there's no method in sshd logging that allows capturing password contents, and almost without a doubt the reason is precisely the jaw-dropping idiocy of attempting to capture something that ssh is *precisely* designed to keep hidden over a network connection and dumping it to a non-encrypted text file. As you correctly observe, capturing that is a potentially huge security hole, and I frankly have no idea of what possible use it would be (anyone attempting to log in with a password from the list is banned?).
Unfortunately, I'm not a security expert that you can hire (at his expense, of course :) ) to have me explain why it's not a good idea. Perhaps a little more poking about might find this question being asked before and a few tirades in return will sway him.
There will always be script kiddies, and getting a hammered server is part of life in the 21st. As long as they're not getting in, he should be happy. Another option, if you've not already done it, is to change the default port. It will have a cost in getting end users to change their config, but the amount of hammering will plummet.
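As an added example (not code from this thread), here is what sshd's auth log actually gives you for a failed attempt: the username, source address and port, but no password field. The script parses a constructed set of auth.log lines and aggregates by user and source, which is as far as "tracking failed passwords" can go from sshd's own logging.

```python
import re
from collections import Counter

# Constructed sample of sshd auth.log lines (not from the original thread).
# sshd records the username, source address and port of a failed attempt,
# but never the password that was tried.
SAMPLE_LOG = """\
Jan 13 09:12:01 rhel sshd[2345]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Jan 13 09:12:03 rhel sshd[2345]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
Jan 13 09:12:05 rhel sshd[2346]: Failed password for root from 192.0.2.10 port 51236 ssh2
Jan 13 09:12:09 rhel sshd[2347]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Jan 13 09:15:30 rhel sshd[2350]: Accepted password for jdoe from 203.0.113.5 port 50022 ssh2
Jan 13 09:16:02 rhel sshd[2351]: Failed password for jdoe from 203.0.113.5 port 50023 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_failed_logins(log_text):
    """Return one dict per failed password attempt found in the log text."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append({
                "user": m.group("user"),
                "src": m.group("src"),
                "port": int(m.group("port")),
                # "invalid user" means the account does not exist on the box
                "invalid_user": m.group("invalid") is not None,
            })
    return attempts

def summarize(attempts):
    """Count failures per username and per source address."""
    by_user = Counter(a["user"] for a in attempts)
    by_src = Counter(a["src"] for a in attempts)
    return by_user, by_src

def existing_accounts_targeted(attempts):
    """Accounts that exist and had failures: the ones where a logged
    password would most likely be a legitimate user's typo."""
    return sorted({a["user"] for a in attempts if not a["invalid_user"]})

if __name__ == "__main__":
    attempts = parse_failed_logins(SAMPLE_LOG)
    print(summarize(attempts), existing_accounts_targeted(attempts))
```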
I basically stood up to the old man yesterday and explained the situation to him. He didn't like hearing that "it couldn't be done" but he now understands the security aspects of his (idiot) request.