PAM

Support for security such as Firewalls and securing linux
fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

PAM

Post by fredvps » 2016/03/17 01:34:28

Does anyone know if it's possible to record failed password attempts (in plan language)
I'd like to record the actual passwords that fail (pam auth fails) but I can't see a way to do it.

Thanks

aks
Posts: 3008
Joined: 2014/09/20 11:22:14

Re: PAM

Post by aks » 2016/03/17 17:04:17

AFAIK, not recording the actual passwords used (that probably would be a security violation), but you could use pam_tally to count failed logins and then do something based upon that.

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

Re: PAM

Post by fredvps » 2016/03/18 12:36:13

Thanks -
The counts of attempts are recorded in the logs anyway.

I see the inability to identify actual failed attempts as a security hazard not the other way around.
If you know what is being tried you can probably work out where the leak is that gave them the
idea they could get in in the first place. Passwords used on other web sites for example.

User avatar
TrevorH
Forum Moderator
Posts: 29120
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM

Post by TrevorH » 2016/03/18 13:41:13

But if you go to logon as root and make a single letter typo in your password, now the nearly-right password is in the logs and you've given away 90% of your root password to anyone who cares to read it.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

Re: PAM

Post by fredvps » 2016/03/18 19:14:47

You mean anyone who already has full access to the server in order to get at the logs?
It's a bit late to worry by then.
Besides - you could always re-encrypt the log on the fly so it requres a password .
I don't see any downside to this.

Whoever
Posts: 1124
Joined: 2013/09/06 03:12:10

Re: PAM

Post by Whoever » 2016/03/19 05:57:19

As the admin of a system, you should NOT know your users' passwords.

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

Re: PAM

Post by fredvps » 2016/03/19 11:34:36

I agree.
But that is not what is being discussed.

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: PAM

Post by gerald_clark » 2016/03/19 15:39:01

Indeed it is.

User avatar
TrevorH
Forum Moderator
Posts: 29120
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM

Post by TrevorH » 2016/03/19 16:58:29

There is a reason why passwords are encrypted even though they are also kept in a file that is readable only by root. What you are proposing to do is insecure and should not be done.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

Re: PAM

Post by fredvps » 2016/03/20 12:55:22

The reverse is true and implementation is now underway.

Websites collecting passwords for distribution to hackers and other agencies
will be capable of being exposed now.

As for encryption - any serious group knows that online encryption is not secure
by decree of the US government and can be broken with a little effort.

Online "encryption" only protects from the curious and the amateur; not the organised
hackers or criminal gangs.

If its security you want you should be shouting at the rooftops to get windows 10 and HTML5 outlawed.

Locked

Return to “CentOS 6 - Security Support”