How can I record all login attempts?

Posted: 2019/10/29 18:54:57
by BlackMage
How can I record all login attempts from sshd with pamd with password? logsshp and logsshpwd will only record the passwords if an existing username has been entered.

Code:

# cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)

Re: How can I record all attempted login attempts?

Posted: 2019/10/29 19:05:11
by TrevorH
No idea about the answer to your question but you are 3 whole years behind in updates on that box. Many of those are security related and need patching ASAP. The current CentOS 7 version is 7.7.1908 and you are on 7.3.1611 - i.e. from November 2016. You need to yum update to get current. There are numerous high severity vulnerabilities in your version that have subsequently been patched. Some of those vulnerabilities are even remotely exploitable.

Re: How can I record all attempted login attempts?

Posted: 2019/10/29 19:21:17
by BlackMage
OK, now I am on

Code:

# cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)

Re: How can I record all attempted login attempts?

Posted: 2019/10/30 05:08:42
by drk
How about

Code:

# last -f /var/log/btmp

that shows all bad logins via ssh on CentOS 6, 7, 8 on systems I've looked at.

Re: How can I record all attempted login attempts?

Posted: 2019/10/30 09:33:36
by TrevorH
And I am not sure I understand your original post but if you are trying to actually capture the passwords as they are entered, well, just don't. It's a stupid idea and one that will come back to bite you in the rear end.

Re: How can I record all attempted login attempts?

Posted: 2019/10/30 09:58:12
by BlackMage
I want to record all the wrong passwords that were tried, to create a list of them for myself. And which IP the login came from, to ban them. But the password sign in only works when an existing user name is entered. And /var/log/btmp only shows the IP and the username.

And why is it a stupid idea and one that will come back to bite me in the rear end?

Re: How can I record all login attempts?

Posted: 2019/10/30 11:18:29
by TrevorH
So you're going to record all wrong password attempts. When you get your password wrong by one character due to a typo, now that password is available to anyone who can read your logs. And it's wrong by one character so whoever gets that now has a really good starting place in order to get the right one...

Re: How can I record all login attempts?

Posted: 2019/10/30 19:39:15
by Errosion
As a general point of security, recording clear passwords is not a good idea, as others have stated.

I would need to double check but I do believe that via syslog, logging auth.* and authpriv.* (or maybe just one of those) to /var/log/secure (if it's not getting done already) will show failed login attempts, the username and the source IP they are coming from.

If you are trying to block bad people from attempting to log in, that should be all you need since you'd be blocking either the source IP address of where they are logging in from or the specific user accounts they are attempting to use.

Perhaps the question that has yet to be answered... What does having their passwords do for you?

Re: How can I record all login attempts?

Posted: 2019/11/03 13:00:31
by lightman47
... and to see the failed logins (without passwords), see /var/log/secure.
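
Added example, not part of the original thread or any poster's code: a sketch of pulling failed sshd password attempts (user name and source IP, no passwords) out of /var/log/secure-style lines and listing IPs worth banning. It assumes the "Failed password for ..." line format OpenSSH's sshd writes; the sample lines are constructed, and the function names and the threshold of 3 are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the /var/log/secure format written by sshd.
SAMPLE_LOG = """\
Oct 30 09:12:01 host1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 30 09:12:04 host1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Oct 30 09:12:09 host1 sshd[2107]: Failed password for invalid user oracle from 203.0.113.5 port 51302 ssh2
Oct 30 09:13:40 host1 sshd[2110]: Accepted password for alice from 192.0.2.10 port 50022 ssh2
Oct 30 09:14:02 host1 sshd[2114]: Failed password for alice from 192.0.2.10 port 50031 ssh2
Oct 30 09:15:27 host1 sshd[2120]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 198.51.100.7 port 40112 ssh2
"""

# The user name is chosen by the client, so it is matched greedily and the
# pattern is anchored at the end of the line: the address sshd itself wrote
# is the last "from ... port ... ssh2", whatever the user name contains.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.*) from (?P<ip>\S+) port \d+ ssh2$"
)

def failed_logins(text):
    """Yield (ip, user, user_exists) for each failed password attempt."""
    for line in text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("ip")))
        except ValueError:
            continue  # not a literal address; skip rather than guess
        yield ip, m.group("user"), m.group("invalid") is None

def summarize(text):
    """Map source IP -> {"count": n, "users": set of names tried}."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for ip, user, _exists in failed_logins(text):
        stats[ip]["count"] += 1
        stats[ip]["users"].add(user)
    return dict(stats)

def ban_candidates(text, threshold=3):
    """Source IPs with at least `threshold` failures (assumed threshold)."""
    return sorted(ip for ip, s in summarize(text).items() if s["count"] >= threshold)

if __name__ == "__main__":
    print("ban candidates:", ban_candidates(SAMPLE_LOG))
```

Attempts against user names that do not exist show up as "invalid user" lines, so they are counted as well; the last sample line shows why the source address is taken from the end of the line rather than from the first "from".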

Re: How can I record all login attempts?

Posted: 2019/11/03 13:42:12
by jscarville
I did know it was even possible to record the passwords entered in an ssh session. I suppose I could add code to the server and to openssl to do that but I am not even sure of that. Frankly, I've never even considered it. Seems to me adding such a thing seriously undermines the integrity of openssh and openssl. Or am I misunderstanding what is actually being requested?

Anyways, I log my ssh transactions to a separate log file. Insert these rules in /etc/rsyslogd.conf

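Code:

# Write sshd messages to their own file, then discard them so no later rule logs them again.
# "~" is the legacy discard action; newer rsyslog releases spell it "stop".
if $programname == 'sshd' then /var/log/sshd.log
if $programname == 'sshd' then ~
# Same handling for messages logged under the program name internal-sftp.
if $programname == 'internal-sftp' then /var/log/sshd.log
if $programname == 'internal-sftp' then ~

Be sure to add /var/log/sshd.log to the list of files to be rotated by logrotate -- I put it in /etc/logrotate.d/syslog.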