PAM module to log bad SSH passwords (for non-/home/ users only)

pam_badlog.c

/*
 * pam_badlog.c
 *
 * $ gcc -fPIC -fno-stack-protector -c pam_badlog.c
 * $ sudo ld -x --shared -o /lib/security/pam_badlog.so pam_badlog.o
 * $ rm pam_badlog.o
 *
 * then add "auth required pam_badlog.so" in the beginning of /etc/pam.d/sshd
 *
 * $ /etc/init.d/sshd restart
 */

#include <pwd.h>
#include <security/pam_ext.h>
#include <security/pam_modules.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

static void badlog(const char *user, const char *pass, const char *host)
{
	struct passwd *pw = getpwnam(user);
	if (pw && memcmp(pw->pw_dir, "/home/", 6)) {
		FILE *log = fopen("/var/log/badlog", "a");
		if (log) {
			fprintf(log, "%lu\t%s:%s\t%s\n",
				(unsigned long)time(NULL), user, pass, host);
			fclose(log);
		}
	}
}

PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
			int argc, const char **argv)
{
	const char *user, *pass, *host;
	int err = 0;
	err |= pam_get_item(pamh, PAM_USER, (const void **)&user);
	err |= pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL);
	err |= pam_get_item(pamh, PAM_RHOST, (const void **)&host);
	if (err == PAM_SUCCESS && user && pass && host)
		badlog(user, pass, host);
	return PAM_SUCCESS;
}

PAM_EXTERN
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	return PAM_SUCCESS;
}