[tpop3d-discuss] Logging bad passwords
Kevin Bonner
keb at pa.net
Tue, 29 Apr 2003 22:09:38 -0400
To provide our technical support personnel with more debugging information, I was asked to log bad username/password connections for POP connections. Looking at 1.4.2 source, I didn't see a way to do this that was already done. From what I can tell, the CVS head doesn't have this capability/feature at the moment either.

I decided to jump into the source and come up with a solution. Attached is a patch against the 1.4.2 source. Applying this patch should (will) not affect anything. To enable the logging, the config option 'log-auth-badpass' must be set to yes|true.

I have tested this with the auth-pam and auth-mysql modules, but it should work for all of them. Is this useful for anyone, or just me? I can come up with a patch for the CVS head if it's desired.
Comments/questions welcome.
Enjoy,
Kevin Bonner
Attachment: log-auth-badpass.patch
diff -urN tpop3d-1.4.2.orig/cfgdirectives.c tpop3d-1.4.2/cfgdirectives.c
--- tpop3d-1.4.2.orig/cfgdirectives.c 2002-06-08 15:41:38.000000000 -0400
+++ tpop3d-1.4.2/cfgdirectives.c 2003-04-28 17:38:02.000000000 -0400
@@ -27,6 +27,7 @@
"timeout-seconds",
"log-facility",
"log-stderr",
+ "log-auth-badpass",
"apop-only",
"mailbox",
"no-detach",
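Review bot: the `Binary files tpop3d-1.4.2.orig/cfgdirectives.o and tpop3d-1.4.2/cfgdirectives.o differ` line that follows this hunk shows the diff was taken against a built tree; please regenerate it from a clean checkout (or after `make clean`) so the patch only carries source changes. The directive addition itself is fine, but since this option makes tpop3d write cleartext passwords to the log, the corresponding entry in the example configuration and the manual page should be added in the same patch so administrators understand what enabling it means.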
Binary files tpop3d-1.4.2.orig/cfgdirectives.o and tpop3d-1.4.2/cfgdirectives.o differ
diff -urN tpop3d-1.4.2.orig/main.c tpop3d-1.4.2/main.c
--- tpop3d-1.4.2.orig/main.c 2002-06-25 16:28:00.000000000 -0400
+++ tpop3d-1.4.2/main.c 2003-04-28 17:33:20.000000000 -0400
@@ -60,6 +60,7 @@
extern int append_domain; /* Do we automatically try user@domain if user alone fails to authenticate? In pop3.c. */
extern int strip_domain; /* Do we automatically try user if user@domain fails to authenticate? */
extern int apop_only; /* Quit after receiving USER. */
+extern int log_auth_badpass; /* Log the password of the failed auth attempt? */
int log_stderr; /* Are log messages also sent to standard error? */
int verbose; /* Should we be verbose about data going to/from the client? */
int timeout_seconds = 30; /* How long a period of inactivity may elapse before a client is dropped. */
@@ -720,6 +721,10 @@
if (config_get_bool("apop-only"))
apop_only = 1;
+ /* Log the password of the failed auth attempt? */
+ if (config_get_bool("log-auth-badpass"))
+ log_auth_badpass = 1;
+
/* Find out how long we wait before timing out.... */
switch (config_get_int("timeout-seconds", &timeout_seconds)) {
case -1:
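Review bot: `log_auth_badpass` is only ever set to 1 here and is never reset, so the option defaults to off purely because the global in pop3.c is zero-initialised; that is correct C, but an explicit `log_auth_badpass = 0;` beside the existing defaults (like `timeout_seconds = 30`) would make the intended default visible to the next reader. The default-off behaviour matters more than usual for this option, because turning it on puts credentials into syslog.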
diff -urN tpop3d-1.4.2.orig/pop3.c tpop3d-1.4.2/pop3.c
--- tpop3d-1.4.2.orig/pop3.c 2002-06-25 16:28:00.000000000 -0400
+++ tpop3d-1.4.2/pop3.c 2003-04-28 17:20:10.000000000 -0400
@@ -35,6 +35,7 @@
int append_domain; /* Do we automatically try user@domain if user alone fails to authenticate? */
int strip_domain; /* Automatically try user if user@domain fails? */
int apop_only; /* Disconnect any client which says USER. */
+int log_auth_badpass; /* Log the password of the failed auth attempt? */
enum connection_action connection_do(connection c, const pop3command p) {
/* This breaks the RFC, but is sensible. */
@@ -251,7 +252,11 @@
#else
connection_sendresponse(c, 0, _("Authentication failed."));
#endif
- log_print(LOG_ERR, _("connection_do: client `%s': username `%s': %d authentication failures"), c->idstr, c->user, c->n_auth_tries);
+ if (log_auth_badpass) {
+ log_print(LOG_ERR, _("connection_do: client `%s': username `%s': password `%s': %d authentication failures"), c->idstr, c->user, c->pass, c->n_auth_tries);
+ } else {
+ log_print(LOG_ERR, _("connection_do: client `%s': username `%s': %d authentication failures"), c->idstr, c->user, c->n_auth_tries);
+ }
act = do_nothing;
}
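Review bot: logging `c->pass` at LOG_ERR writes the cleartext password of every failed attempt into syslog, which is usually world-readable to admins, forwarded to remote log hosts and kept in backups; since a legitimate user's mistyped password is typically one character away from the real one, this option should be documented as exposing credentials and recommended only for short, targeted troubleshooting. Two smaller points on the same hunk: if `c->pass` can be NULL on this path (for example a client that failed without ever sending PASS), passing it to `%s` is undefined behaviour, so guard it with `c->pass ? c->pass : ""`; and the duplicated `log_print` calls could be collapsed into one format string with the password field conditionally filled, which also keeps the log line shape stable for anything parsing it.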