[tpop3d-discuss] Logging bad passwords

Kevin Bonner keb at pa.net
Tue, 29 Apr 2003 22:09:38 -0400



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To provide our technical support personnel with more debugging information, I
was asked to log bad username/password connections for POP connections.
Looking at 1.4.2 source, I didn't see a way to do this that was already done.
From what I can tell, the CVS head doesn't have this capability/feature at
the moment either.

I decided to jump into the source and come up with a solution.  Attached is a
patch against the 1.4.2 source.  Applying this patch should (will) not affect
anything.  To enable the logging, the config option 'log-auth-badpass' must
be set to yes|true.

I have tested this with the auth-pam and auth-mysql modules, but it should
work for all of them.  Is this useful for anyone, or just me?  I can come up
with a patch for the CVS head if it's desired.

Comments/questions welcome.

Enjoy,
Kevin Bonner
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+rzBi/9i/ml3OBYMRApT2AJ9vXYytCVWtmD4o8T2AXxt9w23lCwCdFKu1
NOipXqTEbs8d61pbkzhKkfE=
=rasM
-----END PGP SIGNATURE-----

Attachment: log-auth-badpass.patch

diff -urN tpop3d-1.4.2.orig/cfgdirectives.c tpop3d-1.4.2/cfgdirectives.c
--- tpop3d-1.4.2.orig/cfgdirectives.c	2002-06-08 15:41:38.000000000 -0400
+++ tpop3d-1.4.2/cfgdirectives.c	2003-04-28 17:38:02.000000000 -0400
@@ -27,6 +27,7 @@
     "timeout-seconds",
     "log-facility",
     "log-stderr",
+    "log-auth-badpass",
     "apop-only",
     "mailbox",
     "no-detach",
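Review bot: registering the directive name here is all the patch does for configuration, and nothing documents it; add `log-auth-badpass` to the sample config and the man page with a note that enabling it writes the password of every failed login into syslog at LOG_ERR, so an administrator understands what is being switched on. The `Binary files ... differ` line following this hunk also shows the diff was taken against a built tree; regenerate it after `make clean` so object files do not appear in the patch.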
Binary files tpop3d-1.4.2.orig/cfgdirectives.o and tpop3d-1.4.2/cfgdirectives.o differ
diff -urN tpop3d-1.4.2.orig/main.c tpop3d-1.4.2/main.c
--- tpop3d-1.4.2.orig/main.c	2002-06-25 16:28:00.000000000 -0400
+++ tpop3d-1.4.2/main.c	2003-04-28 17:33:20.000000000 -0400
@@ -60,6 +60,7 @@
 extern int append_domain;           /* Do we automatically try user@domain if user alone fails to authenticate? In pop3.c. */
 extern int strip_domain;            /* Do we automatically try user if user@domain fails to authenticate? */
 extern int apop_only;               /* Quit after receiving USER. */
+extern int log_auth_badpass;        /* Log the password of the failed auth attempt? */
 int log_stderr;                     /* Are log messages also sent to standard error? */
 int verbose;                        /* Should we be verbose about data going to/from the client? */
 int timeout_seconds = 30;           /* How long a period of inactivity may elapse before a client is dropped. */
@@ -720,6 +721,10 @@
     if (config_get_bool("apop-only"))
         apop_only = 1;
 
+    /* Log the password of the failed auth attempt? */
+    if (config_get_bool("log-auth-badpass"))
+        log_auth_badpass = 1;
+
     /* Find out how long we wait before timing out.... */
     switch (config_get_int("timeout-seconds", &timeout_seconds)) {
         case -1:
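Review bot: the flag stays zero unless the directive is true, which is the right fail-safe default, but turning it on silently changes what ends up in the log. Emit a one-time startup warning in this branch, e.g. `log_print(LOG_WARNING, _("log-auth-badpass is enabled: passwords from failed logins will be written to the log"));`, so the sensitive-data exposure is visible in the log itself and to anyone auditing the server later.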
diff -urN tpop3d-1.4.2.orig/pop3.c tpop3d-1.4.2/pop3.c
--- tpop3d-1.4.2.orig/pop3.c	2002-06-25 16:28:00.000000000 -0400
+++ tpop3d-1.4.2/pop3.c	2003-04-28 17:20:10.000000000 -0400
@@ -35,6 +35,7 @@
 int append_domain;  /* Do we automatically try user@domain if user alone fails to authenticate? */
 int strip_domain;   /* Automatically try user if user@domain fails? */
 int apop_only;      /* Disconnect any client which says USER. */
+int log_auth_badpass; /* Log the password of the failed auth attempt? */
 
 enum connection_action connection_do(connection c, const pop3command p) {
     /* This breaks the RFC, but is sensible. */
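Review bot: style only: the neighbouring definitions pad their comments to a common column, while the new `int log_auth_badpass; /* ... */` line places the comment after a single space; align it with the lines above.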
@@ -251,7 +252,11 @@
 #else
                     connection_sendresponse(c, 0, _("Authentication failed."));
 #endif
-                    log_print(LOG_ERR, _("connection_do: client `%s': username `%s': %d authentication failures"), c->idstr, c->user, c->n_auth_tries);
+                    if (log_auth_badpass) {
+                        log_print(LOG_ERR, _("connection_do: client `%s': username `%s': password `%s': %d authentication failures"), c->idstr, c->user, c->pass, c->n_auth_tries);
+                    } else {
+                        log_print(LOG_ERR, _("connection_do: client `%s': username `%s': %d authentication failures"), c->idstr, c->user, c->n_auth_tries);
+                    }
                     act = do_nothing;
                 }
 
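Review bot: `c->pass` is a client-controlled string and goes into the log line verbatim, so a value containing newlines or other control characters can break the one-event-per-line structure of syslog and make a failed login look like additional, forged log entries; escape or replace non-printable bytes before handing the string to log_print. Also confirm that `c->pass` is non-NULL on every path that reaches this branch (an APOP exchange never sends PASS), since `%s` with a NULL pointer is undefined behaviour. Keep in mind that a mistyped password usually differs from the real one by a character or two, so this branch effectively turns syslog into a credential store for anyone who can read it; the option being opt-in is good, but that consequence belongs in the documentation. Finally, the two calls differ only in the extra field, so a single message built conditionally would avoid duplicating the format string.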
