A year ago we released our PAM steal module.
It is the easiest and safest way to steal passwords and escalate privileges locally.
Basically, it catches passwords from sudo/su and from local services that use PAM.
But not from the SSH daemon by default.
The reason is that it uses the challenge-response authentication scheme. In this case the password is used to generate a response (hash) on the client side and is not sent to the server.
To fix this "issue" you can edit sshd.conf to disable
ChallengeResponseAuthentication (https://www.freebsd.org/cgi/man.cgi?query=sshd_config&sektion=5):
Specifies whether challenge-response authentication is allowed
(e.g. via PAM or though authentication styles supported in
login.conf(5)) The default is ``yes''.
That's all. Now all passwords from SSH will be logged, as well as passwords typed into su.
NOTICE! Please use key-based auth and sudo at all times!
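
To act on the NOTICE above, the following added example (not part of the original post or of the module's code) audits the text of an sshd configuration file and reports whether any password-style method is still accepted, and whether the ChallengeResponseAuthentication edit described above is present. The sample configurations are constructed, and the defaults other than the one quoted from the man page are assumed to be upstream OpenSSH's.

```python
import re

CR = "challengeresponseauthentication"
PW = "passwordauthentication"
ALIASES = {"kbdinteractiveauthentication": CR}  # newer OpenSSH name for CR
# Defaults applied when a keyword is absent. CR "yes" is the default quoted
# on the page; the others are upstream OpenSSH defaults (assumption: vendor
# builds may differ).
DEFAULTS = {CR: "yes", PW: "yes", "pubkeyauthentication": "yes"}

def parse(text):
    """Split a config into global settings and settings inside Match blocks."""
    global_cfg, match_cfg, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        elif in_match:
            match_cfg.append((key, value))
        else:
            global_cfg.setdefault(key, value)  # sshd keeps the first value seen
    return global_cfg, match_cfg

def audit(text):
    explicit, overrides = parse(text)
    cfg = {**DEFAULTS, **explicit}
    enabled = [k for k in (PW, CR) if cfg[k] == "yes"]
    reenabled = sorted({k for k, v in overrides if k in (PW, CR) and v == "yes"})
    return {
        "password_methods": enabled,      # password-style methods on globally
        "match_reenables": reenabled,     # ...or switched back on in a Match block
        "key_only": not enabled and not reenabled
                    and cfg["pubkeyauthentication"] == "yes",
        # The edit the page describes: CR off while PasswordAuthentication stays on.
        "page_edit_present": explicit.get(CR) == "no" and cfg[PW] == "yes",
    }

# Constructed sample configurations (not taken from any real host).
EDITED = "UsePAM yes\nChallengeResponseAuthentication no\n"
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "PubkeyAuthentication yes\n")
LEAKY = HARDENED + "Match User backup\n    PasswordAuthentication yes\n"

if __name__ == "__main__":
    for name, sample in (("edited", EDITED), ("hardened", HARDENED), ("leaky", LEAKY)):
        print(name, audit(sample))
```

A host is key-only when `key_only` is true; `page_edit_present` is worth alerting on in configuration change review.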