pam_sniffpasswd generates a log of attempted usernames and passwords.  This
is arguably a very bad idea, as the log includes not only failed passwords
but every password the module is exposed to.  The order and configuration
of the modules in the PAM configuration files determine what the module is
exposed to, so more or less sophisticated setups are possible.

Sample configuration entry:

# auth
auth            optional        pam_sniffpasswd.so      logfile=/etc/pwdlog
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

The sample sshd configuration above lists pam_sniffpasswd first in the auth
stack, which allows it to inspect all passwords presented to PAM.

If your sshd is not using PAM, this PAM file will not help.

This module may interact poorly with one-time password services.
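
A defensive check for the kind of entry shown above, added here as an
example (it is not part of pam_sniffpasswd): it parses a PAM service file
and reports every auth module outside a host baseline, with its position in
the stack and any file-path arguments.  The EXPECTED baseline and the name
audit_auth_stack are assumptions made for illustration.

```python
import os
import re

# Baseline of modules expected in this host's auth stack (assumption: the
# sample entry's modules minus the logger; adjust per host).
EXPECTED = {"pam_nologin", "pam_opie", "pam_opieaccess",
            "pam_krb5", "pam_ssh", "pam_unix"}

# Fields: type, control (plain word or [bracketed] form), module, arguments.
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def audit_auth_stack(text, expected=EXPECTED):
    """Return one finding per auth module that is outside the baseline."""
    findings = []
    position = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = LINE.match(line)
        if not m or m.group(1) != "auth":
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            continue                             # refers to another service file
        position += 1                            # 1 = first module to run
        name = os.path.basename(module)
        if name.endswith(".so"):
            name = name[:-3]
        if name not in expected:
            findings.append({
                "position": position,
                "control": control,
                "module": name,
                # arguments naming a file, e.g. a log destination
                "file_args": [a for a in args if "=/" in a],
            })
    return findings

# Constructed input: a copy of the sample entry above.
SAMPLE = """\
# auth
auth            optional        pam_sniffpasswd.so      logfile=/etc/pwdlog
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
"""

if __name__ == "__main__":
    for f in audit_auth_stack(SAMPLE):
        print(f)
```

A finding at position 1 is the case described above: the module runs before
any other and so sees every password presented to PAM.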

