pam_sniffpasswd generates a log of attempted usernames and passwords.  This
is arguably a very bad idea, as it includes not only failed passwords, but
any it is exposed to.  By manipulating the order and configuration of PAM
modules in PAM configuration files, it is possible to do more or less
sophisticated things.

Sample configuration entry:

# auth
auth            optional        pam_sniffpasswd.so      logfile=/etc/pwdlog
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

The above sample sshd configuration file allows pam_sniffpasswd to inspect
all passwords presented to PAM.  The module should be listed as optional, so
that its result does not affect the outcome of authentication, and at the
head of the chain, so that it runs before any "sufficient" module can end
the stack, in order to inspect all passwords.

If your sshd is not using PAM, this PAM file will not help.

In addition, an "excludeusers" argument may be used to exclude certain users
from password capture.  E.g.,

auth optional pam_sniffpasswd.so logfile=pwdlog excludeusers=root,rwatson
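
A defender's check for the configuration shape shown above, as an added example that is not part of the pam_sniffpasswd distribution: it parses pam.d lines in the "facility control module args" format used here and reports any auth module outside an assumed set of expected modules, together with its position in the chain, since a module at position 0 is exposed to every password. The expected-module set and the sample text are constructed for the example.

```python
"""Added example (not part of pam_sniffpasswd): audit a pam.d auth chain
for modules outside an expected set, reporting their position, since a
module at the head of the chain is exposed to every password."""

# Modules an administrator expects in this sshd auth chain (assumption).
KNOWN_AUTH_MODULES = {"pam_nologin.so", "pam_opie.so", "pam_opieaccess.so",
                      "pam_krb5.so", "pam_ssh.so", "pam_unix.so"}

def parse_pam(text):
    """Return (facility, control, module, args) per 'facility control module
    [arg[=value] ...]' line; '#' starts a comment, short lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3:
            continue
        args = {}
        for arg in parts[3:]:
            key, _, value = arg.partition("=")   # bare flags map to ""
            args[key] = value
        entries.append((parts[0], parts[1], parts[2], args))
    return entries

def audit_auth_chain(text, known=KNOWN_AUTH_MODULES):
    """Return (module, position, control, logfile) for each auth module
    not in `known`; position 0 is the head of the chain."""
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    return [(mod, pos, ctl, args.get("logfile"))
            for pos, (_, ctl, mod, args) in enumerate(auth)
            if mod not in known]

# Constructed sample: the sshd snippet from this README.
SAMPLE = """\
# auth
auth optional pam_sniffpasswd.so logfile=/etc/pwdlog
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
"""

if __name__ == "__main__":
    for mod, pos, ctl, log in audit_auth_chain(SAMPLE):
        print(f"unexpected auth module {mod} at position {pos} ({ctl}, logfile={log})")
```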

Some versions of OpenSSH's sshd include a change to resist timing attacks
against PAM by replacing passwords for non-existent users with a dummy
password.  It is unclear how this helps resist attacks, and it interferes
with this PAM module.

This module may interact poorly with one time password services.

The results are stored in the indicated file, in a comma-delimited format.
Time stamps are in the local time zone of the system.  If the sshd bug
described above is causing entries to be incorrectly blinded, the service
field in the data file will indicate that this has occurred.