pam_honeycreds.so is a pam module that watches for particular passwords being used in login attempts. Simply watching for 'wrong' passwords can generate a lot of noise, due to people mistyping their passwords. With pam_honeycreds an admin can leave fake password lists around on their network, and then get an alert if any of those passwords are ever used. It can also be used to monitor for bruteforcers using the top passwords, or for internal passwords being used by bruteforcers against internet-facing hosts. Finally it can syslog 'wrong' passwords, which means it can capture bruteforcers password lsits. Passwords can be stored in lists as plaintext, or as salted sha256 hashes.
1.618 Jun 2016 20:20
Support for sorted files is now added via the 'sfile' option. This allows use of very large password lists with lookups by binary search. Thus bruteforcing attempts can be detected by reference to large lists of 'common passwords' that can be found online.
1.527 Jan 2016 19:44
Now builds on 64-bit linux. Manpage extensively debugged.
1.426 Dec 2015 22:23
Fixes a segfault due to an uninitialized structure. This was making version 1.3 unusuable on most systems.
1.322 Dec 2015 12:39
Fixed segfault if no password obtained. Previous versions only ran scripts if the 'syslog' option was also set, now scripts are independant of syslog. Previous versions could only obtain passwords if linked against 'OpenPAM' or if a previous PAM module obtained and cached the passwords, this version handles the PAM conversation natively.
1.217 Oct 2015 11:21
Added host=, !host= and !user= config options (allows ignoring/selecting certain hosts). Cleaned up man page.
1.128 May 2015 18:39
Better syslog setup, and the default now is to allow login to continue, instead of deny, after the author forgot to specify 'allow' and locked himself out of one of his systems.
1.016 May 2015 17:47