Did you ever tried to guess your friends password? Did you ever tried to login to your partners password protected computer? Sounds silly and childish but many are guilty of it. Most cases it’s no big deal but I am sure all of us would like to know who tried to guess our passwords and tried to login to our computers. Similarly, do you leave your laptop at work or with your friends? Do you trust your friends or partner or colleagues enough? Another silly questions. Let me get to the point … I actually came across this when I was trolling through my authentication logs. I had multiple authentication attempts to my Laptop and looking at the timestamp I knew that I wasn’t at home at that time. I was simply suspicious and decided to look around if there’s anyway I can find out who tried authenticating to my laptop. Of everything I found, I decided that I will try to capture a take picture of unauthorized user who was trying this.
I found this post in Ubuntu Forums (links below) and it uses PAM and will work for all failed login attempts. Using SSH, a virtual terminal or via the regular login screen, it doesn’t matter as everything is handled by PAM in the end.
First of all we need to install ffmpeg/avconv.
apt-get install libav-tools
Next we create a small script
/usr/local/bin/authsnapper with the following contents:
#!/bin/bash # Simple script to take picture after entering wrong password in Linux # # Requirements: # Install ffmpeg or avconv # apt-get install libav-tools # (at your option) any later version. # # blackMORE Ops <www.blackmoreops.com> ts=`date +%s` ffmpeg -f video4linux2 -s vga -i /dev/video0 -vframes 3 /tmp/vid-$ts.%01d.jpg exit 0 #important - has to exit with status 0
Depending on your Webcam (i.e. USB, built-in you might want to change the
/dev/video0 with the actual video device of your webcam. This script is using
/tmp folder as the image location, you can change that to anything to your liking. It also takes 3 pictures, you might want to change that if you like.
Now make this script executable
chmod +x /usr/local/bin/authsnapper
Before we go and do the next step, test this script, simply paste
/usr/local/bin/authsnapper in your terminal and it should take 3 pictures and save those in
If this works, then you can go and configure PAM to call this on every failed attempt. You might want to be careful doing this. If you make a mistake, you wont be able to login to your laptop or workstation anymore (or not in the usual ways, you need to break in).
Open a terminal window with root access (
sudo -s) and leave it open – just in case you screw up in the next steps.
Changing authentication in pam.d
/etc/pam.d/common-auth in your favorite editor,
Keep in mind for the following steps as the order of lines in this file matters. Find the following line:
auth [success=1 default=ignore] pam_unix.so nullok_secure
success=2 to have it skip our script on success. This is an important step. After this change, it should look like this:
auth [success=2 default=ignore] pam_unix.so nullok_secure
Add the following line to call this script right after it:
auth [default=ignore] pam_exec.so seteuid /usr/local/bin/authsnapper
Save and close the file. No need to restart anything.
In a new terminal window, as regular user, try
su -l testuser to log in as another user with username testuser. Deliberately enter the wrong password. Check if this result in a new picture. In you use Linux as root user as I do, you might want to create a new user for testing.
The same as above, but now enter the correct password. Check if you log in and it doesn’t result in a picture being taken. If the tests have succeeded you can log out from your Desktop environment. Try entering incorrect password and it should take 3 pictures.
I found this interesting and I guess it has its value to take picture of unauthorized user trying to access your Laptop… for example if you’re living in shared accommodation or dorm. But if you are good with programming and all, you might make it a full fledged software and publish in GIT. Just an idea but I think it’s a good one nevertheless.
Also, I am sure there’s better way of doing it, like instead of using
/etc/pam.d/common-auth, you can try it in
/etc/pam.d/lightdm or a number of other ways. I will leave that testing to you. But in any of the cases you get locked out of your Linux, here’s how to break into Linux.
BTW, if anyone is wondering who tried to access my Laptop, yah nah .. not telling you. Thanks again and enjoy.
Very good! It is very useful =)
But in Fedora I used /etc/pam.d/password-auth to get login fails in GDM
Sir work but capture image enter correct password not incorrect password
Sorry for my bad english
How to edit the pam module “common-auth” in OpenSuse13.1 in order to work the script
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth required pam_unix.so try_first_pass
Thanks a lot for your attention and help