sudo: 3 incorrect password attempts - can root see the password in clear text?

No, passwords are not logged by default. This would be a security problem, as logs may be read by other administrators, allowing impersonation of the user in case of a slightly mistyped password.


Login attempts, successful and unsuccessful, are logged in

/var/log/auth.log

Example of a successful attempt:

Oct 23 21:24:01 schijfwereld sudo: rinzwind : TTY=pts/0 ; PWD=/home/rinzwind ; USER=root ; COMMAND=/bin/bash
Oct 23 21:24:01 schijfwereld sudo: pam_unix(sudo:session): session opened for user root by (uid=0)

And unsuccessful:

Oct 23 21:25:33 schijfwereld sudo: pam_unix(sudo:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/1 ruser=rinzwind rhost=  user=rinzwind
Oct 23 21:26:02 schijfwereld sudo: rinzwind : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/rinzwind ; USER=root ; COMMAND=/bin/bash

It logs the failed attempt and also logs the total of 3 wrongly typed passwords.

Passwords for sudo attempts are never shown or stored.
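An added example, not part of the answers on this page and not code from sudo or PAM: a small parser for sudo's own records in auth.log, run over the four lines quoted above. It shows which fields a failed attempt actually leaves behind (invoking user, count, TTY, working directory, target user, command) and that none of them carries the typed password. The function names and the dictionary layout are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample: the four auth.log lines quoted in the answer above.
SAMPLE_LOG = """\
Oct 23 21:24:01 schijfwereld sudo: rinzwind : TTY=pts/0 ; PWD=/home/rinzwind ; USER=root ; COMMAND=/bin/bash
Oct 23 21:24:01 schijfwereld sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Oct 23 21:25:33 schijfwereld sudo: pam_unix(sudo:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/1 ruser=rinzwind rhost=  user=rinzwind
Oct 23 21:26:02 schijfwereld sudo: rinzwind : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/rinzwind ; USER=root ; COMMAND=/bin/bash
"""

# sudo's own record: "<invoker> : [<N> incorrect password attempts ;] KEY=val ; ..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<invoker>\S+) : (?:(?P<fails>\d+) incorrect password attempts? ; )?"
    r"(?P<fields>TTY=.*)$"
)

def parse_sudo_events(text):
    """Return one dict per sudo command record; PAM lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        # COMMAND is always last and may contain " ; ", so cut it off first.
        head, _, command = m["fields"].partition(" ; COMMAND=")
        kv = dict(item.split("=", 1) for item in head.split(" ; "))
        events.append({
            "timestamp": m["ts"],
            "host": m["host"],
            "invoker": m["invoker"],
            "failed_attempts": int(m["fails"] or 0),
            "tty": kv.get("TTY"),
            "pwd": kv.get("PWD"),
            "target_user": kv.get("USER"),
            "command": command,
        })
    return events

def failed_by_user(events):
    """Total incorrect password attempts per invoking user."""
    totals = Counter()
    for ev in events:
        if ev["failed_attempts"]:
            totals[ev["invoker"]] += ev["failed_attempts"]
    return totals
```
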


The usual practice is to not log passwords used in login attempts, even if the password in question was invalid. This is simply because the password might be valid for another user on the same system (e.g. the user mistyped their username, not the password), or might be a trivial alteration of the actual password (the user missed a letter or so).

Either of those cases would leave a plaintext password lying on the system, vulnerable to some information leak. (The password might also be a valid password for some other system than the one it was entered on, but that's really more of a problem for "them", not "us".)

Somewhat related to this are the cases where a user writes their password in place of their username (e.g. they usually use a system that enters the username automatically, but now didn't, but still typed the password as the first thing). In that case, you would have a plaintext password in the logs. This is not optimal, but seeing the usernames for the usual failed login attempts is useful, and there's no simple solution for storing them but not passwords entered as usernames.


That said, there's nothing to stop the administrator of the system from having the system log the passwords, too. Adding the logging could probably be done by adding one call to syslog() and recompiling the PAM module. (PAM being what Ubuntu and sudo use, but of course the same applies for web apps and everything else, too.)


So, no, usually an administrator can't see the passwords entered on the system, but if you enter your password on a system you don't trust, you should, strictly speaking, consider it lost and change it.