I am using a laptop. I was thinking of having support for this on my Ubuntu machine: when an incorrect password is entered, a picture is taken, later revealing who has been trying to gain access.
I have searched around and the only thing I have found is stuff to do this on Macs. Is it possible to write a script for Ubuntu to do the same?
If it is possible, what script or software would make this happen?
2 Answers
Based on this post on the Ubuntuforums by BkkBonanza.
This is an approach using PAM and will work for all failed login attempts. Using SSH, a virtual terminal or via the regular login screen, it doesn't matter as everything is handled by PAM in the end.
Install ffmpeg; we're going to use this as a command-line way of grabbing the webcam images. Update: ffmpeg is removed when you upgrade to Ubuntu 14.04. We can use avconv in place of ffmpeg in the below script. No need to install anything separately.
Create a small script somewhere, e.g. /usr/local/bin/grabpicture, with the following content:
#!/bin/bash
# Grab three frames from the webcam into timestamped files
ts=$(date +%s)
ffmpeg -f video4linux2 -s vga -i /dev/video0 -vframes 3 "/tmp/vid-$ts.%01d.jpg"
exit 0 # important - has to exit with status 0
Change /dev/video0 to the actual video device of your webcam and choose a path where the pictures are being saved - I just choose /tmp. In the newer versions of Ubuntu use avconv instead of ffmpeg (sudo apt-get install libav-tools).
Make it executable, e.g. chmod +x /usr/local/bin/grabpicture.
Test it by just calling it: /usr/local/bin/grabpicture. Check if you see files appearing in /tmp/vid....jpg.
Configure PAM to call this on every failed attempt.
Note: do this carefully - if this fails you'll not be able to gain access to your system again in a regular way.
Open a terminal window with root access (sudo -i) and leave it open - just in case you screw up in the next steps.
Open /etc/pam.d/common-auth in your favourite editor, e.g. by doing gksudo gedit /etc/pam.d/common-auth. Keep in mind for the following steps that the order of lines in this file matters.
Locate the line below. By default there's one line before the one with pam_deny.so. On my 12.04 system it looks like this:
auth [success=1 default=ignore] pam_unix.so nullok_secure
In this line change the success=1 to success=2 to have it skip our script on success. This is an important step. If you failed this step, see below how to recover (***).
Right below there, add a new one to call the actual script:
auth [default=ignore] pam_exec.so seteuid /usr/local/bin/grabpicture
Save and close the file. No need to restart anything.
Test it.
- In a new terminal window, as a regular user, try su -l username to log in as another user with username username (change to an actual one, of course). Deliberately enter the wrong password. Check if this results in a new picture.
- The same as above, but now enter the correct password. Check if you log in and it doesn't result in a picture being taken.
If the tests have succeeded you can log out from your DE (Unity/KDE/...) and you should see the same when entering a wrong password from the login screen.
(***) How to recover the system if you messed with /etc/pam.d/common-auth file:
- Reboot the computer
- At the GRUB boot menu press "e" to edit
- Add init=/bin/sh to the line starting with "linux"
- Mount the system with write access:
mount -o remount,rw /
- Edit the file and fix it:
vi /etc/pam.d/common-auth
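The success=N value counts how many of the following auth modules are skipped, which is why the edit above goes from 1 to 2 once the pam_exec.so line is inserted. As an added example (not part of the answer above), this shell function reports where each jump lands before you log out; the name check_pam_skip and the sample stack are constructed for illustration.

```shell
#!/bin/sh
# check_pam_skip FILE  (hypothetical helper, not part of PAM)
# Report where every [success=N] jump in the auth stack of FILE lands.
# Exit status 1 if a jump lands on pam_deny.so, on the pam_exec.so hook,
# or past the end of the stack.
check_pam_skip() {
    awk '
        $1 == "auth" {              # comments, blanks and @include are ignored
            n++
            mod[n] = "?"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^pam_[a-z0-9_]+\.so$/) { mod[n] = $i; break }
            if (match($0, /success=[0-9]+/))
                skip[n] = substr($0, RSTART + 8, RLENGTH - 8) + 0
        }
        END {
            bad = 0
            for (k = 1; k <= n; k++) {
                if (!(k in skip)) continue
                land = k + skip[k] + 1      # success=N skips the next N modules
                target = (land <= n) ? mod[land] : "end-of-stack"
                verdict = "ok"
                if (target == "pam_deny.so")  verdict = "LOCKOUT"
                if (target == "pam_exec.so")  verdict = "HOOK-ON-SUCCESS"
                if (target == "end-of-stack") verdict = "REVIEW"
                if (verdict != "ok") bad = 1
                printf "%s success=%d -> %s: %s\n", mod[k], skip[k], target, verdict
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample: the auth stack after the edit described above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [default=ignore] pam_exec.so seteuid /usr/local/bin/grabpicture
auth requisite pam_deny.so
auth required pam_permit.so
EOF
check_pam_skip "$sample"
rm -f "$sample"
```

Run it against /etc/pam.d/common-auth from the root terminal you kept open; a LOCKOUT verdict means a correct password would be denied.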
Explanation
One way that enables you to run a command when an incorrect password is entered, is to make use of the Authorization Log.
Authorization Log
The Authorization Log tracks usage of authorization systems, the mechanisms for authorizing users which prompt for user passwords, such as the Pluggable Authentication Module (PAM) system, the sudo command, remote logins to sshd and so on. The Authorization Log file may be accessed at /var/log/auth.log. This log is useful for learning about user logins and usage of the sudo command.
On a failed login attempt, a record will be appended to the /var/log/auth.log file and the last line will contain something like:
pam_unix(gdm-password:auth): authentication failure;
If you constantly monitor the file for modification and check if the last line contains the keyword failure, with for example grep failure, then you know a failed login attempt has just occurred and you can run whatever command you want based on this action.
Solution
Change echo "failed login" in the scripts below to the command you wish to run upon a failed login.
You can monitor the last line of the /var/log/auth.log file with a script like this:
#!/bin/bash
while true
do
    sleep 1
    if (( $(tail -1 /var/log/auth.log | grep failure | wc -l) == 1 ))
    then
        echo "failed login" # Your command here
    fi
done
Or even better, you can install inotify-tools and use inotifywait to monitor the file instead of the sleep 1, and the script will be like this:
#!/bin/bash
while inotifywait -q -e modify /var/log/auth.log >/dev/null
do
    if (( $(tail -1 /var/log/auth.log | grep failure | wc -l) == 1 ))
    then
        echo "failed login" # Your command here
    fi
done
inotify-tools can be installed with the following command:
sudo apt install inotify-tools
Implementation
To run this solution as a system service, please follow these steps:
- Copy and paste the script code above (without echo "failed login", as I added this line for debugging purposes only) into a file in your home directory, name it TakePicture.sh and save the file.
- Make the shell script file executable by running the following command in the terminal:
chmod +x ~/TakePicture.sh
- Create and edit a custom systemd service to run the shell script at boot by running the following command in the terminal:
sudo nano /etc/systemd/system/TakePicture.service
- Copy and paste the following code into the editor, replace USERNAME with your username and save it by pressing Ctrl + X then press Y then press Enter:
[Unit]
Description=Take Picture
[Service]
# The script loops forever, so it runs as a long-lived service
Type=simple
ExecStart=/home/USERNAME/TakePicture.sh
[Install]
WantedBy=multi-user.target
- Start the service by running the following command in the terminal:
sudo systemctl start TakePicture
- Enable the service by running the following command in the terminal:
sudo systemctl enable TakePicture
Notice:
The Authorization Log will contain all sorts of failed logins or authentications (i.e. GDM, SSH, terminal user authentication, sudo, etc.).
If your aim is just to activate the script when an actual physical login happens (i.e. someone is sitting in front of your computer, using your keyboard and looking at your screen), then you need to change the above if statement to be like this:
if (( $(tail -1 /var/log/auth.log | grep gdm | grep failure | wc -l) == 1 ))
if GDM is your login manager. This way the script will only be triggered if an actual failed physical login happens.
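The loops above inspect only the last line of the log, and the Notice distinguishes GDM failures from SSH or sudo ones. As an added example (not from the answer above), these shell functions read every appended line and filter on the PAM service name inside pam_unix(SERVICE:auth); the function names and the log excerpt are constructed, and the command path in the last comment is a placeholder.

```shell
#!/bin/sh
# Hypothetical helpers; the log lines below are constructed samples.

# pam_failure_service LINE
# Print the PAM service (gdm-password, sshd, sudo, ...) if LINE is a
# pam_unix authentication failure record; print nothing otherwise.
pam_failure_service() {
    printf '%s\n' "$1" |
        sed -n 's/.*pam_unix(\([^:)]*\):auth): authentication failure;.*/\1/p'
}

# watch_failures SERVICE_PATTERN COMMAND...
# Read log lines on stdin and run COMMAND once per failure whose service
# matches the shell pattern, e.g. "gdm*" for the graphical login screen.
watch_failures() {
    pattern=$1
    shift
    while IFS= read -r line; do
        svc=$(pam_failure_service "$line")
        case $svc in
            '') ;;                                # not a failure record
            $pattern) "$@" "$svc" </dev/null ;;   # keep COMMAND off the log stream
        esac
    done
}

# Constructed auth.log excerpt: the GDM failure is not the last line.
sample_log() {
    cat <<'EOF'
Mar  4 09:12:01 laptop sshd[812]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=alice
Mar  4 09:12:01 laptop gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=alice
Mar  4 09:12:02 laptop sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
EOF
}

sample_log | watch_failures 'gdm*' echo "failed physical login via"

# Live use (needs read access to the log; the command path is a placeholder):
# tail -Fn0 /var/log/auth.log | watch_failures 'gdm*' /path/to/your-command
```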