diff options
| author | Damien Miller <djm@mindrot.org> | 2013-07-18 16:10:09 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2013-07-18 16:10:09 +1000 |
| commit | 20bdcd72365e8b3d51261993928cc47c5f0d7c8a (patch) | |
| tree | db4f44ba0f86b271a9493ce0d866941f0ac5a953 | |
| parent | 3071070b39e6d1722151c754cdc2b26640eaf45e (diff) | |
- djm@cvs.openbsd.org 2013/06/21 00:34:49
[auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c]
for hostbased authentication, print the client host and user on
the auth success/failure line; bz#2064, ok dtucker@
| -rw-r--r-- | ChangeLog | 4 | ||||
| -rw-r--r-- | auth-rsa.c | 4 | ||||
| -rw-r--r-- | auth.h | 5 | ||||
| -rw-r--r-- | auth2-hostbased.c | 6 | ||||
| -rw-r--r-- | auth2-pubkey.c | 28 | ||||
| -rw-r--r-- | monitor.c | 7 |
6 files changed, 40 insertions, 14 deletions
| @@ -12,6 +12,10 @@ | |||
| 12 | - markus@cvs.openbsd.org 2013/06/20 19:15:06 | 12 | - markus@cvs.openbsd.org 2013/06/20 19:15:06 |
| 13 | [krl.c] | 13 | [krl.c] |
| 14 | don't leak the rdata blob on errors; ok djm@ | 14 | don't leak the rdata blob on errors; ok djm@ |
| 15 | - djm@cvs.openbsd.org 2013/06/21 00:34:49 | ||
| 16 | [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] | ||
| 17 | for hostbased authentication, print the client host and user on | ||
| 18 | the auth success/failure line; bz#2064, ok dtucker@ | ||
| 15 | 19 | ||
| 16 | 20130702 | 20 | 20130702 |
| 17 | - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config | 21 | - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config |
diff --git a/auth-rsa.c b/auth-rsa.c index 92f0ad75c..b7a03fdc4 100644 --- a/auth-rsa.c +++ b/auth-rsa.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth-rsa.c,v 1.83 2013/05/19 02:42:42 djm Exp $ */ | 1 | /* $OpenBSD: auth-rsa.c,v 1.84 2013/06/21 00:34:49 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -332,7 +332,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n) | |||
| 332 | * options; this will be reset if the options cause the | 332 | * options; this will be reset if the options cause the |
| 333 | * authentication to be rejected. | 333 | * authentication to be rejected. |
| 334 | */ | 334 | */ |
| 335 | pubkey_auth_info(authctxt, key); | 335 | pubkey_auth_info(authctxt, key, NULL); |
| 336 | 336 | ||
| 337 | packet_send_debug("RSA authentication accepted."); | 337 | packet_send_debug("RSA authentication accepted."); |
| 338 | return (1); | 338 | return (1); |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth.h,v 1.74 2013/05/19 02:42:42 djm Exp $ */ | 1 | /* $OpenBSD: auth.h,v 1.75 2013/06/21 00:34:49 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 4 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| @@ -122,7 +122,8 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **); | |||
| 122 | int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); | 122 | int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); |
| 123 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); | 123 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); |
| 124 | int user_key_allowed(struct passwd *, Key *); | 124 | int user_key_allowed(struct passwd *, Key *); |
| 125 | void pubkey_auth_info(Authctxt *, const Key *); | 125 | void pubkey_auth_info(Authctxt *, const Key *, const char *, ...) |
| 126 | __attribute__((__format__ (printf, 3, 4))); | ||
| 126 | 127 | ||
| 127 | struct stat; | 128 | struct stat; |
| 128 | int auth_secure_path(const char *, struct stat *, const char *, uid_t, | 129 | int auth_secure_path(const char *, struct stat *, const char *, uid_t, |
diff --git a/auth2-hostbased.c b/auth2-hostbased.c index e6d05e261..a344dcc1f 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-hostbased.c,v 1.15 2013/05/17 00:13:13 djm Exp $ */ | 1 | /* $OpenBSD: auth2-hostbased.c,v 1.16 2013/06/21 00:34:49 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -116,6 +116,10 @@ userauth_hostbased(Authctxt *authctxt) | |||
| 116 | #ifdef DEBUG_PK | 116 | #ifdef DEBUG_PK |
| 117 | buffer_dump(&b); | 117 | buffer_dump(&b); |
| 118 | #endif | 118 | #endif |
| 119 | |||
| 120 | pubkey_auth_info(authctxt, key, | ||
| 121 | "client user \"%.100s\", client host \"%.100s\"", cuser, chost); | ||
| 122 | |||
| 119 | /* test for allowed key and correct signature */ | 123 | /* test for allowed key and correct signature */ |
| 120 | authenticated = 0; | 124 | authenticated = 0; |
| 121 | if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && | 125 | if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && |
diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 45306f839..2b3ecb104 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth2-pubkey.c,v 1.37 2013/05/19 02:38:28 djm Exp $ */ | 1 | /* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -147,7 +147,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 147 | #ifdef DEBUG_PK | 147 | #ifdef DEBUG_PK |
| 148 | buffer_dump(&b); | 148 | buffer_dump(&b); |
| 149 | #endif | 149 | #endif |
| 150 | pubkey_auth_info(authctxt, key); | 150 | pubkey_auth_info(authctxt, key, NULL); |
| 151 | 151 | ||
| 152 | /* test for correct signature */ | 152 | /* test for correct signature */ |
| 153 | authenticated = 0; | 153 | authenticated = 0; |
| @@ -190,23 +190,37 @@ done: | |||
| 190 | } | 190 | } |
| 191 | 191 | ||
| 192 | void | 192 | void |
| 193 | pubkey_auth_info(Authctxt *authctxt, const Key *key) | 193 | pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...) |
| 194 | { | 194 | { |
| 195 | char *fp; | 195 | char *fp, *extra; |
| 196 | va_list ap; | ||
| 197 | int i; | ||
| 198 | |||
| 199 | extra = NULL; | ||
| 200 | if (fmt != NULL) { | ||
| 201 | va_start(ap, fmt); | ||
| 202 | i = vasprintf(&extra, fmt, ap); | ||
| 203 | va_end(ap); | ||
| 204 | if (i < 0 || extra == NULL) | ||
| 205 | fatal("%s: vasprintf failed", __func__); | ||
| 206 | } | ||
| 196 | 207 | ||
| 197 | if (key_is_cert(key)) { | 208 | if (key_is_cert(key)) { |
| 198 | fp = key_fingerprint(key->cert->signature_key, | 209 | fp = key_fingerprint(key->cert->signature_key, |
| 199 | SSH_FP_MD5, SSH_FP_HEX); | 210 | SSH_FP_MD5, SSH_FP_HEX); |
| 200 | auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s", | 211 | auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s", |
| 201 | key_type(key), key->cert->key_id, | 212 | key_type(key), key->cert->key_id, |
| 202 | (unsigned long long)key->cert->serial, | 213 | (unsigned long long)key->cert->serial, |
| 203 | key_type(key->cert->signature_key), fp); | 214 | key_type(key->cert->signature_key), fp, |
| 215 | extra == NULL ? "" : ", ", extra == NULL ? "" : extra); | ||
| 204 | free(fp); | 216 | free(fp); |
| 205 | } else { | 217 | } else { |
| 206 | fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | 218 | fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); |
| 207 | auth_info(authctxt, "%s %s", key_type(key), fp); | 219 | auth_info(authctxt, "%s %s%s%s", key_type(key), fp, |
| 220 | extra == NULL ? "" : ", ", extra == NULL ? "" : extra); | ||
| 208 | free(fp); | 221 | free(fp); |
| 209 | } | 222 | } |
| 223 | free(extra); | ||
| 210 | } | 224 | } |
| 211 | 225 | ||
| 212 | static int | 226 | static int |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor.c,v 1.125 2013/05/19 02:42:42 djm Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.126 2013/06/21 00:34:49 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
| @@ -1165,7 +1165,7 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1165 | case MM_USERKEY: | 1165 | case MM_USERKEY: |
| 1166 | allowed = options.pubkey_authentication && | 1166 | allowed = options.pubkey_authentication && |
| 1167 | user_key_allowed(authctxt->pw, key); | 1167 | user_key_allowed(authctxt->pw, key); |
| 1168 | pubkey_auth_info(authctxt, key); | 1168 | pubkey_auth_info(authctxt, key, NULL); |
| 1169 | auth_method = "publickey"; | 1169 | auth_method = "publickey"; |
| 1170 | if (options.pubkey_authentication && allowed != 1) | 1170 | if (options.pubkey_authentication && allowed != 1) |
| 1171 | auth_clear_options(); | 1171 | auth_clear_options(); |
| @@ -1174,6 +1174,9 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1174 | allowed = options.hostbased_authentication && | 1174 | allowed = options.hostbased_authentication && |
| 1175 | hostbased_key_allowed(authctxt->pw, | 1175 | hostbased_key_allowed(authctxt->pw, |
| 1176 | cuser, chost, key); | 1176 | cuser, chost, key); |
| 1177 | pubkey_auth_info(authctxt, key, | ||
| 1178 | "client user \"%.100s\", client host \"%.100s\"", | ||
| 1179 | cuser, chost); | ||
| 1177 | auth_method = "hostbased"; | 1180 | auth_method = "hostbased"; |
| 1178 | break; | 1181 | break; |
| 1179 | case MM_RSAHOSTKEY: | 1182 | case MM_RSAHOSTKEY: |