upstream: log certificate fingerprint in authentication

success/failure message (previously we logged only key ID and CA key fingerprint). ok markus@ OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d
author: djm@openbsd.org <djm@openbsd.org> 2018-09-12 01:19:12 +0000
committer: Damien Miller <djm@mindrot.org> 2018-09-12 16:48:18 +1000
commit: 50e2687ee0941c0ea216d6ffea370ffd2c1f14b9 (patch)
tree: ee504ec5120905a0a610833f53d9dde011e753a9
parent: de37ca909487d23e5844aca289b3f5e75d3f1e1f (diff)
1 files changed, 13 insertions, 9 deletions
diff --git a/auth.c b/auth.c
index 9a3bc96f1..3ca3762cc 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.132 2018/07/11 08:19:35 martijn Exp $ */
+/* $OpenBSD: auth.c,v 1.133 2018/09/12 01:19:12 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -275,22 +275,26 @@ format_method_key(Authctxt *authctxt)
 {
        const struct sshkey *key = authctxt->auth_method_key;
        const char *methinfo = authctxt->auth_method_info;
-        char *fp, *ret = NULL;
+        char *fp, *cafp, *ret = NULL;
        if (key == NULL)
                return NULL;
        if (sshkey_is_cert(key)) {
-                fp = sshkey_fingerprint(key->cert->signature_key,
+                fp = sshkey_fingerprint(key,
                    options.fingerprint_hash, SSH_FP_DEFAULT);
-                xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s",
+                cafp = sshkey_fingerprint(key->cert->signature_key,
-                    sshkey_type(key), key->cert->key_id,
+                    options.fingerprint_hash, SSH_FP_DEFAULT);
+                xasprintf(&ret, "%s %s ID %s (serial %llu) CA %s %s%s%s",
+                    sshkey_type(key), fp == NULL ? "(null)" : fp,
+                    key->cert->key_id,
                    (unsigned long long)key->cert->serial,
                    sshkey_type(key->cert->signature_key),
-                    fp == NULL ? "(null)" : fp,
+                    cafp == NULL ? "(null)" : cafp,
                    methinfo == NULL ? "" : ", ",
                    methinfo == NULL ? "" : methinfo);
                free(fp);
+                free(cafp);
        } else {
                fp = sshkey_fingerprint(key, options.fingerprint_hash,
                    SSH_FP_DEFAULT);
@@ -308,7 +312,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
    const char *method, const char *submethod)
 {
        struct ssh *ssh = active_state; /* XXX */
-        void (*authlog) (const char *fmt,...) = verbose;
+        int level = SYSLOG_LEVEL_VERBOSE;
        const char *authmsg;
        char *extra = NULL;
@@ -320,7 +324,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
            !authctxt->valid ||
            authctxt->failures >= options.max_authtries / 2 ||
            strcmp(method, "password") == 0)
-                authlog = logit;
+                level = SYSLOG_LEVEL_INFO;
        if (authctxt->postponed)
                authmsg = "Postponed";
@@ -334,7 +338,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
                        extra = xstrdup(authctxt->auth_method_info);
        }
-        authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
+        do_log2(level, "%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
            authmsg,
            method,
            submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
author	djm@openbsd.org <djm@openbsd.org>	2018-09-12 01:19:12 +0000
committer	Damien Miller <djm@mindrot.org>	2018-09-12 16:48:18 +1000
commit	50e2687ee0941c0ea216d6ffea370ffd2c1f14b9 (patch)
tree	ee504ec5120905a0a610833f53d9dde011e753a9
parent	de37ca909487d23e5844aca289b3f5e75d3f1e1f (diff)