authorDamien Miller <djm@mindrot.org>2013-07-18 16:10:09 +1000
committerDamien Miller <djm@mindrot.org>2013-07-18 16:10:09 +1000
commit20bdcd72365e8b3d51261993928cc47c5f0d7c8a (patch)
treedb4f44ba0f86b271a9493ce0d866941f0ac5a953
parent3071070b39e6d1722151c754cdc2b26640eaf45e (diff)
- djm@cvs.openbsd.org 2013/06/21 00:34:49
[auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c] for hostbased authentication, print the client host and user on the auth success/failure line; bz#2064, ok dtucker@
-rw-r--r--ChangeLog4
-rw-r--r--auth-rsa.c4
-rw-r--r--auth.h5
-rw-r--r--auth2-hostbased.c6
-rw-r--r--auth2-pubkey.c28
-rw-r--r--monitor.c7
6 files changed, 40 insertions, 14 deletions
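--- a/ChangeLog
+++ b/ChangeLog
@@ -12,6 +12,10 @@
  - markus@cvs.openbsd.org 2013/06/20 19:15:06
  [krl.c]
  don't leak the rdata blob on errors; ok djm@
+ - djm@cvs.openbsd.org 2013/06/21 00:34:49
+ [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c]
+ for hostbased authentication, print the client host and user on
+ the auth success/failure line; bz#2064, ok dtucker@
 
 20130702
  - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config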
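--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rsa.c,v 1.83 2013/05/19 02:42:42 djm Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.84 2013/06/21 00:34:49 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -332,7 +332,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
  * options; this will be reset if the options cause the
  * authentication to be rejected.
  */
- pubkey_auth_info(authctxt, key);
+ pubkey_auth_info(authctxt, key, NULL);
 
  packet_send_debug("RSA authentication accepted.");
  return (1);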
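--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.74 2013/05/19 02:42:42 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.75 2013/06/21 00:34:49 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -122,7 +122,8 @@ int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
 int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
 int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 int user_key_allowed(struct passwd *, Key *);
-void pubkey_auth_info(Authctxt *, const Key *);
+void pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
+ __attribute__((__format__ (printf, 3, 4)));
 
 struct stat;
 int auth_secure_path(const char *, struct stat *, const char *, uid_t,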
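Review bot: The new pubkey_auth_info prototype does not document that its third argument may be NULL, which is exactly how the auth-rsa.c, auth2-pubkey.c and monitor.c MM_USERKEY call sites in this commit use it, so a reader of the header cannot tell whether NULL is a valid format. A one-line comment above the declaration would settle it: `/* fmt may be NULL; otherwise printf-style text appended to the auth log line after ", " */`. The format attribute is the right safeguard here, since it lets -Wformat check that the client-derived arguments in the hostbased callers match their conversions.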
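--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.15 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.16 2013/06/21 00:34:49 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -116,6 +116,10 @@ userauth_hostbased(Authctxt *authctxt)
 #ifdef DEBUG_PK
  buffer_dump(&b);
 #endif
+
+ pubkey_auth_info(authctxt, key,
+ "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
+
  /* test for allowed key and correct signature */
  authenticated = 0;
  if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
</authenticated>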
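Review bot: The cuser and chost strings interpolated in the new pubkey_auth_info call are client-supplied and are recorded before hostbased_key_allowed has accepted them, so the auth success/failure line now carries unauthenticated text; the `%.100s` conversions bound the length but do not strip control characters or escape sequences. A comment at the call site would make that explicit for the next reader: `/* cuser/chost are unauthenticated client input: %.100s bounds length only, the log sink must neutralise control chars */`. Whether the consumer of auth_info escapes non-printable bytes before it reaches syslog is not visible in this hunk and should be confirmed. userauth_hostbased begins outside the hunk, where cuser and chost are read from the packet.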
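--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.37 2013/05/19 02:38:28 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.38 2013/06/21 00:34:49 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -147,7 +147,7 @@ userauth_pubkey(Authctxt *authctxt)
 #ifdef DEBUG_PK
  buffer_dump(&b);
 #endif
- pubkey_auth_info(authctxt, key);
+ pubkey_auth_info(authctxt, key, NULL);
 
  /* test for correct signature */
  authenticated = 0;
@@ -190,23 +190,37 @@ done:
 }
 
 void
-pubkey_auth_info(Authctxt *authctxt, const Key *key)
+pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
 {
- char *fp;
+ char *fp, *extra;
+ va_list ap;
+ int i;
+
+ extra = NULL;
+ if (fmt != NULL) {
+ va_start(ap, fmt);
+ i = vasprintf(&extra, fmt, ap);
+ va_end(ap);
+ if (i < 0 || extra == NULL)
+ fatal("%s: vasprintf failed", __func__);
+ }
 
  if (key_is_cert(key)) {
  fp = key_fingerprint(key->cert->signature_key,
  SSH_FP_MD5, SSH_FP_HEX);
- auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s",
+ auth_info(authctxt, "%s ID %s (serial %llu) CA %s %s%s%s",
  key_type(key), key->cert->key_id,
  (unsigned long long)key->cert->serial,
- key_type(key->cert->signature_key), fp);
+ key_type(key->cert->signature_key), fp,
+ extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
  free(fp);
  } else {
  fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
- auth_info(authctxt, "%s %s", key_type(key), fp);
+ auth_info(authctxt, "%s %s%s%s", key_type(key), fp,
+ extra == NULL ? "" : ", ", extra == NULL ? "" : extra);
  free(fp);
  }
+ free(extra);
 }
 
 static int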
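Review bot: The pair `extra == NULL ? "" : ", ", extra == NULL ? "" : extra` is spelled out twice in pubkey_auth_info, once in each auth_info call, which invites the two branches to drift the next time the suffix format changes. Computing it once after the vasprintf block, `const char *sep = extra == NULL ? "" : ", ";` and `const char *ext = extra == NULL ? "" : extra;`, and passing `sep, ext` in both calls keeps the cert and plain-key log lines identical in shape. The function also gained a non-obvious contract (fmt may be NULL, text is joined with ", ", failure to format is fatal) that deserves a short header comment above the definition describing those three points. vasprintf is not part of C11, so its availability presumably relies on the portable compat layer; that is not visible here.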
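--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.125 2013/05/19 02:42:42 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.126 2013/06/21 00:34:49 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -1165,7 +1165,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
  case MM_USERKEY:
  allowed = options.pubkey_authentication &&
  user_key_allowed(authctxt->pw, key);
- pubkey_auth_info(authctxt, key);
+ pubkey_auth_info(authctxt, key, NULL);
  auth_method = "publickey";
  if (options.pubkey_authentication && allowed != 1)
  auth_clear_options();
@@ -1174,6 +1174,9 @@ mm_answer_keyallowed(int sock, Buffer *m)
  allowed = options.hostbased_authentication &&
  hostbased_key_allowed(authctxt->pw,
  cuser, chost, key);
+ pubkey_auth_info(authctxt, key,
+ "client user \"%.100s\", client host \"%.100s\"",
+ cuser, chost);
  auth_method = "hostbased";
  break;
  case MM_RSAHOSTKEY: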
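Review bot: The format literal `"client user \"%.100s\", client host \"%.100s\""` added in the MM_HOSTKEY branch is a verbatim copy of the one added in auth2-hostbased.c, so the privileged and unprivileged sides now each carry their own copy of the log-line wording. Hoisting it into a single definition in auth.h, e.g. `#define HOSTBASED_AUTH_INFO_FMT "client user \"%.100s\", client host \"%.100s\""`, and using it in both call sites would keep the two auth lines from diverging, which matters for anyone matching on them in log monitoring. Which of the two authctxt instances ends up in the emitted auth log line under privsep is not visible in this hunk; a comment here naming that would help. mm_answer_keyallowed starts and ends outside the hunk.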