authorDamien Miller <djm@mindrot.org>2012-12-03 09:53:20 +1100
committerDamien Miller <djm@mindrot.org>2012-12-03 09:53:20 +1100
commit15b05cfa17592da7470d7bd4b2de063188697471 (patch)
tree50686085795dc25237f6aabe4c2a5963f38a6e06
parentaa5b3f831417bac9538d2b6f21d55fef278e8926 (diff)
- djm@cvs.openbsd.org 2012/12/02 20:34:10
[auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c] [monitor.c monitor.h] Fixes logging of partial authentication when privsep is enabled Previously, we recorded "Failed xxx" since we reset authenticated before calling auth_log() in auth2.c. This adds an explicit "Partial" state. Add a "submethod" to auth_log() to report which submethod is used for keyboard-interactive. Fix multiple authentication when one of the methods is keyboard-interactive. ok markus@
-rw-r--r--ChangeLog14
-rw-r--r--auth.c12
-rw-r--r--auth.h10
-rw-r--r--auth1.c8
-rw-r--r--auth2-chall.c12
-rw-r--r--auth2-gss.c8
-rw-r--r--auth2-jpake.c4
-rw-r--r--auth2.c37
-rw-r--r--monitor.c25
-rw-r--r--monitor.h80
10 files changed, 123 insertions, 87 deletions
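--- a/ChangeLog
+++ b/ChangeLog
@@ -29,6 +29,20 @@
    - djm@cvs.openbsd.org 2012/11/14 02:32:15
      [ssh-keygen.c]
      allow the full range of unsigned serial numbers; 'fine' deraadt@
+   - djm@cvs.openbsd.org 2012/12/02 20:34:10
+     [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
+     [monitor.c monitor.h]
+     Fixes logging of partial authentication when privsep is enabled
+     Previously, we recorded "Failed xxx" since we reset authenticated before
+     calling auth_log() in auth2.c. This adds an explcit "Partial" state.
+
+     Add a "submethod" to auth_log() to report which submethod is used
+     for keyboard-interactive.
+
+     Fix multiple authentication when one of the methods is
+     keyboard-interactive.
+
+     ok markus@
 
 20121107
  - (djm) OpenBSD CVS Sync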
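--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.97 2012/10/30 21:29:54 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.98 2012/12/02 20:34:09 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -251,7 +251,8 @@ allowed_user(struct passwd * pw)
 }
 
 void
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
+auth_log(Authctxt *authctxt, int authenticated, int partial,
+    const char *method, const char *submethod, const char *info)
 {
 	void (*authlog) (const char *fmt,...) = verbose;
 	char *authmsg;
@@ -268,12 +269,15 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 
 	if (authctxt->postponed)
 		authmsg = "Postponed";
+	else if (partial)
+		authmsg = "Partial";
 	else
 		authmsg = authenticated ? "Accepted" : "Failed";
 
-	authlog("%s %s for %s%.100s from %.200s port %d%s",
+	authlog("%s %s%s%s for %s%.100s from %.200s port %d%s",
 	    authmsg,
 	    method,
+	    submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
 	    authctxt->valid ? "" : "invalid user ",
 	    authctxt->user,
 	    get_remote_ipaddr(),
@@ -303,7 +307,7 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
  * Check whether root logins are disallowed.
  */
 int
-auth_root_allowed(char *method)
+auth_root_allowed(const char *method)
 {
 	switch (options.permit_root_login) {
 	case PERMIT_YES: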
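Review bot: The new `partial` parameter of auth_log() at line 254 is undocumented, and the two ternaries added at line 280 test `submethod` with opposite polarity (`!= NULL` and then `== NULL`), which reads as if they could disagree. I would write the pair as `submethod != NULL ? "/" : "", submethod != NULL ? submethod : "",` and add above the definition a comment along the lines of `/* partial: the method succeeded but more are required; submethod: keyboard-interactive device name, or NULL */`. Because the new else-if chain at lines 272-275 checks `partial` before `authenticated`, a caller passing partial=1 must also pass authenticated=0 (auth2.c and monitor.c do so in this commit); that invariant belongs in the same comment. The rest of auth_log()'s body lies outside the hunk.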
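--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.71 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.72 2012/12/02 20:34:09 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -148,10 +148,12 @@ void disable_forwarding(void);
 void do_authentication(Authctxt *);
 void do_authentication2(Authctxt *);
 
-void auth_log(Authctxt *, int, char *, char *);
-void userauth_finish(Authctxt *, int, char *);
+void auth_log(Authctxt *, int, int, const char *, const char *,
+    const char *);
+void userauth_finish(Authctxt *, int, const char *, const char *);
+int auth_root_allowed(const char *);
+
 void userauth_send_banner(const char *);
-int auth_root_allowed(char *);
 
 char *auth2_read_banner(void);
 int auth2_methods_valid(const char *, int);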
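Review bot: The new auth_log() and userauth_finish() prototypes at lines 151-153 take two unnamed `int`s and up to three unnamed `const char *`s, so at the declaration site a reader cannot tell which int is the partial flag or which string may be NULL. I would add a short comment above them, e.g. `/* auth_log(ctxt, authenticated, partial, method, submethod, info): partial marks a method that succeeded without completing authentication; submethod (also the last userauth_finish() argument) may be NULL. */`. Keeping parameter names in the prototypes would serve the same purpose if that matches the header's house style.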
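--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth1.c,v 1.76 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: auth1.c,v 1.77 2012/12/02 20:34:09 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -253,7 +253,8 @@ do_authloop(Authctxt *authctxt)
 		if (options.use_pam && (PRIVSEP(do_pam_account())))
 #endif
 		{
-			auth_log(authctxt, 1, "without authentication", "");
+			auth_log(authctxt, 1, 0, "without authentication",
+			    NULL, "");
 			return;
 		}
 	}
@@ -352,7 +353,8 @@ do_authloop(Authctxt *authctxt)
 
  skip:
 		/* Log before sending the reply */
-		auth_log(authctxt, authenticated, get_authname(type), info);
+		auth_log(authctxt, authenticated, 0, get_authname(type),
+		    NULL, info);
 
 		if (client_user != NULL) {
 			xfree(client_user);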
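--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.34 2008/12/09 04:32:22 djm Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.35 2012/12/02 20:34:09 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl. All rights reserved.
  * Copyright (c) 2001 Per Allansson. All rights reserved.
@@ -283,7 +283,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 	KbdintAuthctxt *kbdintctxt;
 	int authenticated = 0, res;
 	u_int i, nresp;
-	char **response = NULL, *method;
+	char *devicename = NULL, **response = NULL;
 
 	if (authctxt == NULL)
 		fatal("input_userauth_info_response: no authctxt");
@@ -329,9 +329,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 		/* Failure! */
 		break;
 	}
-
-	xasprintf(&method, "keyboard-interactive/%s", kbdintctxt->device->name);
-
+	devicename = kbdintctxt->device->name;
 	if (!authctxt->postponed) {
 		if (authenticated) {
 			auth2_challenge_stop(authctxt);
@@ -341,8 +339,8 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
 			auth2_challenge_start(authctxt);
 		}
 	}
-	userauth_finish(authctxt, authenticated, method);
-	xfree(method);
+	userauth_finish(authctxt, authenticated, "keyboard-interactive",
+	    devicename);
 }
 
 void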
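Review bot: `devicename` at line 332 is an alias of `kbdintctxt->device->name`, and it is still used by userauth_finish() at line 342 after auth2_challenge_stop() (line 335) or auth2_challenge_start() (line 339) has acted on the same context, whereas the removed xasprintf() copy did not depend on the context's lifetime. From the hunk alone I cannot see what those two calls release or replace, so this is only safe if the device name string outlives kbdintctxt and is not swapped out when the next device is selected. If the names are static device-table strings, as seems likely, the reliance should be made explicit with a comment such as `/* device->name is static; it remains valid after the context is torn down below */` (worded to what the code actually guarantees); otherwise keep a copy as before. The body of input_userauth_info_response() between the hunks is outside the view.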
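--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.17 2011/03/10 02:52:57 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.18 2012/12/02 20:34:09 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -163,7 +163,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt)
 		}
 		authctxt->postponed = 0;
 		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-		userauth_finish(authctxt, 0, "gssapi-with-mic");
+		userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
 	} else {
 		if (send_tok.length != 0) {
 			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
@@ -251,7 +251,7 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-	userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
 }
 
 static void
@@ -291,7 +291,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-	userauth_finish(authctxt, authenticated, "gssapi-with-mic");
+	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
 }
 
 Authmethod method_gssapi = {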
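--- a/auth2-jpake.c
+++ b/auth2-jpake.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-jpake.c,v 1.4 2010/08/31 11:54:45 djm Exp $ */
+/* $OpenBSD: auth2-jpake.c,v 1.5 2012/12/02 20:34:09 djm Exp $ */
 /*
  * Copyright (c) 2008 Damien Miller. All rights reserved.
  *
@@ -556,7 +556,7 @@ input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt)
 	authctxt->postponed = 0;
 	jpake_free(authctxt->jpake_ctx);
 	authctxt->jpake_ctx = NULL;
-	userauth_finish(authctxt, authenticated, method_jpake.name);
+	userauth_finish(authctxt, authenticated, method_jpake.name, NULL);
 }
 
 #endif /* JPAKE */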
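--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.125 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.126 2012/12/02 20:34:09 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -286,7 +286,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		debug2("input_userauth_request: try method %s", method);
 		authenticated = m->userauth(authctxt);
 	}
-	userauth_finish(authctxt, authenticated, method);
+	userauth_finish(authctxt, authenticated, method, NULL);
 
 	xfree(service);
 	xfree(user);
@@ -294,7 +294,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 }
 
 void
-userauth_finish(Authctxt *authctxt, int authenticated, char *method)
+userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
+    const char *submethod)
 {
 	char *methods;
 	int partial = 0;
@@ -302,6 +303,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 	if (!authctxt->valid && authenticated)
 		fatal("INTERNAL ERROR: authenticated invalid user %s",
 		    authctxt->user);
+	if (authenticated && authctxt->postponed)
+		fatal("INTERNAL ERROR: authenticated and postponed");
 
 	/* Special handling for root */
 	if (authenticated && authctxt->pw->pw_uid == 0 &&
@@ -312,6 +315,19 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #endif
 	}
 
+	if (authenticated && options.num_auth_methods != 0) {
+		if (!auth2_update_methods_lists(authctxt, method)) {
+			authenticated = 0;
+			partial = 1;
+		}
+	}
+
+	/* Log before sending the reply */
+	auth_log(authctxt, authenticated, partial, method, submethod, " ssh2");
+
+	if (authctxt->postponed)
+		return;
+
 #ifdef USE_PAM
 	if (options.use_pam && authenticated) {
 		if (!PRIVSEP(do_pam_account())) {
@@ -330,23 +346,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 #ifdef _UNICOS
 	if (authenticated && cray_access_denied(authctxt->user)) {
 		authenticated = 0;
-		fatal("Access denied for user %s.",authctxt->user);
+		fatal("Access denied for user %s.", authctxt->user);
 	}
 #endif /* _UNICOS */
 
-	/* Log before sending the reply */
-	auth_log(authctxt, authenticated, method, " ssh2");
-
-	if (authctxt->postponed)
-		return;
-
-	if (authenticated && options.num_auth_methods != 0) {
-		if (!auth2_update_methods_lists(authctxt, method)) {
-			authenticated = 0;
-			partial = 1;
-		}
-	}
-
 	if (authenticated == 1) {
 		/* turn off userauth */
 		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);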
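Review bot: After the move, auth_log() at line 326 runs before the `#ifdef USE_PAM` account check at lines 331-333 and the `_UNICOS` check at lines 347-350, so in the non-privsep path a method that succeeds but is then refused by do_pam_account() or cray_access_denied() has already been logged as `Accepted`; the old code logged after both blocks. The PAM block's failure handling is outside the hunk, so I cannot tell whether it emits its own refusal record; if it does not, either place the `auth_log()` call and the `postponed` return after the `_UNICOS` block (only the methods-list update at lines 318-323 needs to come first, to compute `partial`) or document the ordering with `/* Logged before the PAM/UNICOS account checks; a refusal there is reported separately */`. The remainder of userauth_finish() lies outside the hunk.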
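--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.118 2012/11/04 11:09:15 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.119 2012/12/02 20:34:10 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -199,6 +199,7 @@ static int key_blobtype = MM_NOKEY;
 static char *hostbased_cuser = NULL;
 static char *hostbased_chost = NULL;
 static char *auth_method = "unknown";
+static char *auth_submethod = NULL;
 static u_int session_id2_len = 0;
 static u_char *session_id2 = NULL;
 static pid_t monitor_child_pid;
@@ -352,7 +353,7 @@ void
 monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 {
 	struct mon_table *ent;
-	int authenticated = 0;
+	int authenticated = 0, partial = 0;
 
 	debug3("preauth child monitor started");
 
@@ -379,7 +380,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
 	/* The first few requests do not require asynchronous access */
 	while (!authenticated) {
+		partial = 0;
 		auth_method = "unknown";
+		auth_submethod = NULL;
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 
 		/* Special handling for multiple required authentications */
@@ -393,6 +396,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 			debug3("%s: method %s: partial", __func__,
 			    auth_method);
 			authenticated = 0;
+			partial = 1;
 		}
 	}
 
@@ -417,7 +421,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 #endif
 		}
 		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
-			auth_log(authctxt, authenticated, auth_method,
+			auth_log(authctxt, authenticated, partial,
+			    auth_method, auth_submethod,
 			    compat20 ? " ssh2" : "");
 			if (!authenticated)
 				authctxt->failures++;
@@ -943,7 +948,7 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
 	mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
 
 	if (compat20)
-		auth_method = "keyboard-interactive";
+		auth_method = "keyboard-interactive"; /* XXX auth_submethod */
 	else
 		auth_method = "bsdauth";
 
@@ -1084,7 +1089,8 @@ mm_answer_pam_query(int sock, Buffer *m)
 	xfree(prompts);
 	if (echo_on != NULL)
 		xfree(echo_on);
-	auth_method = "keyboard-interactive/pam";
+	auth_method = "keyboard-interactive";
+	auth_submethod = "pam";
 	mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
 	return (0);
 }
@@ -1113,7 +1119,8 @@ mm_answer_pam_respond(int sock, Buffer *m)
 	buffer_clear(m);
 	buffer_put_int(m, ret);
 	mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
-	auth_method = "keyboard-interactive/pam";
+	auth_method = "keyboard-interactive";
+	auth_submethod = "pam";
 	if (ret == 0)
 		sshpam_authok = sshpam_ctxt;
 	return (0);
@@ -1127,7 +1134,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
 	(sshpam_device.free_ctx)(sshpam_ctxt);
 	buffer_clear(m);
 	mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
-	auth_method = "keyboard-interactive/pam";
+	auth_method = "keyboard-interactive";
+	auth_submethod = "pam";
 	return (sshpam_authok == sshpam_ctxt);
 }
 #endif
@@ -1201,7 +1209,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
 		hostbased_chost = chost;
 	} else {
 		/* Log failed attempt */
-		auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
+		auth_log(authctxt, 0, 0, auth_method, NULL,
+		    compat20 ? " ssh2" : "");
 		xfree(blob);
 		xfree(cuser);
 		xfree(chost);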
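Review bot: mm_answer_bsdauthrespond() at line 951 sets auth_method to `keyboard-interactive` but leaves auth_submethod NULL (the `XXX` marks it), so under privsep a bsdauth login is logged as `keyboard-interactive` while the non-privsep path in auth2-chall.c now logs it as `keyboard-interactive/bsdauth`; anything correlating auth records on the full method string sees two different names for the same event. The pam responders at lines 1092-1093, 1122-1123 and 1137-1138 show the intended pattern, so the compat20 branch should become `if (compat20) {` / `auth_method = "keyboard-interactive";` / `auth_submethod = "bsdauth";` / `} else`. Any s/key responder outside this hunk, if one exists, needs the same change. The per-iteration reset at lines 383-385 keeps a stale submethod from leaking between requests, which is worth a one-line comment there since it is the only thing making the NULL default safe.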
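--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.16 2011/06/17 21:44:31 djm Exp $ */
+/* $OpenBSD: monitor.h,v 1.17 2012/12/02 20:34:10 djm Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -28,44 +28,48 @@
 #ifndef _MONITOR_H_
 #define _MONITOR_H_
 
+/* Please keep *_REQ_* values on even numbers and *_ANS_* on odd numbers */
 enum monitor_reqtype {
-	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
-	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
-	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
-	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
-	MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,
-	MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,
-	MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND,
-	MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY,
-	MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND,
-	MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED,
-	MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY,
-	MONITOR_REQ_KEYEXPORT,
-	MONITOR_REQ_PTY, MONITOR_ANS_PTY,
-	MONITOR_REQ_PTYCLEANUP,
-	MONITOR_REQ_SESSKEY, MONITOR_ANS_SESSKEY,
-	MONITOR_REQ_SESSID,
-	MONITOR_REQ_RSAKEYALLOWED, MONITOR_ANS_RSAKEYALLOWED,
-	MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
-	MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
-	MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP,
-	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
-	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
-	MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC,
-	MONITOR_REQ_PAM_START,
-	MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
-	MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
-	MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
-	MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
-	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
-	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
-	MONITOR_REQ_TERM,
-	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
-	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
-	MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
-	MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
-	MONITOR_REQ_JPAKE_CHECK_CONFIRM, MONITOR_ANS_JPAKE_CHECK_CONFIRM,
+	MONITOR_REQ_MODULI = 0, MONITOR_ANS_MODULI = 1,
+	MONITOR_REQ_FREE = 2,
+	MONITOR_REQ_AUTHSERV = 4,
+	MONITOR_REQ_SIGN = 6, MONITOR_ANS_SIGN = 7,
+	MONITOR_REQ_PWNAM = 8, MONITOR_ANS_PWNAM = 9,
+	MONITOR_REQ_AUTH2_READ_BANNER = 10, MONITOR_ANS_AUTH2_READ_BANNER = 11,
+	MONITOR_REQ_AUTHPASSWORD = 12, MONITOR_ANS_AUTHPASSWORD = 13,
+	MONITOR_REQ_BSDAUTHQUERY = 14, MONITOR_ANS_BSDAUTHQUERY = 15,
+	MONITOR_REQ_BSDAUTHRESPOND = 16, MONITOR_ANS_BSDAUTHRESPOND = 17,
+	MONITOR_REQ_SKEYQUERY = 18, MONITOR_ANS_SKEYQUERY = 19,
+	MONITOR_REQ_SKEYRESPOND = 20, MONITOR_ANS_SKEYRESPOND = 21,
+	MONITOR_REQ_KEYALLOWED = 22, MONITOR_ANS_KEYALLOWED = 23,
+	MONITOR_REQ_KEYVERIFY = 24, MONITOR_ANS_KEYVERIFY = 25,
+	MONITOR_REQ_KEYEXPORT = 26,
+	MONITOR_REQ_PTY = 28, MONITOR_ANS_PTY = 29,
+	MONITOR_REQ_PTYCLEANUP = 30,
+	MONITOR_REQ_SESSKEY = 32, MONITOR_ANS_SESSKEY = 33,
+	MONITOR_REQ_SESSID = 34,
+	MONITOR_REQ_RSAKEYALLOWED = 36, MONITOR_ANS_RSAKEYALLOWED = 37,
+	MONITOR_REQ_RSACHALLENGE = 38, MONITOR_ANS_RSACHALLENGE = 39,
+	MONITOR_REQ_RSARESPONSE = 40, MONITOR_ANS_RSARESPONSE = 41,
+	MONITOR_REQ_GSSSETUP = 42, MONITOR_ANS_GSSSETUP = 43,
+	MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,
+	MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
+	MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
+	MONITOR_REQ_TERM = 50,
+	MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53,
+	MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55,
+	MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
+	MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
+	MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
+
+	MONITOR_REQ_PAM_START = 100,
+	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
+	MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
+	MONITOR_REQ_PAM_QUERY = 106, MONITOR_ANS_PAM_QUERY = 107,
+	MONITOR_REQ_PAM_RESPOND = 108, MONITOR_ANS_PAM_RESPOND = 109,
+	MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
+	MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
+
 };
 
 struct mm_master;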
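Review bot: The comment added at line 31 asks for `*_REQ_*` values on even numbers and `*_ANS_*` on odd, but `MONITOR_REQ_AUDIT_COMMAND = 113` at line 71 is an odd-numbered request, so the rule is broken in the same hunk that states it. Either renumber it, `MONITOR_REQ_AUDIT_COMMAND = 114,`, or extend the comment to say that the answer-less audit requests are exempt. The gap between the OpenBSD block ending at 61 and the portable-only PAM/audit block starting at 100 is presumably meant to let the two trees add request types without colliding; since these values are what the privileged monitor and the unprivileged child exchange over the socket (monitor.c's mm_request_send calls), a one-line comment above `MONITOR_REQ_PAM_START = 100` such as `/* 100 and above are reserved for portable-only requests */` would keep a future merge from reusing a number.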