authordjm@openbsd.org <djm@openbsd.org>2018-09-12 01:19:12 +0000
committerDamien Miller <djm@mindrot.org>2018-09-12 16:48:18 +1000
commit50e2687ee0941c0ea216d6ffea370ffd2c1f14b9 (patch)
treeee504ec5120905a0a610833f53d9dde011e753a9
parentde37ca909487d23e5844aca289b3f5e75d3f1e1f (diff)
upstream: log certificate fingerprint in authentication
success/failure message (previously we logged only key ID and CA key fingerprint). ok markus@ OpenBSD-Commit-ID: a8ef2d172b7f1ddbcce26d6434b2de6d94f6c05d
-rw-r--r--auth.c22
1 files changed, 13 insertions, 9 deletions
diff --git a/auth.c b/auth.c
index 9a3bc96f1..3ca3762cc 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.c,v 1.132 2018/07/11 08:19:35 martijn Exp $ */ 1/* $OpenBSD: auth.c,v 1.133 2018/09/12 01:19:12 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -275,22 +275,26 @@ format_method_key(Authctxt *authctxt)
275{ 275{
276 const struct sshkey *key = authctxt->auth_method_key; 276 const struct sshkey *key = authctxt->auth_method_key;
277 const char *methinfo = authctxt->auth_method_info; 277 const char *methinfo = authctxt->auth_method_info;
278 char *fp, *ret = NULL; 278 char *fp, *cafp, *ret = NULL;
279 279
280 if (key == NULL) 280 if (key == NULL)
281 return NULL; 281 return NULL;
282 282
283 if (sshkey_is_cert(key)) { 283 if (sshkey_is_cert(key)) {
284 fp = sshkey_fingerprint(key->cert->signature_key, 284 fp = sshkey_fingerprint(key,
285 options.fingerprint_hash, SSH_FP_DEFAULT); 285 options.fingerprint_hash, SSH_FP_DEFAULT);
286 xasprintf(&ret, "%s ID %s (serial %llu) CA %s %s%s%s", 286 cafp = sshkey_fingerprint(key->cert->signature_key,
287 sshkey_type(key), key->cert->key_id, 287 options.fingerprint_hash, SSH_FP_DEFAULT);
288 xasprintf(&ret, "%s %s ID %s (serial %llu) CA %s %s%s%s",
289 sshkey_type(key), fp == NULL ? "(null)" : fp,
290 key->cert->key_id,
288 (unsigned long long)key->cert->serial, 291 (unsigned long long)key->cert->serial,
289 sshkey_type(key->cert->signature_key), 292 sshkey_type(key->cert->signature_key),
290 fp == NULL ? "(null)" : fp, 293 cafp == NULL ? "(null)" : cafp,
291 methinfo == NULL ? "" : ", ", 294 methinfo == NULL ? "" : ", ",
292 methinfo == NULL ? "" : methinfo); 295 methinfo == NULL ? "" : methinfo);
293 free(fp); 296 free(fp);
297 free(cafp);
294 } else { 298 } else {
295 fp = sshkey_fingerprint(key, options.fingerprint_hash, 299 fp = sshkey_fingerprint(key, options.fingerprint_hash,
296 SSH_FP_DEFAULT); 300 SSH_FP_DEFAULT);
@@ -308,7 +312,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
308 const char *method, const char *submethod) 312 const char *method, const char *submethod)
309{ 313{
310 struct ssh *ssh = active_state; /* XXX */ 314 struct ssh *ssh = active_state; /* XXX */
311 void (*authlog) (const char *fmt,...) = verbose; 315 int level = SYSLOG_LEVEL_VERBOSE;
312 const char *authmsg; 316 const char *authmsg;
313 char *extra = NULL; 317 char *extra = NULL;
314 318
@@ -320,7 +324,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
320 !authctxt->valid || 324 !authctxt->valid ||
321 authctxt->failures >= options.max_authtries / 2 || 325 authctxt->failures >= options.max_authtries / 2 ||
322 strcmp(method, "password") == 0) 326 strcmp(method, "password") == 0)
323 authlog = logit; 327 level = SYSLOG_LEVEL_INFO;
324 328
325 if (authctxt->postponed) 329 if (authctxt->postponed)
326 authmsg = "Postponed"; 330 authmsg = "Postponed";
@@ -334,7 +338,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
334 extra = xstrdup(authctxt->auth_method_info); 338 extra = xstrdup(authctxt->auth_method_info);
335 } 339 }
336 340
337 authlog("%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s", 341 do_log2(level, "%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
338 authmsg, 342 authmsg,
339 method, 343 method,
340 submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, 344 submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
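Review bot: The certificate branch of format_method_key now computes two fingerprints with near-identical names but different subjects — `fp` is the fingerprint of the certified key and `cafp` that of the CA key that signed it — and nothing in the hunk says so, which matters because this line is what auditors and log-parsing detection rules will read. A one-line comment above the first sshkey_fingerprint call would keep later edits from swapping them, e.g. `/* fp: certified key, cafp: CA signing key; either may be NULL on failure */`. The "(null)" fallbacks are applied to both, so the NULL-return case is handled, but key_id and serial are taken from the client-presented certificate, so any escaping of that text is presumably left to do_log2 and the log layer rather than done here — worth confirming. format_method_key's else branch and auth_log's body both continue outside their hunks.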