author | Damien Miller <djm@mindrot.org> | 2006-03-31 23:14:23 +1100 |
committer | Damien Miller <djm@mindrot.org> | 2006-03-31 23:14:23 +1100 |
commit | 7a8f5b330dc7a98e7144ec119a7b5b0737a26708 (patch) | |
tree | ff3743ad84d2f393288fb2ee08298e17a06f47a2 | |
parent | e23209f4349343d75c66fd8c71a57942d8827f54 (diff) |
- dtucker@cvs.openbsd.org 2006/03/30 11:40:21
[auth.c monitor.c]
Prevent duplicate log messages when privsep=yes; ok djm@
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | auth.c | 6 | ||||
-rw-r--r-- | monitor.c | 18 |
3 files changed, 23 insertions, 6 deletions
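--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,9 @@
    - dtucker@cvs.openbsd.org 2006/03/30 11:05:17
      [ssh-keygen.c]
      Correctly handle truncated files while converting keys; ok djm@
+   - dtucker@cvs.openbsd.org 2006/03/30 11:40:21
+     [auth.c monitor.c]
+     Prevent duplicate log messages when privsep=yes; ok djm@
 
 20060326
  - OpenBSD CVS Sync
@@ -4486,4 +4489,4 @@
  - (djm) Trim deprecated options from INSTALL. Mention UsePAM
  - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4297 2006/03/31 12:13:35 djm Exp $
+$Id: ChangeLog,v 1.4298 2006/03/31 12:14:23 djm Exp $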
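--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.66 2006/03/25 13:17:01 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.67 2006/03/30 11:40:21 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -61,6 +61,7 @@
 
 /* import */
 extern ServerOptions options;
+extern int use_privsep;
 extern Buffer loginmsg;
 
 /* Debugging messages */
@@ -237,6 +238,9 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
 	void (*authlog) (const char *fmt,...) = verbose;
 	char *authmsg;
 
+	if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
+		return;
+
 	/* Raise logging level */
 	if (authenticated == 1 ||
 	    !authctxt->valid ||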
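Review bot: The early return added at the top of auth_log has no comment explaining why the unprivileged child now stays silent, and the three-part condition is subtle enough to need one; I'd put `/* Under privsep the monitor logs each attempt on the child's behalf (see monitor_child_preauth); the child logs only postponed attempts, so nothing is logged twice. */` directly above the `if`. The flip side of the guard is that any attempt the child rejects without a round-trip to the monitor would now produce no log line at all, so it is worth confirming that every userauth path under privsep either reaches a MON_AUTHDECIDE/MON_ALOG request or is marked postponed. auth_log's body continues past the end of the hunk.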
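--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.76 2006/03/25 13:17:02 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.77 2006/03/30 11:40:21 dtucker Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -179,6 +179,7 @@ struct mon_table {
 #define MON_ISAUTH 0x0004 /* Required for Authentication */
 #define MON_AUTHDECIDE 0x0008 /* Decides Authentication */
 #define MON_ONCE 0x0010 /* Disable after calling */
+#define MON_ALOG 0x0020 /* Log auth attempt without authenticating */
 
 #define MON_AUTH (MON_ISAUTH|MON_AUTHDECIDE)
 
@@ -239,8 +240,8 @@ struct mon_table mon_dispatch_proto15[] = {
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
-    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH, mm_answer_rsa_keyallowed},
-    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
+    {MONITOR_REQ_RSAKEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_rsa_keyallowed},
+    {MONITOR_REQ_KEYALLOWED, MON_ISAUTH|MON_ALOG, mm_answer_keyallowed},
     {MONITOR_REQ_RSACHALLENGE, MON_ONCE, mm_answer_rsa_challenge},
     {MONITOR_REQ_RSARESPONSE, MON_ONCE|MON_AUTHDECIDE, mm_answer_rsa_response},
 #ifdef BSD_AUTH
@@ -334,6 +335,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
 	/* The first few requests do not require asynchronous access */
 	while (!authenticated) {
+		auth_method = "unknown";
 		authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
 		if (authenticated) {
 			if (!(ent->flags & MON_AUTHDECIDE))
@@ -356,7 +358,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 #endif
 		}
 
-		if (ent->flags & MON_AUTHDECIDE) {
+		if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
 			auth_log(authctxt, authenticated, auth_method,
 			    compat20 ? " ssh2" : "");
 			if (!authenticated)
@@ -366,6 +368,8 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
 	if (!authctxt->valid)
 		fatal("%s: authenticated invalid user", __func__);
+	if (strcmp(auth_method, "unknown") == 0)
+		fatal("%s: authentication method name unknown", __func__);
 
 	debug("%s: %s has been authenticated by privileged process",
 	    __func__, authctxt->user);
@@ -992,17 +996,20 @@ mm_answer_keyallowed(int sock, Buffer *m)
 	case MM_USERKEY:
 		allowed = options.pubkey_authentication &&
 		    user_key_allowed(authctxt->pw, key);
+		auth_method = "publickey";
 		break;
 	case MM_HOSTKEY:
 		allowed = options.hostbased_authentication &&
 		    hostbased_key_allowed(authctxt->pw,
 		    cuser, chost, key);
+		auth_method = "hostbased";
 		break;
 	case MM_RSAHOSTKEY:
 		key->type = KEY_RSA1; /* XXX */
 		allowed = options.rhosts_rsa_authentication &&
 		    auth_rhosts_rsa_key_allowed(authctxt->pw,
 		    cuser, chost, key);
+		auth_method = "rsa";
 		break;
 	default:
 		fatal("%s: unknown key type %d", __func__, type);
@@ -1023,6 +1030,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
 		hostbased_cuser = cuser;
 		hostbased_chost = chost;
 	} else {
+		/* Log failed attempt */
+		auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
 		xfree(blob);
 		xfree(cuser);
 		xfree(chost);
@@ -1390,6 +1399,7 @@ mm_answer_rsa_keyallowed(int sock, Buffer *m)
 
 	debug3("%s entering", __func__);
 
+	auth_method = "rsa";
 	if (options.rsa_authentication && authctxt->valid) {
 		if ((client_n = BN_new()) == NULL)
 			fatal("%s: BN_new", __func__);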
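Review bot: The rejected-key branch of mm_answer_keyallowed now calls auth_log itself (new lines 1033-1034), yet the protocol-1 dispatch entry for MONITOR_REQ_KEYALLOWED also gains MON_ALOG (new line 244), which makes monitor_child_preauth call auth_log a second time for the same request (new line 361) — so a disallowed rhosts-rsa key under protocol 1 appears to be logged twice, the very duplication this commit sets out to remove. The MON_ALOG call also fires when the key *is* allowed: these entries lack MON_AUTHDECIDE, so a nonzero return from monitor_read would hit the `unexpected authentication` fatal on line 341, meaning `authenticated` is always 0 at line 362 and the monitor presumably records a failure (and, on the line just past the hunk after `if (!authenticated)`, likely bumps authctxt->failures) for a key query that is about to succeed via MONITOR_REQ_RSARESPONSE. I'd either drop MON_ALOG from the MONITOR_REQ_KEYALLOWED entry and rely on the in-handler log, or have the handlers log their own outcome and let MON_ALOG only suppress the counter, e.g. `if (!authenticated && !(ent->flags & MON_ALOG)) authctxt->failures++;`. Both monitor_child_preauth and mm_answer_keyallowed extend beyond the hunks shown, so the return values that would settle this are out of view.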